
TDLCMD.DLL problem

Discussion in 'Virus & Other Malware Removal' started by mergatroid, Apr 15, 2010.

Thread Status:
Not open for further replies.
  1. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    My son's computer is infected with malware. Avira AntiVir identifies tdlcmd.dll in C:\windows\system32\, which keeps coming back.

    I have seen other posts related to this problem, but unless things have changed, it appears the solution must be tailored to each individual computer.

    I would be grateful for help in removing this.
     
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Please do the following:

    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
     
  3. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    Using the links above, I have downloaded both dds.com and dds.scr to the desktop. Clicking on either causes a command window to flash by and close again, and that's all -- no further messages, and no log files. Vista is the OS.
     
  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Please run this program instead:


    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under the Custom Scan box paste this in


      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\drivers\*.sys /90
      CREATERESTOREPOINT

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.
     
  5. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    Thank you. Here are the results:

    OTL.txt

    OTL logfile created on: 16/04/2010 1:42:50 AM - Run 1
    OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Erik\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6002.18005)
    Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
    4.00 Gb Paging File | 2.00 Gb Available in Paging File | 64.00% Paging File free
    Paging file location(s): c:\pagefile.sys 900 1800 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 220.95 Gb Total Space | 72.39 Gb Free Space | 32.76% Space Free | Partition Type: NTFS
    Drive D: | 11.93 Gb Total Space | 1.86 Gb Free Space | 15.58% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ERIK-PC
    Current User Name: Erik
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Minimal
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - C:\Users\Erik\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
    PRC - C:\Users\Erik\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
    PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
    PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Users\Erik\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
    SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
    SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
    SRV - (Vongo Service) -- C:\Program Files\Vongo\VongoService.exe (Starz Entertainment Group LLC)
    SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://internetsearchservice.com/search?q={searchTerms}
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
    IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = http://internetsearchservice.com/search?q=%s
    IE - HKLM\..\URLSearchHook: {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://internetsearchservice.com/search?q={searchTerms}
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://flvdirect.iamwired.net/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    IE - HKCU\..\URLSearchHook: {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Search"
    FF - prefs.js..browser.search.defaulturl: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "www.google.com"
    FF - prefs.js..extensions.enabledItems: {14294f1e-e2e4-6f57-9bd7-0bbc5e003e02}:4.6.6.4
    FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:10.1.0
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717
    FF - prefs.js..extensions.enabledItems: [email protected]:1.03.01
    FF - prefs.js..keyword.URL: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"


    FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/15 17:40:02 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 22:15:46 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/14 22:15:52 | 000,000,000 | ---D | M]

    [2009/05/22 17:50:34 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Extensions
    [2009/05/22 17:50:34 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Extensions\[email protected]
    [2010/04/15 19:03:52 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions
    [2009/09/09 19:53:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2008/12/03 09:13:34 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2008/12/30 16:13:28 | 000,000,000 | ---D | M] (Tamper Data) -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
    [2009/03/19 12:00:33 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\[email protected]
    [2008/06/21 20:38:05 | 000,000,271 | ---- | M] () -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\searchplugins\search.xml
    [2010/04/15 19:03:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/02/27 16:34:38 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files\Mozilla Firefox\extensions\{14294f1e-e2e4-6f57-9bd7-0bbc5e003e02}
    [2008/06/21 20:37:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
    [2008/09/12 21:46:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
    [2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
    [2008/05/26 18:51:43 | 000,024,684 | ---- | M] (MyWebSearch.com) -- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
    [2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
    [2010/04/14 22:15:58 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/04/14 22:15:58 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml.moz-backup
    [2010/04/14 22:15:58 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/04/14 22:15:58 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml.moz-backup
    [2010/04/14 22:15:58 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/04/14 22:15:58 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml.moz-backup
    [2010/04/14 22:15:58 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml
    [2010/04/14 22:15:58 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml.moz-backup

    O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O2 - BHO: (ONLYUSEmeBLADE Toolbar) - {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
    O2 - BHO: (Ask Toolbar BHO) - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (Ask.com)
    O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (ONLYUSEmeBLADE Toolbar) - {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (Ask.com)
    O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (ONLYUSEmeBLADE Toolbar) - {EDF6ED5F-BEC3-4387-BBCC-B1F01C403B9B} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {F4D76F09-7896-458A-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (Ask.com)
    O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: //@[email protected]/ ([]msni in Computer)
    O15 - HKCU\..Trusted Domains: //@[email protected]/ ([]msni in Local intranet)
    O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1 192.168.1.1
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\MCPClient: DllName - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll - C:\Program Files\Common Files\Stardock\MCPStub.dll (Stardock)
    O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\Stardock\MCPCore.dll (Stardock)
    O24 - Desktop WallPaper: C:\Users\Erik\Pictures\cat-adoption-team.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Erik\Pictures\cat-adoption-team.jpg
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/11/02 05:06:03 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias [2008/12/02 17:44:01 | 000,000,000 | ---D | M]
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found
    OTL cannot create restorepoints on Vista OSs!

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/16 00:44:10 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTL.exe
    [2010/04/15 23:57:15 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
    [2010/04/15 19:08:16 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/04/15 19:07:38 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Erik\Desktop\HJTsetup.exe
    [2010/04/15 18:46:48 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/04/15 18:09:30 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/04/15 18:08:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2010/04/15 17:56:42 | 000,638,464 | ---- | C] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTS.exe
    [2010/04/15 17:29:44 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Product Assistant
    [2010/04/11 16:07:19 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2010/04/11 16:06:57 | 000,000,000 | ---D | C] -- C:\Users\Erik\AppData\Roaming\SUPERAntiSpyware.com
    [2010/04/11 16:06:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2010/04/11 16:05:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
    [2010/04/11 16:00:19 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
    [2010/04/11 11:59:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2010/04/11 11:59:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2010/04/11 11:59:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2010/04/11 11:58:58 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2010/04/11 11:58:08 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/04/11 11:57:19 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Erik\Desktop\TFC.exe
    [2010/04/11 10:13:42 | 000,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
    [2010/04/11 01:57:52 | 000,000,000 | ---D | C] -- C:\Users\Erik\AppData\Roaming\Avira
    [2010/04/11 01:29:18 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
    [2010/04/11 01:29:17 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
    [2010/04/11 01:29:17 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
    [2010/04/11 01:29:17 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
    [2010/04/11 01:29:17 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
    [2010/04/11 01:29:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
    [2010/04/11 01:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/04/06 17:25:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
    [2010/04/06 17:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/04/05 01:19:07 | 000,000,000 | ---D | C] -- C:\Users\Erik\AppData\Local\Blizzard Entertainment
    [2 C:\Users\Erik\Documents\*.tmp files -> C:\Users\Erik\Documents\*.tmp -> ]

    ========== Files - Modified Within 14 Days ==========

    [2010/04/16 01:41:00 | 004,980,736 | -HS- | M] () -- C:\Users\Erik\ntuser.dat
    [2010/04/16 01:39:06 | 000,020,992 | ---- | M] () -- C:\Windows\System32\tdlcmd.dll
    [2010/04/16 01:33:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/04/16 01:33:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/04/16 01:15:01 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000UA.job
    [2010/04/16 00:44:12 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTL.exe
    [2010/04/16 00:21:56 | 000,525,824 | ---- | M] () -- C:\Users\Erik\Desktop\dds.scr
    [2010/04/15 23:52:04 | 000,293,376 | ---- | M] () -- C:\Users\Erik\Desktop\9tqp9vcj.exe
    [2010/04/15 23:50:47 | 000,525,824 | ---- | M] () -- C:\Users\Erik\Desktop\dds.com
    [2010/04/15 19:08:16 | 000,001,874 | ---- | M] () -- C:\Users\Erik\Desktop\HijackThis.lnk
    [2010/04/15 19:07:35 | 000,027,240 | ---- | M] () -- C:\Users\Erik\AppData\Roaming\nvModes.001
    [2010/04/15 19:06:37 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Erik\Desktop\HJTsetup.exe
    [2010/04/15 18:37:40 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/04/15 18:08:30 | 003,916,476 | R--- | M] () -- C:\Users\Erik\Desktop\ComboFix.exe
    [2010/04/15 17:59:24 | 000,354,396 | ---- | M] () -- C:\Users\Erik\Desktop\SysProt.zip
    [2010/04/15 17:56:44 | 000,638,464 | ---- | M] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTS.exe
    [2010/04/15 17:41:06 | 000,023,111 | ---- | M] () -- C:\Windows\hpqins15.dat
    [2010/04/15 17:35:52 | 000,077,375 | ---- | M] () -- C:\Windows\hpqins05.dat
    [2010/04/15 17:35:12 | 000,088,960 | ---- | M] () -- C:\Users\Erik\AppData\Local\GDIPFONTCACHEV1.DAT
    [2010/04/15 17:33:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/04/15 17:33:20 | 000,350,984 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2010/04/15 17:33:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/04/15 17:30:58 | 000,524,288 | -HS- | M] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
    [2010/04/15 17:30:58 | 000,065,536 | -HS- | M] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
    [2010/04/15 17:30:51 | 002,017,988 | -H-- | M] () -- C:\Users\Erik\AppData\Local\IconCache.db
    [2010/04/15 17:28:39 | 000,001,176 | ---- | M] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
    [2010/04/15 09:18:16 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{075B6966-1ACD-46E2-9763-09F6E8050C58}.job
    [2010/04/14 20:43:12 | 000,027,240 | ---- | M] () -- C:\Users\Erik\AppData\Roaming\nvModes.dat
    [2010/04/14 20:00:49 | 000,108,573 | ---- | M] () -- C:\Users\Erik\Documents\stomach cancer.docx
    [2010/04/13 02:15:01 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000Core.job
    [2010/04/11 22:34:24 | 000,100,908 | ---- | M] () -- C:\Users\Erik\Desktop\SystemLook.exe
    [2010/04/11 17:13:35 | 000,284,915 | ---- | M] () -- C:\Users\Erik\Desktop\gmer.zip
    [2010/04/11 16:48:28 | 000,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2010/04/11 11:55:19 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Erik\Desktop\TFC.exe
    [2010/04/11 11:50:55 | 003,911,676 | R--- | M] () -- C:\Users\Erik\Desktop\123out.exe
    [2010/04/11 11:22:07 | 000,016,896 | ---- | M] () -- C:\Users\Erik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/04/11 10:54:54 | 000,003,766 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys
    [2010/04/11 10:13:45 | 000,000,862 | ---- | M] () -- C:\Users\Erik\Desktop\Eusing Free Registry Cleaner.lnk
    [2010/04/11 01:29:39 | 000,001,847 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
    [2010/04/11 01:14:16 | 000,000,680 | ---- | M] () -- C:\Users\Erik\AppData\Local\d3d9caps.dat
    [2010/04/07 22:17:14 | 000,000,806 | ---- | M] () -- C:\Users\Erik\Desktop\uhmmm,.lnk
    [2010/04/06 17:34:06 | 000,002,560 | ---- | M] () -- C:\Windows\_MSRSTRT.EXE
    [2010/04/06 17:17:59 | 000,048,287 | ---- | M] () -- C:\Windows\System32\hrjysvzimagux.exe
    [2010/04/03 14:26:50 | 000,010,990 | ---- | M] () -- C:\Users\Erik\Documents\Epic fail..docx
    [2 C:\Users\Erik\Documents\*.tmp files -> C:\Users\Erik\Documents\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/04/16 01:39:06 | 000,020,992 | ---- | C] () -- C:\Windows\System32\tdlcmd.dll
    [2010/04/16 00:21:56 | 000,525,824 | ---- | C] () -- C:\Users\Erik\Desktop\dds.scr
    [2010/04/15 23:52:01 | 000,293,376 | ---- | C] () -- C:\Users\Erik\Desktop\9tqp9vcj.exe
    [2010/04/15 23:50:45 | 000,525,824 | ---- | C] () -- C:\Users\Erik\Desktop\dds.com
    [2010/04/15 19:08:16 | 000,001,874 | ---- | C] () -- C:\Users\Erik\Desktop\HijackThis.lnk
    [2010/04/15 17:59:22 | 000,354,396 | ---- | C] () -- C:\Users\Erik\Desktop\SysProt.zip
    [2010/04/15 17:39:02 | 000,023,111 | ---- | C] () -- C:\Windows\hpqins15.dat
    [2010/04/15 17:28:39 | 000,001,176 | ---- | C] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
    [2010/04/15 17:27:15 | 000,077,375 | ---- | C] () -- C:\Windows\hpqins05.dat
    [2010/04/14 19:48:33 | 000,108,573 | ---- | C] () -- C:\Users\Erik\Documents\stomach cancer.docx
    [2010/04/11 22:34:23 | 000,100,908 | ---- | C] () -- C:\Users\Erik\Desktop\SystemLook.exe
    [2010/04/11 22:32:18 | 003,916,476 | R--- | C] () -- C:\Users\Erik\Desktop\ComboFix.exe
    [2010/04/11 17:13:34 | 000,284,915 | ---- | C] () -- C:\Users\Erik\Desktop\gmer.zip
    [2010/04/11 16:07:01 | 000,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2010/04/11 11:59:22 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
    [2010/04/11 11:59:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2010/04/11 11:59:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2010/04/11 11:59:22 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
    [2010/04/11 11:59:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2010/04/11 11:57:10 | 003,911,676 | R--- | C] () -- C:\Users\Erik\Desktop\123out.exe
    [2010/04/11 10:13:45 | 000,000,862 | ---- | C] () -- C:\Users\Erik\Desktop\Eusing Free Registry Cleaner.lnk
    [2010/04/11 01:29:39 | 000,001,847 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
    [2010/04/11 01:14:16 | 000,000,680 | ---- | C] () -- C:\Users\Erik\AppData\Local\d3d9caps.dat
    [2010/04/06 17:34:04 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
    [2010/04/06 17:17:59 | 000,048,287 | ---- | C] () -- C:\Windows\System32\hrjysvzimagux.exe
    [2010/04/03 14:26:50 | 000,010,990 | ---- | C] () -- C:\Users\Erik\Documents\Epic fail..docx
    [2010/04/01 08:53:05 | 000,011,268 | -HS- | C] () -- C:\ProgramData\7VJ5
    [2010/03/24 17:12:00 | 000,009,980 | -HS- | C] () -- C:\ProgramData\20xYJkS83BHk4
    [2009/10/25 00:27:03 | 001,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
    [2009/09/11 02:32:44 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/02/26 15:44:38 | 000,020,000 | -H-- | C] () -- C:\ProgramData\T09F8
    [2009/02/03 19:42:47 | 000,016,384 | -HS- | C] () -- C:\Users\Erik\Thumbs.db
    [2009/01/02 19:40:23 | 002,255,360 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
    [2008/12/21 15:55:34 | 000,395,776 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
    [2008/12/21 15:55:34 | 000,262,144 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
    [2008/12/21 15:55:34 | 000,112,640 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
    [2008/12/18 18:51:32 | 000,000,196 | ---- | C] () -- C:\Windows\ulead32.ini
    [2008/12/02 10:59:51 | 000,000,197 | ---- | C] () -- C:\Windows\System32\MRT.INI
    [2008/06/29 20:52:26 | 000,000,600 | ---- | C] () -- C:\Users\Erik\PUTTY.RND
    [2008/06/22 22:20:57 | 000,159,760 | ---- | C] () -- C:\ProgramData\BallAudioAudio.20oyyt
    [2008/06/22 21:57:56 | 000,348,176 | ---- | C] () -- C:\ProgramData\BallAudioAudio.fqclia9
    [2008/06/22 21:32:53 | 000,274,448 | ---- | C] () -- C:\ProgramData\BallAudioAudio.f1gh6n
    [2008/06/22 21:10:03 | 000,118,800 | ---- | C] () -- C:\ProgramData\BallAudioAudio.e2qu0
    [2008/06/22 20:47:52 | 000,102,416 | ---- | C] () -- C:\ProgramData\BallAudioAudio.laq25
    [2008/06/22 20:25:19 | 000,208,912 | ---- | C] () -- C:\ProgramData\BallAudioAudio.plov6l
    [2008/06/22 20:03:14 | 000,339,984 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ulcytj
    [2008/06/22 19:41:07 | 000,278,544 | ---- | C] () -- C:\ProgramData\BallAudioAudio.jvxzjs
    [2008/06/22 19:18:19 | 000,262,160 | ---- | C] () -- C:\ProgramData\BallAudioAudio.gyjaz9
    [2008/06/22 18:56:10 | 000,110,608 | ---- | C] () -- C:\ProgramData\BallAudioAudio.b95l9
    [2008/06/22 18:33:39 | 000,225,296 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hwys682
    [2008/06/22 18:11:36 | 000,249,872 | ---- | C] () -- C:\ProgramData\BallAudioAudio.m67gkn
    [2008/06/22 17:49:27 | 000,213,008 | ---- | C] () -- C:\ProgramData\BallAudioAudio.4iopj2
    [2008/06/22 17:26:55 | 000,192,528 | ---- | C] () -- C:\ProgramData\BallAudioAudio.usv9jbi
    [2008/06/22 17:04:47 | 000,016,400 | ---- | C] () -- C:\ProgramData\BallAudioAudio.4e175
    [2008/06/22 16:42:36 | 000,327,696 | ---- | C] () -- C:\ProgramData\BallAudioAudio.7pnej
    [2008/06/22 16:19:47 | 000,172,048 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hv9ufya
    [2008/06/22 15:57:40 | 000,028,688 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ygls2z
    [2008/06/22 15:35:30 | 000,245,776 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hkpn4
    [2008/06/22 15:12:54 | 000,208,912 | ---- | C] () -- C:\ProgramData\BallAudioAudio.dmp3vk
    [2008/06/22 14:50:44 | 000,192,528 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ffznv
    [2008/06/22 14:27:51 | 000,331,792 | ---- | C] () -- C:\ProgramData\BallAudioAudio.gu1rpfm
    [2008/06/22 14:05:42 | 000,405,520 | ---- | C] () -- C:\ProgramData\BallAudioAudio.zi2zi
    [2008/06/22 13:43:31 | 000,094,224 | ---- | C] () -- C:\ProgramData\BallAudioAudio.gteskk
    [2008/06/22 13:20:53 | 000,110,608 | ---- | C] () -- C:\ProgramData\BallAudioAudio.uefjt
    [2008/06/22 12:58:32 | 000,352,272 | ---- | C] () -- C:\ProgramData\BallAudioAudio.k53lq
    [2008/06/22 12:35:18 | 000,385,040 | ---- | C] () -- C:\ProgramData\BallAudioAudio.xxzm9da
    [2008/06/22 12:12:40 | 000,163,856 | ---- | C] () -- C:\ProgramData\BallAudioAudio.obrsc
    [2008/06/22 11:50:25 | 000,049,168 | ---- | C] () -- C:\ProgramData\BallAudioAudio.jcwt4
    [2008/06/22 11:27:47 | 000,131,088 | ---- | C] () -- C:\ProgramData\BallAudioAudio.w9115
    [2008/06/22 11:05:38 | 000,020,496 | ---- | C] () -- C:\ProgramData\BallAudioAudio.qo75w7y
    [2008/06/22 10:43:15 | 000,004,112 | ---- | C] () -- C:\ProgramData\BallAudioAudio.qswkx3s
    [2008/06/22 10:21:00 | 000,028,688 | ---- | C] () -- C:\ProgramData\BallAudioAudio.l1dz55b
    [2008/06/22 09:58:51 | 000,167,952 | ---- | C] () -- C:\ProgramData\BallAudioAudio.n0od7
    [2008/06/22 09:36:14 | 000,303,120 | ---- | C] () -- C:\ProgramData\BallAudioAudio.71plwad
    [2008/06/22 09:14:07 | 000,200,720 | ---- | C] () -- C:\ProgramData\BallAudioAudio.6vowc
    [2008/06/22 08:51:35 | 000,364,560 | ---- | C] () -- C:\ProgramData\BallAudioAudio.sftdol
    [2008/06/22 08:28:44 | 000,036,880 | ---- | C] () -- C:\ProgramData\BallAudioAudio.xs4rop
    [2008/06/22 08:06:36 | 000,073,744 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ke6g9b
    [2008/06/22 07:44:25 | 000,229,392 | ---- | C] () -- C:\ProgramData\BallAudioAudio.yd56z92
    [2008/06/22 07:21:57 | 000,270,352 | ---- | C] () -- C:\ProgramData\BallAudioAudio.fowlq
    [2008/06/22 06:59:46 | 000,073,744 | ---- | C] () -- C:\ProgramData\BallAudioAudio.2xb9rl
    [2008/06/22 06:37:20 | 000,368,656 | ---- | C] () -- C:\ProgramData\BallAudioAudio.94uej2r
    [2008/06/22 06:15:10 | 000,376,848 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ogjuo
    [2008/06/22 05:53:03 | 000,184,336 | ---- | C] () -- C:\ProgramData\BallAudioAudio.o432s2
    [2008/06/22 05:30:24 | 000,356,368 | ---- | C] () -- C:\ProgramData\BallAudioAudio.dav854v
    [2008/06/22 05:08:06 | 000,135,184 | ---- | C] () -- C:\ProgramData\BallAudioAudio.kjlu0i
    [2008/06/22 04:45:51 | 000,114,704 | ---- | C] () -- C:\ProgramData\BallAudioAudio.mwphrh
    [2008/06/22 04:23:09 | 000,397,328 | ---- | C] () -- C:\ProgramData\BallAudioAudio.w9mlbo
    [2008/06/22 04:00:49 | 000,094,224 | ---- | C] () -- C:\ProgramData\BallAudioAudio.c747bj
    [2008/06/22 03:38:29 | 000,286,736 | ---- | C] () -- C:\ProgramData\BallAudioAudio.r126kw
    [2008/06/22 03:15:24 | 000,262,160 | ---- | C] () -- C:\ProgramData\BallAudioAudio.b0b9yy
    [2008/06/22 02:52:46 | 000,028,688 | ---- | C] () -- C:\ProgramData\BallAudioAudio.sfc9g
    [2008/06/22 02:30:41 | 000,020,496 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hexf5f
    [2008/06/22 02:08:39 | 000,274,448 | ---- | C] () -- C:\ProgramData\BallAudioAudio.y1702n
    [2008/06/22 01:46:42 | 000,237,584 | ---- | C] () -- C:\ProgramData\BallAudioAudio.v8ha7
    [2008/06/22 01:24:50 | 000,208,912 | ---- | C] () -- C:\ProgramData\BallAudioAudio.a5lxj
    [2008/06/22 01:03:00 | 000,278,544 | ---- | C] () -- C:\ProgramData\BallAudioAudio.aieyak
    [2008/06/22 00:41:08 | 000,081,936 | ---- | C] () -- C:\ProgramData\BallAudioAudio.7jz5bv0
    [2008/05/26 22:45:14 | 000,058,792 | ---- | C] () -- C:\Windows\System32\wbload.dll
    [2008/04/16 18:31:09 | 000,003,766 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
    [2008/04/16 18:31:09 | 000,000,088 | RHS- | C] () -- C:\Windows\System32\AED9B54B09.sys
    [2008/04/16 16:54:37 | 000,260,645 | ---- | C] () -- C:\Users\Erik\water background.gif
    [2008/04/16 16:30:07 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/03/11 09:34:25 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\FnF4.txt
    [2008/02/23 16:58:57 | 000,016,896 | ---- | C] () -- C:\Users\Erik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/02/18 16:50:18 | 000,102,416 | ---- | C] () -- C:\ProgramData\clock coal beep.4vz7xc
    [2008/02/18 16:50:02 | 000,372,752 | ---- | C] () -- C:\ProgramData\BallAudioAudio.46rrza
    [2008/02/18 16:50:02 | 000,335,888 | ---- | C] () -- C:\ProgramData\BallAudioAudio.dtdeb7
    [2008/02/17 20:04:28 | 000,027,240 | ---- | C] () -- C:\Users\Erik\AppData\Roaming\nvModes.001
    [2008/02/17 20:03:03 | 000,027,240 | ---- | C] () -- C:\Users\Erik\AppData\Roaming\nvModes.dat
    [2008/02/17 19:56:49 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\QSwitch.txt
    [2008/02/17 19:56:49 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\DSwitch.txt
    [2008/02/17 19:56:49 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\AtStart.txt
    [2008/02/17 19:22:05 | 000,000,020 | -HS- | C] () -- C:\Users\Erik\ntuser.ini
    [2008/02/17 19:22:04 | 004,980,736 | -HS- | C] () -- C:\Users\Erik\ntuser.dat
    [2008/02/17 19:22:04 | 000,524,288 | -HS- | C] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
    [2008/02/17 19:22:04 | 000,524,288 | -HS- | C] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
    [2008/02/17 19:22:04 | 000,262,144 | -H-- | C] () -- C:\Users\Erik\ntuser.dat.LOG2
    [2008/02/17 19:22:04 | 000,262,144 | -H-- | C] () -- C:\Users\Erik\ntuser.dat.LOG1
    [2008/02/17 19:22:04 | 000,065,536 | -HS- | C] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
    [2007/12/30 13:07:42 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
    [2007/11/02 05:21:25 | 000,004,253 | ---- | C] () -- C:\ProgramData\hpzinstall.log
    [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 06:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

    ========== LOP Check ==========

    [2009/01/11 23:09:39 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Acreon
    [2008/11/24 18:44:05 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Azureus
    [2010/04/01 07:14:48 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\BitTorrent
    [2008/12/20 01:35:11 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\cmw
    [2010/04/16 01:45:23 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\DNA
    [2008/03/21 21:38:23 | 000,000,000 | -H-D | M] -- C:\Users\Erik\AppData\Roaming\ijjigame
    [2009/02/26 15:45:00 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Lasersoft Imaging
    [2008/11/27 08:53:33 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Launchy
    [2009/06/15 23:46:43 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\LimeWire
    [2008/04/16 22:53:46 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Publish Providers
    [2008/04/16 22:48:13 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Sony
    [2009/08/01 22:06:01 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\SystemRequirementsLab
    [2008/02/17 20:01:37 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\WildTangent
    [2010/04/15 17:31:03 | 000,032,592 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2010/04/15 09:18:16 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{075B6966-1ACD-46E2-9763-09F6E8050C58}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
    [2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
    [2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
    [2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
    [2007/11/02 05:39:53 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=313FF294978EA6AF715722D708FB249F -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20494_none_b858f78adaed51b3\AGP440.sys
    [2007/11/02 05:39:53 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f2490cb0\AGP440.sys
    [2007/11/02 05:39:53 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16399_none_b7d45c31c1cb309c\AGP440.sys
    [2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
    [2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
    [2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
    [2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
    [2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
    [2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
    [2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
    [2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
    [2008/02/18 15:53:46 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
    [2008/02/18 15:53:46 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
    [2008/02/18 15:53:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
    [2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\drivers\atapi.sys

    < MD5 for: CNGAUDIT.DLL >
    [2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
    [2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
    [2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

    < MD5 for: EVENTLOG.DLL >
    [2007/01/13 01:30:08 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files\CyberLink\PowerDirector\EventLog.dll

    < MD5 for: IASTORV.SYS >
    [2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
    [2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
    [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
    [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

    < MD5 for: NETLOGON.DLL >
    [2006/11/02 05:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
    [2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
    [2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
    [2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
    [2008/01/19 03:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

    < MD5 for: NVSTOR.SYS >
    [2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
    [2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
    [2008/01/19 03:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
    [2008/01/19 03:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

    < MD5 for: SCECLI.DLL >
    [2008/01/19 03:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
    [2006/11/02 05:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
    [2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
    [2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
    [2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
    [2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
    [2009/04/11 02:28:25 | 000,443,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\win32spl.dll

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %systemroot%\system32\drivers\*.sys /90 >
    [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
    [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
    [2010/02/20 16:53:34 | 000,411,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\http.sys
    [2010/04/03 01:46:45 | 000,030,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tgqvhnos.sys

    ========== Files - Unicode (All) ==========
    [2009/08/09 14:13:20 | 000,000,368 | -H-- | C] ()(C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00
    [2009/08/09 14:13:20 | 000,000,368 | -H-- | C] ()(C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00
    [2009/08/09 14:13:20 | 000,000,000 | -H-- | C] ()(C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00
    [2009/08/09 14:13:20 | 000,000,000 | -H-- | C] ()(C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00
    [2007/04/28 15:54:48 | 000,000,368 | -H-- | M] ()(C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00
    [2007/04/28 15:54:48 | 000,000,000 | -H-- | M] ()(C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00
    [2007/04/28 15:38:26 | 000,000,368 | -H-- | M] ()(C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00
    [2007/04/28 15:38:26 | 000,000,000 | -H-- | M] ()(C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 278 bytes -> C:\Windows\System32\drivers\tgqvhnos.sys:changelist
    < End of report >



    Extras.txt
    OTL Extras logfile created on: 16/04/2010 1:42:50 AM - Run 1
    OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Erik\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6002.18005)
    Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
    4.00 Gb Paging File | 2.00 Gb Available in Paging File | 64.00% Paging File free
    Paging file location(s): c:\pagefile.sys 900 1800 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 220.95 Gb Total Space | 72.39 Gb Free Space | 32.76% Space Free | Partition Type: NTFS
    Drive D: | 11.93 Gb Total Space | 1.86 Gb Free Space | 15.58% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ERIK-PC
    Current User Name: Erik
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Minimal
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- C:\Users\Erik\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4115463262-510367102-684270071-1000]
    "EnableNotifications" = 1
    "EnableNotificationsRef" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1
    "" =

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "" =
    "C:\Program Files\Vongo\VongoService.exe" = C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService -- (Starz Entertainment Group LLC)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)
    "C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{092B9662-783A-480F-AFEA-CC2BAC8C9424}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{2EC933B5-A76D-4BF5-A02D-F5D48A0C07D2}" = rport=139 | protocol=6 | dir=out | app=system |
    "{614ACE39-C3D3-49D8-9130-CBD7CCF51B53}" = lport=427 | protocol=17 | dir=in | name=hp 8000 |
    "{67A95B99-7283-47E6-829E-ECFDF860ACB5}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{7D192D70-C3EC-4542-8F25-940CEF8244AD}" = rport=137 | protocol=17 | dir=out | app=system |
    "{9EF41771-146E-4C55-BC26-65D4403C0977}" = lport=445 | protocol=6 | dir=in | app=system |
    "{9FB6ED8A-FFC9-474B-9A53-B3DA44BE7BD2}" = lport=137 | protocol=17 | dir=in | app=system |
    "{A4F87D3D-AEE9-4862-B372-B8333DD616FD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{AA954BD3-0C60-4C41-A7A2-400A7FC839F0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@FirewallAPI.dll,-28539 |
    "{ACF5A059-79A2-41AD-8B76-B2F3EBB73411}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
    "{D7B11254-2BAD-4F03-8F62-FFFAEB0C3A37}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |
    "{E66067D8-C5A2-4786-A1AD-C7D72BE17F6C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{E89F5666-0423-4423-BF2A-E0D642AE40EF}" = lport=139 | protocol=6 | dir=in | app=system |
    "{F1A20D75-799C-4D36-867F-3B0783BF1F97}" = rport=445 | protocol=6 | dir=out | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0AD5B223-8147-4E9A-B40B-8DF3ECAA4298}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
    "{0C208782-B442-4D83-9221-9EAEF3AB3B7D}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
    "{0C25BB61-4330-436E-92C7-3C7FEA6CF5D0}" = protocol=58 | dir=in | name=@FirewallAPI.dll,-28545 |
    "{0CCDC1AC-6337-4C3E-AB14-E9689E5BBA9A}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
    "{0D1A302D-8F2B-415C-86F9-DA1542419F2D}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
    "{192D8781-D70A-4038-9645-E201198EABA4}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
    "{20BE8EE1-3EF4-4FE7-BA55-6C7E1182BD10}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{261606FF-8AE4-4561-8DEC-6EFD4FBE36A8}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{28C3ABFA-31CF-4625-9894-78C32C773282}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{2A3C5DB9-18C7-48ED-A9D0-B022428F2CED}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe |
    "{30A91DA5-382A-4537-B28C-70AF2725CEED}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
    "{32877ECA-1F5C-4682-9971-52DB39F1335B}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe |
    "{330FC065-E195-4435-ABA5-028FA3A6A5CE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
    "{35D90C6A-D0CC-4FCA-9146-CAEDFA199A5B}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
    "{3DE0ABA3-E78B-42C5-889F-7D1A8F7DC70D}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe |
    "{3FF634D1-7EEC-4C6E-BDF0-873E852109EA}" = protocol=1 | dir=in | name=@FirewallAPI.dll,-28543 |
    "{45AEBAB3-743C-4A9F-A278-BA597C8B0134}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
    "{4B9EB990-86F0-43F7-81D0-BA29D3950E06}" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
    "{4D630C61-B791-4168-9D33-4A64A5F7450F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{57A55DCB-2730-478E-98EB-6CC3C4E96661}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
    "{5A7D99B7-97E0-4139-A2A2-7E0C17508472}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
    "{5C66D3FE-2644-4A87-A654-2D25B9B2FEB7}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe |
    "{5FC7A52A-1852-4B1A-90A1-E64EB586ACB1}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe |
    "{64F45406-717E-462B-B5D2-8F0F5A380D00}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
    "{6D37C2B0-A2FD-4C73-810D-A1DBFC3D471E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe |
    "{7464CE9C-5955-4FA8-BFE9-03EDF84385E2}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{757DB4D6-1C88-44FE-93C1-82AD0B973898}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{78CC0779-B61C-4F1C-8738-5B67B2212015}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe |
    "{7CC8B0C3-6826-4D7A-8134-B8F585CB57EE}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
    "{7F4D586F-1FB1-4F87-978D-12AB0058D589}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
    "{824A26A1-9385-4637-90B9-8390B016B07B}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe |
    "{8F96A033-C107-4059-B309-EF34092D92F5}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
    "{91D340FD-2951-4E5B-87C2-57F25A5923BC}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
    "{92F0F901-19D1-4836-A785-72AE8B47FF56}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{97FC2888-0F83-456D-B694-B39264C88932}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
    "{A9063885-CAFA-4238-9735-8C3A4913DCC3}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
    "{B051661C-AEE6-4BA6-AAB8-A3541CC232D7}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{C1B50C45-D47B-4F6C-9BE6-C2C86F45AE3B}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
    "{C3E62D50-5CDE-4628-B58F-8070DBF738F4}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
    "{C75841FE-E610-4ACE-AA02-DC6D30B70375}" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
    "{CAB80EF1-0A47-41A9-91DE-2CA753F244B0}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
    "{CB4FFD26-A463-4E5F-980E-E001372BB2EB}" = dir=in | app=e:\setup\hpznui01.exe |
    "{CDB9E6ED-5B48-40A5-B1F9-96DF1FF44927}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe |
    "{D03E6D96-2E82-4B3C-B1C8-48029A001DF0}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
    "{D55FE685-66EF-47DA-8D02-716E16C2AA39}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{D7973FA8-6161-4B9F-BCFB-5EEEF98E4C97}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
    "{DE4D7AAC-00C2-4B2C-941F-5CB6A46CABE2}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{DF612F82-EAC2-4937-9B2A-0F2876A4211C}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
    "{EEC94B8B-AE20-4821-9A5E-7BBAD14CFE16}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
    "{F15558E4-09CB-4076-BA84-D1032A1F9F79}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
    "{F39842AD-AD87-426D-8B64-880FAC50522E}" = protocol=1 | dir=out | name=@FirewallAPI.dll,-28544 |
    "{F5905EA4-B10B-4FAC-82FE-D3D4E98D8057}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
    "{F646D18C-B9B4-4BD9-B299-0B73AB90F6B2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe |
    "{F793C491-C7DD-46FE-8F3D-8632A53CBFB7}" = protocol=58 | dir=out | name=@FirewallAPI.dll,-28546 |
    "{FD4D9A64-7CEF-45F1-907D-AA3E204CDEB0}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
    "TCP Query User{2455F499-9214-45E1-A3E5-E8F262F9CB70}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
    "TCP Query User{3247E2E4-5BBB-41F6-AC09-C9B0194797A2}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "TCP Query User{574BA128-1DB1-4918-AD46-323E63C26745}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe |
    "TCP Query User{5F203965-518E-4F27-84C3-8F095D3BBA82}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
    "TCP Query User{69CA9514-99DD-45CA-BC93-C7703B08C910}C:\users\erik\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
    "TCP Query User{8DE452B6-B539-4FEE-A1E6-BEA72CE963EA}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
    "TCP Query User{96A57661-CAF2-491A-9721-3D5D8BB86C00}C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe |
    "TCP Query User{A26E073C-7CD5-4E08-899A-EB9FD21C74DB}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
    "TCP Query User{B6B4EF75-2BD7-48AB-A330-6D6B44F34285}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
    "TCP Query User{C7D6CB27-8D62-48AA-A3C6-3659F8BBC23F}C:\program files\curse\curseclient.exe" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
    "TCP Query User{E3CE66EF-BF2E-46D6-91AB-C7769C3DB28B}C:\users\erik\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
    "TCP Query User{FDAE2A43-EDB3-427C-B692-226F229AACCC}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
    "UDP Query User{0C7795CE-CA5B-4939-9373-ABF5FB01E7A8}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
    "UDP Query User{0D5AE96B-3DED-4B06-A2BB-72AB7D8481B1}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
    "UDP Query User{3159A116-9BAF-40F6-9F01-335FF7D2E70F}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
    "UDP Query User{3EC8EBB2-1830-43E6-8E7B-ADECAB547A5C}C:\users\erik\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
    "UDP Query User{3F73D53B-0B53-41EF-8F24-DCF2888FA411}C:\program files\curse\curseclient.exe" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
    "UDP Query User{5A35CE7A-3123-448D-AD03-532801976BF7}C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe |
    "UDP Query User{765713D2-7DDD-4B8B-95F5-8339CB83A512}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe |
    "UDP Query User{A4A16790-89CB-4E27-BD6B-C37457B0B051}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
    "UDP Query User{B183308F-4136-40C0-9FA6-D337DA735094}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
    "UDP Query User{D5579808-FA27-47DE-A958-613B66B5460B}C:\users\erik\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
    "UDP Query User{E454E1E8-EAE1-4C9B-8C97-C191C81A9E8E}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
    "UDP Query User{F97437AD-AFC0-4C1E-B7A7-007014F085FB}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
    "{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
    "{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
    "{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status
    "{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1
    "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
    "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
    "{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
    "{0EE4030A-8FD4-4798-A21D-17E525B1F7CF}" = Corel Snapfire
    "{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
    "{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
    "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
    "{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}" = Nokia Connectivity Cable Driver
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget
    "{2284D904-C138-4B58-93EC-5C362AB5130A}" = The Sims™ Life Stories
    "{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{240556C4-80D1-465F-81D8-E0B9D108548A}" = 5300_5400_Help
    "{250E9609-E830-43EB-B379-DAB7546A2422}" = muvee autoProducer 6.1
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
    "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 19
    "{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}" = HP Help and Support
    "{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch
    "{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
    "{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
    "{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
    "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 E1
    "{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
    "{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
    "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.6
    "{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
    "{48B82226-75E3-4E90-92CC-D30F79EA6380}" = Norton Security Scan
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
    "{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
    "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
    "{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp
    "{542C0F0B-FBDF-45d9-AF8A-345C1A9B5AE3}" = 8000A809
    "{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
    "{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{671B4BAD-D681-4d29-9498-D8BF3F1A389D}" = BPDSoftware
    "{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
    "{68471BF2-F1F7-4C89-BBBA-400B94996596}" = ESU for Microsoft Vista
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{6A3F98BA-338E-49a1-9D79-D786A83E6621}" = HP Officejet Pro 8000 A809 Series
    "{6E4EE9B5-F69D-4455-B430-40FA5F0DC988}" = ProductContext
    "{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
    "{77B3331C-1644-4C9E-9F1C-7D2A5517102E}" = BPDSoftware_Ini_CCR_Vista
    "{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
    "{7ABD82AD-E13E-4673-A450-0890D43C8F9D}" = MPM
    "{7DC4A410-9986-4329-9E5D-687B2C42CA39}" = HP QuickTouch 1.00 C4
    "{7F94FB03-6617-4442-9817-CDDB36EAE529}" = 8000A809_eDocs
    "{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{84C34368-0C06-4880-9095-474609A8E770}" = Sony Preset Manager 2.0e
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{86BC184E-CFCD-48D5-829A-666A36C6ACC9}" = 8000A809_Help
    "{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
    "{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}" = Vongo
    "{8D2C1E44-7685-4D05-8342-B0DC6422FA47}" = Ulead Straight-to-Disc SDK
    "{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend
    "{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
    "{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
    "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
    "{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
    "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
    "{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1
    "{AD277ED4-7E41-4074-911D-D34AF41B9D49}" = HP Officejet Pro K5300/5400 Series
    "{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
    "{AFB69549-3AAE-4433-A99B-673B8A513379}" = BPDSoftware_Ini
    "{b02df929-29a7-4fd2-9a70-81a644b635f7}" = HP Total Care Advisor
    "{B10A30CF-CCFF-4056-9ABC-F8D42BDF141F}" = myPrintMileage (Officejet Pro 8000 A809)
    "{B40DCEFF-9B7B-4c36-B4FA-6CE7EABFB4B8}" = K5400
    "{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
    "{B53620C0-3A83-4F50-A7AB-175DB64C1CE3}" = HP User Guides 0090
    "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
    "{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C716522C-3731-4667-8579-40B098294500}" = Toolbox
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
    "{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D49EE5B7-1AEB-49C9-B77D-4AEE7249F505}" = BPD_HPSU
    "{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
    "{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
    "{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
    "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
    "{ECAD4F6A-0BF3-4028-9C81-E5D9F9606CBA}" = BPDSoftware
    "{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
    "{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery
    "{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista
    "{FA0CE30A-B8EF-4b6b-85BF-D2B2C354A32C}" = ProductContext
    "{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
    "{FBA70FCC-BD23-4120-BA30-3E0DDF66AE82}" = 5300_5400_Readme
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player
    "ADS Tech Master Installer V3.8" = ADS Tech Master Installer V3.8
    "ADS Tech V3.8 DVD Xpress DX2 CapWiz" = ADS Tech V3.8 DVD Xpress DX2 CapWiz
    "AIM_6" = AIM 6
    "AskPBar Uninstall" = Ask Toolbar
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
    "Cheat Engine 5.5_is1" = Cheat Engine 5.5
    "CNXT_AUDIO_HDA" = Conexant HD Audio
    "CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
    "DesktopX" = DesktopX
    "Epson-SE TWAIN_is1" = Epson-SE TWAIN
    "Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
    "Hauppauge MCE2005 Software Encoder" = Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
    "HijackThis" = HijackThis 2.0.2
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "HP Imaging Device Functions" = HP Imaging Device Functions 12.0
    "HP Photosmart Essential" = HP Photosmart Essential 3.5
    "HP Smart Web Printing" = HP Smart Web Printing 4.60
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
    "HPExtendedCapabilities" = HP Customer Participation Program 12.0
    "hrjysvzimagux" = Performance Maximizer Profitizeme
    "InstallShield_{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
    "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
    "Messenger Plus! Live" = Messenger Plus! Live & Sponsor (CiD)
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
    "MSNINST" = MSN
    "NVIDIA Drivers" = NVIDIA Drivers
    "ObjectBar" = ObjectBar
    "ONLYUSEmeBLADE Toolbar" = ONLYUSEmeBLADE Toolbar
    "Shop for HP Supplies" = Shop for HP Supplies
    "SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.4
    "Sony Vocal Eraser_is1" = Sony Vocal Eraser
    "SystemRequirementsLab" = System Requirements Lab
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "WildTangent hp Master Uninstall" = My HP Games
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "World of Warcraft" = World of Warcraft
    "Yahoo! Companion" = Yahoo! Toolbar

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "BitTorrent" = BitTorrent
    "BitTorrent DNA" = DNA
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
     
  6. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    Here is the GMER result:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-11 23:22:52
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Erik\AppData\Local\Temp\kxldapoc.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\atapi \Device\Ide\IdePort0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\atapi \Device\Ide\IdePort1 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\atapi \Device\Ide\IdePort2 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\atapi \Device\Ide\IdePort3 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet Pro 8000 A809 Series@ChangeID 631928

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
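    As an added example (not part of the original thread, and not GMER's own code), a small Python triage script that parses the device, file and hook fields out of GMER output in the line format of the log above and flags the pattern it shows: every IDE device object of \Driver\atapi resolving to one address in an unmapped section of atapi.sys with an inline MOV/JMP trampoline, plus a "suspicious modification" file verdict. The regexes are written against this log's format only; the field names and the `triage` function are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Input copied from the GMER log posted above (device, file and EOF lines), so the
# parser is exercised on exactly the line format GMER 1.0.15 produced here.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 23:22:52
Windows 6.0.6002 Service Pack 2

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# "Device <driver> <device object> [<dispatch address>] <module>[<section>] {<disassembly>}"
# The trailing {...} is only present when GMER disassembled code at that address.
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>\S+?)\[(?P<section>[^\]]*)\](?:\s+\{(?P<code>[^}]*)\})?\s*$"
)
# Only the file verdict that occurs in the log above is recognised.
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<verdict>suspicious modification)\s*$")


@dataclass(frozen=True)
class DeviceEntry:
    driver: str
    device: str
    address: str
    module: str
    section: str
    inline_code: Optional[str]

    @property
    def suspicious(self) -> bool:
        # GMER could not map the dispatch address to a named PE section of the
        # module, and/or it found a trampoline at that address: both are hook signs.
        return self.section.lower() == "unknown section" or self.inline_code is not None


def parse_gmer(text: str) -> Tuple[List[DeviceEntry], List[Tuple[str, str]]]:
    """Split a GMER log into device entries and file verdicts; other lines are ignored."""
    devices: List[DeviceEntry] = []
    files: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            devices.append(DeviceEntry(m["driver"], m["device"], m["addr"].upper(),
                                       m["module"], m["section"], m["code"]))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append((m["path"], m["verdict"]))
    return devices, files


def triage(text: str) -> Dict[str, object]:
    """Summarise the hook evidence so a helper can see the pattern at a glance."""
    devices, files = parse_gmer(text)
    flagged = [d for d in devices if d.suspicious]
    # The same redirected address on every device object of one driver means the
    # driver's dispatch routine was patched, not a single device.
    by_target: Dict[str, int] = {}
    for d in flagged:
        key = f"{d.driver} -> {d.address}"
        by_target[key] = by_target.get(key, 0) + 1
    return {
        "devices_total": len(devices),
        "devices_suspicious": len(flagged),
        "redirect_targets": by_target,
        "hooked_modules": sorted({d.module for d in flagged}),
        "modified_files": [p for p, v in files if "suspicious" in v],
        "verdict": "rootkit-like driver hook" if flagged else "no device hooks reported",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```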
  7. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Download Combofix from either of the links below, and save it to your desktop.

    Link 1
    Link 2



    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------
    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    --------------------------------------------------------------------

    Double click on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
     
  8. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    Thank you.

    Combofix cannot complete. I ran it three times. The first time resulted in a BSOD, and the second and third times the computer rebooted mid-scan.
     
  9. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    PS - the stop code on the blue screen was: 0x0000007E (0xc0000005, 0x84911305, 0x8AB6BC78, 0x8AB6B974)
     
  10. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Delete the copy that you have on your desktop and download a fresh copy.

    Rename it to combo.com before saving it to your desktop.

    Make certain all your security programs are disabled before running it, and all other windows are closed.

    Please try booting into safe mode and running it from safe mode if it still won't run.
     
  11. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    Excellent -- it worked after renaming the file.
    Here is the combofix log:

    ComboFix 10-04-15.05 - Erik 16/04/2010 14:27:17.6.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3006.2037 [GMT -4:00]
    Running from: c:\users\Erik\Desktop\ComboFix.com
    FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .
    ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
    to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\tdlcmd.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
    .

    2010-04-16 18:47 . 2010-04-16 18:47 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-16 18:47 . 2010-04-16 18:47 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-16 18:44 . 2010-04-16 18:44 49032 ----a-w- C:\ComboFix_error.dat
    2010-04-16 03:57 . 2010-04-16 03:57 -------- d--h--w- c:\windows\PIF
    2010-04-15 23:08 . 2010-04-15 23:08 -------- d-----w- c:\program files\Trend Micro
    2010-04-15 21:39 . 2010-04-15 21:41 23111 ----a-w- c:\windows\hpqins15.dat
    2010-04-15 21:29 . 2010-04-15 21:29 -------- d-----w- c:\programdata\HP Product Assistant
    2010-04-15 21:27 . 2010-04-15 21:35 77375 ----a-w- c:\windows\hpqins05.dat
    2010-04-15 11:37 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-15 11:37 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-15 11:37 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-15 11:37 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-15 11:37 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-15 11:37 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-15 11:37 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 00:41 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-14 00:41 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-04-11 20:08 . 2010-04-11 20:08 52224 ----a-w- c:\users\Erik\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-11 20:07 . 2010-04-11 20:07 117760 ----a-w- c:\users\Erik\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-11 20:07 . 2010-04-11 20:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-04-11 20:06 . 2010-04-11 20:07 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-11 20:06 . 2010-04-11 20:06 -------- d-----w- c:\users\Erik\AppData\Roaming\SUPERAntiSpyware.com
    2010-04-11 20:05 . 2010-04-11 20:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-11 14:13 . 2010-04-11 14:23 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
    2010-04-11 05:57 . 2010-04-11 05:57 -------- d-----w- c:\users\Erik\AppData\Roaming\Avira
    2010-04-11 05:29 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-11 05:29 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-04-11 05:29 . 2009-05-11 15:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-11 05:29 . 2009-05-11 15:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-11 05:29 . 2010-04-11 05:29 -------- d-----w- c:\programdata\Avira
    2010-04-11 05:29 . 2010-04-11 05:29 -------- d-----w- c:\program files\Avira
    2010-04-11 05:14 . 2010-04-11 05:14 680 ----a-w- c:\users\Erik\AppData\Local\d3d9caps.dat
    2010-04-06 21:34 . 2010-04-06 21:34 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2010-04-06 21:25 . 2010-04-06 21:25 -------- d-----w- c:\program files\Common Files\Java
    2010-04-06 21:17 . 2010-04-06 21:17 48287 ----a-w- c:\windows\system32\hrjysvzimagux.exe
    2010-04-05 05:19 . 2010-04-05 05:19 -------- d-----w- c:\users\Erik\AppData\Local\Blizzard Entertainment
    2010-04-03 05:46 . 2010-04-03 05:46 30784 ----a-w- c:\windows\system32\drivers\tgqvhnos.sys
    2010-03-30 22:34 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-03-30 22:34 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-16 18:48 . 2008-06-03 23:06 -------- d-----w- c:\users\Erik\AppData\Roaming\DNA
    2010-04-16 17:58 . 2008-06-03 23:06 -------- d-----w- c:\program files\DNA
    2010-04-16 11:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-04-16 11:12 . 2007-11-02 09:16 -------- d-----w- c:\programdata\Microsoft Help
    2010-04-15 22:33 . 2008-06-07 18:18 -------- d-----w- c:\program files\Cheat Engine
    2010-04-15 21:38 . 2007-11-02 09:21 -------- d-----w- c:\programdata\HP
    2010-04-15 21:35 . 2008-02-17 23:56 88960 ----a-w- c:\users\Erik\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-04-15 00:43 . 2008-02-18 00:03 27240 ----a-w- c:\users\Erik\AppData\Roaming\nvModes.dat
    2010-04-11 14:54 . 2008-04-16 22:31 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-04-11 14:54 . 2008-04-16 22:31 -------- d-----w- c:\users\Erik\AppData\Roaming\Corel
    2010-04-11 14:44 . 2007-12-30 17:26 -------- d-----w- c:\programdata\NVIDIA
    2010-04-06 21:24 . 2007-11-02 09:49 -------- d-----w- c:\program files\Java
    2010-04-01 11:14 . 2008-06-03 23:06 -------- d-----w- c:\users\Erik\AppData\Roaming\BitTorrent
    2010-03-09 08:28 . 2008-12-02 15:35 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-24 14:16 . 2009-10-02 16:58 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-21 16:52 . 2010-02-21 16:51 -------- d-----w- c:\program files\iTunes
    2010-02-21 16:51 . 2010-02-21 16:51 -------- d-----w- c:\program files\iPod
    2010-02-21 16:51 . 2008-02-18 20:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-21 16:48 . 2010-02-21 16:47 -------- d-----w- c:\program files\QuickTime
    2010-02-21 16:43 . 2010-02-21 16:43 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-02-20 23:06 . 2010-03-10 08:08 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05 . 2010-03-10 08:07 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53 . 2010-03-10 08:07 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-02-17 01:51 . 2010-02-17 01:51 -------- d-----w- c:\programdata\Yahoo! Companion
    2010-02-17 01:50 . 2010-02-17 01:50 -------- d-----w- c:\program files\ONLYUSEmeBLADE
    2010-02-17 01:50 . 2010-02-17 01:50 -------- d-----w- c:\program files\Conduit
    2010-01-25 12:00 . 2010-02-23 19:18 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-23 19:18 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-23 19:18 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-23 19:18 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-23 19:18 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-23 19:18 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-23 19:18 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-23 19:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-23 19:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:26 . 2010-02-23 19:18 2048 ----a-w- c:\windows\system32\tzres.dll
    2008-04-16 22:31 . 2008-04-16 22:31 88 --sha-r- c:\windows\System32\AED9B54B09.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}"= "c:\program files\ONLYUSEmeBLADE\tbONLY.dll" [2009-12-31 2349080]

    [HKEY_CLASSES_ROOT\clsid\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]
    2009-12-31 16:53 2349080 ----a-w- c:\program files\ONLYUSEmeBLADE\tbONLY.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}"= "c:\program files\ONLYUSEmeBLADE\tbONLY.dll" [2009-12-31 2349080]

    [HKEY_CLASSES_ROOT\clsid\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{EDF6ED5F-BEC3-4387-BBCC-B1F01C403B9B}"= "c:\program files\ONLYUSEmeBLADE\tbONLY.dll" [2009-12-31 2349080]

    [HKEY_CLASSES_ROOT\clsid\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-04-11 323392]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Google Update"="c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-06-28 133104]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    2005-01-31 19:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Launchy.lnk]
    backup=c:\windows\pss\Launchy.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
    backup=c:\windows\pss\Yahoo! Widgets.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vc log bows face]
    c:\programdata\clock coal beep.4vz7xc [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Web Help]
    c:\programdata\BallAudioAudio.20oyyt [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
    2006-08-04 15:00 462336 ----a-w- c:\program files\Corel\Corel Snapfire\Corel Photo Downloader.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-24 01:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):98,55,fb,e1,dd,34,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4115463262-510367102-684270071-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000001

    R3 MUSTechVIDCAP;ADS DVD XPRESS DX2;c:\windows\system32\drivers\musgostrm.sys [2007-02-16 252160]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000Core.job
    - c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-28 20:21]

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000UA.job
    - c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-28 20:21]

    2010-04-16 c:\windows\Tasks\User_Feed_Synchronization-{075B6966-1ACD-46E2-9763-09F6E8050C58}.job
    - c:\windows\system32\msfeedssync.exe [2008-09-10 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://flvdirect.iamwired.net/
    uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    uDefault_Search_URL = hxxp://internetsearchservice.com
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
    mSearch Bar = hxxp://internetsearchservice.com/ie6.html
    mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://internetsearchservice.com
    mSearchURL = hxxp://internetsearchservice.com
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
    FF - component: c:\program files\Mozilla Firefox\extensions\{14294f1e-e2e4-6f57-9bd7-0bbc5e003e02}\components\Z_nuI-aQ-.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\users\Erik\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-16 14:47
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x87784F61]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x8a3acd24
    \Driver\ACPI -> acpi.sys @ 0x82613d68
    \Driver\atapi -> atapi.sys @ 0x827259b0
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-16 14:58:34
    ComboFix-quarantined-files.txt 2010-04-16 18:58
    ComboFix2.txt 2010-04-15 22:46

    Pre-Run: 76,772,438,016 bytes free
    Post-Run: 76,744,691,712 bytes free

    - - End Of File - - 84CCBFD8CC35EAE3018AAE8C4105E9BE
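Added example, not part of this thread and not code from ComboFix or GMER: a small Python triage script that reads lines in the shape of the log above and surfaces the same kinds of entries the helper singles out in the next reply. It scores each "Files Created" row on three signals (a random-looking name, a location under system32, and identical created/modified stamps, which a vendor-built file normally does not have), lists msconfig startupreg entries whose target ComboFix tagged [X], and reports browser start/search settings that point at hosts outside an allowlist. The sample log lines and the allowlist of known-good hosts are constructed for this example; the vowel-ratio and entropy thresholds are assumptions that will produce false positives on legitimate drivers with terse names (the Avira driver in the sample fires one signal but not all three), which is why all three file signals must agree before a row is flagged.

```python
import math
import re
from collections import Counter

# Constructed sample in the shape of the thread's ComboFix log: a few
# "Files Created" rows (created . modified size attrs path), one msconfig
# startupreg entry with a missing target, and some "Supplementary Scan" lines.
SAMPLE_LOG = r"""
2010-04-15 11:37 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-11 05:29 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-06 21:17 . 2010-04-06 21:17 48287 ----a-w- c:\windows\system32\hrjysvzimagux.exe
2010-04-03 05:46 . 2010-04-03 05:46 30784 ----a-w- c:\windows\system32\drivers\tgqvhnos.sys
2010-04-11 05:29 . 2010-04-11 05:29 -------- d-----w- c:\program files\Avira
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vc log bows face]
c:\programdata\clock coal beep.4vz7xc [X]
uStart Page = hxxp://flvdirect.iamwired.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
mSearchURL = hxxp://internetsearchservice.com
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
"""

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
ORPHAN_RE = re.compile(r"^(?P<path>.+?) \[X\]$")  # ComboFix tags missing targets with [X]
BROWSER_RE = re.compile(
    r"^(?:[um](?P<ie>[A-Za-z_ ]+?) = |FF - prefs\.js: (?P<ff>\S+) - )(?P<url>hxxps?://\S+)$"
)
HOST_RE = re.compile(r"hxxps?://(?P<host>[^/\s?]+)", re.IGNORECASE)

# Assumed allowlist of start/search hosts; a real one comes from your own baseline.
KNOWN_GOOD_HOSTS = {"www.google.com", "google.com", "www.bing.com", "ie.redirect.hp.com"}
VOWELS = set("aeiou")
SUSPICIOUS_THRESHOLD = 3  # all three file signals must fire before a row is flagged

def shannon_entropy(symbols):
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())

def looks_random(stem):
    """Heuristic: long, vowel-poor or high-entropy names such as tgqvhnos or hrjysvzimagux."""
    letters = [ch for ch in stem.lower() if ch.isalpha()]
    if len(letters) < 7:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio < 0.2 or shannon_entropy(letters) >= 3.5

def parse_files(text):
    rows = (FILE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in rows if m]

def file_reasons(entry):
    """Return the list of signals that fire for one Files Created row."""
    path = entry["path"].lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if entry["size"] != "--------" and looks_random(stem):  # "--------" marks a directory
        reasons.append("random-looking name")
    if "\\windows\\system32\\" in path:
        reasons.append("under system32")
    if entry["created"] == entry["modified"]:
        # Vendor files keep an older build (modified) time; a dropper writes both at once.
        reasons.append("created == modified")
    return reasons

def flag_files(text):
    flagged = []
    for entry in parse_files(text):
        reasons = file_reasons(entry)
        if len(reasons) >= SUSPICIOUS_THRESHOLD:
            flagged.append((entry["path"], reasons))
    return flagged

def orphan_startup_entries(text):
    hits = (ORPHAN_RE.match(line.strip()) for line in text.splitlines())
    return [m.group("path") for m in hits if m]

def hijacked_browser_settings(text, known_good=KNOWN_GOOD_HOSTS):
    hits = []
    for line in text.splitlines():
        m = BROWSER_RE.match(line.strip())
        if not m:
            continue
        host = HOST_RE.search(m.group("url")).group("host").lower()
        if host not in known_good:
            hits.append((m.group("ie") or m.group("ff"), host))
    return hits

def triage(text):
    return {"files": flag_files(text),
            "orphans": orphan_startup_entries(text),
            "browser": hijacked_browser_settings(text)}

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

Run against a pasted log, the script prints the two freshly dropped system files, the startupreg entry whose target is gone, and the three start/search settings pointing at the redirect hosts; everything else in the sample, including the oddly named but vendor-dated Avira driver, stays quiet.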
     
  12. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    ComboFix requested that a file be uploaded. Could you please do that?

    Insert this link where it requests you to do so:

    http://forums.techguy.org/malware-removal-hijackthis-logs/917172-tdlcmd-dll-problem.html#post7333454


    NEXT


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run type Notepad click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    http://forums.techguy.org/7333454-post11.html
    
    Collect::
    c:\windows\system32\hrjysvzimagux.exe
    c:\windows\system32\drivers\tgqvhnos.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vc log bows face]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Web Help]
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop as "CFScript".


    Here's how to do that:

    1. Click File;
    2. Click Save As... and change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save...

    [​IMG]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.


    NEXT


    We still have work to do; there is still an infected driver that we need to identify.

    Please re-run GMER and check the box beside "sections" and the C:\ drive only; leave all other choices blank.

    Post the resulting log.
     
  13. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    I dragged the script to combofix.com, and combofix launched but didn't complete -- or at least it rebooted the system at some point, but no log file was generated that I could find. It wasn't like before when it went through all 50 stages and notepad popped up at the end with the log file.

    Meanwhile, in terms of uploading combofix_error.dat, should I just attach it to my reply? If not, how do I upload it to the link you provided?

    Shall I continue on with gmer?

    Thank you so much for your help so far.
     
  14. mergatroid

    mergatroid Thread Starter

    Joined:
    Apr 15, 2010
    Messages:
    22
    I am running gmer now and will post the results later this evening.
     
  15. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    This is the link you upload the file to:
    http://www.bleepingcomputer.com/submit-malware.php?channel=4

    When you open that page, there is a section there to put in a link to this topic.

    That's where you put this link:

    http://forums.techguy.org/malware-removal-hijackthis-logs/917172-tdlcmd-dll-problem.html#post7333454

    Now use the Browse button to locate the file ComboFix wants you to upload, which is this file: C:\ComboFix_error.dat

    Then press the Upload button.


    Now go to C:\Combofix and see if a log was generated.

    It will be called C:\combofix.txt
     