TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Hopper073 on January 16, 2010, 06:13:46 PM
-
I seem to be having quite a few problems. I am being redirected when I click on any search results using Google and Yahoo search. It redirects me to another search that may be somewhat related. I also did a Malwarebytes scan which did find a few problems and deleted them properly, I think. Yet I am still having the same problem, and when I tried to use System Restore to an earlier date, it came up that the system could not be restored. I also had an external drive which now will not appear, although it seems to not be running, so that may not be related. Thanks for any help in advance!
Here is my HijackThis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:37 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/do1productions
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2007 Platinum\Privacy Control Center.exe" reminder
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; NET_mmhpset)" -"http://www.nickjr.com/playtime/cats/games/all_games/dora_driving.jhtml"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://www.taxsimple.org/tsweb/msrdp.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: interceptor.dll,secuload.dll,oyxyyk.dll
O23 - Service: EasyHideIP - Unknown owner - C:\Program Files\Easy-Hide-IP\services\EasyHideIp.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - K:\MAGIX Music Maker 2008 Producer Edition\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
--
End of file - 7910 bytes
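The log above is the poster's own; what follows is an added example, not part of the thread. It is a small Python triage script that applies the checks a helper runs by eye on a HijackThis log: an O1 hosts entry that pins a hostname to anything other than loopback (here a microsoft.com name mapped to 195.245.119.131, which no legitimate Microsoft component does), O20 AppInit_DLLs entries (every DLL listed there is loaded into every process that loads user32.dll, so each one deserves a look, and a name like oyxyyk.dll is the kind a helper pulls out first) and O23 services whose binary is reported missing. The sample lines are copied from the log above; the vowel-ratio heuristic for "random-looking" names and the `Finding` structure are this example's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above,
# embedded here so the script runs offline; point it at a saved log for real use.
SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: interceptor.dll,secuload.dll,oyxyyk.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Addresses a hosts entry may legitimately point a name at (loopback / blackhole).
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O1", "O20"
    item: str      # the hostname, DLL or service the finding is about
    reason: str    # short explanation for the reviewer


def parse_hjt(text: str):
    """Yield (section, body) for every 'Onn - ...' line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a HijackThis rule): a DLL
    base name with very few vowels, like 'oyxyyk', is typical of generated names."""
    base = name.lower().rsplit(".", 1)[0]
    if len(base) < 5:
        return False
    vowels = sum(c in "aeiou" for c in base)
    return vowels / len(base) < 0.25


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, body in parse_hjt(text):
        if section == "O1" and body.startswith("Hosts:"):
            # "Hosts: <ip> <name>": anything not a local sink redirects the name.
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOCAL_SINKS:
                ip, host = parts[0], parts[1]
                findings.append(Finding("O1", host, f"hosts file redirects {host} to {ip}"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            for dll in body[len("AppInit_DLLs:"):].split(","):
                dll = dll.strip()
                if not dll:
                    continue
                why = "loaded into every GUI process via AppInit_DLLs"
                if looks_random(dll):
                    why += "; random-looking name"
                findings.append(Finding("O20", dll, why))
        elif section == "O23" and body.endswith("(file missing)"):
            # Service registered but its binary is gone: leftover from a removed
            # product or an earlier cleanup, still worth deleting so nothing can
            # re-occupy the path.
            m = re.search(r"\(([^()]+)\)\s+-\s", body)
            svc = m.group(1) if m else body
            findings.append(Finding("O23", svc, "service binary missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item:<35} {f.reason}")
```

The script only reports; the actual removal (the hosts line, the AppInit_DLLs value and the orphaned service) is done by the helper with OTL or a fix script after the full log has been reviewed, because the O4, O16 and O23 sections of a real log carry far more context than these few lines.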
-
Download OTL.exe (http://oldtimer.geekstogo.com/OTL.exe) by OldTimer to your Desktop.
- Close all windows and double click on OTL.exe to run it
- Click Run Scan and let the program run uninterrupted.
- It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
- You may need to use two posts to get it all.
NOTE: If you have trouble, or get an error message, trying to post the logs, you can upload them in a reply box instead:
In a reply, select "Browse..." on the bottom right, then navigate to the file and select it.
Then click "Upload".
-
Thank you...here they are...
OTL logfile created on: 1/16/2010 11:04:33 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 304.00 Mb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.18 Gb Total Space | 5.85 Gb Free Space | 17.63% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.69 Gb Free Space | 16.90% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 697.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: MAIN
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/05/26 20:06:32 | 04,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/01/04 12:01:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/11/25 12:48:38 | 00,991,232 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/09 16:47:34 | 00,049,152 | ---- | M] (M-Audio) -- C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
PRC - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
========== Modules (SafeList) ==========
MOD - [2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2006/11/17 14:18:44 | 00,503,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2006/11/17 14:18:44 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2006/10/24 14:07:54 | 00,184,320 | --S- | M] (Tenebril Inc.) -- C:\WINDOWS\system32\Interceptor.dll
MOD - [2006/10/24 14:07:18 | 00,307,200 | --S- | M] (Tenebril Inc.) -- C:\WINDOWS\system32\InterceptHelper.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- -- (PCTAVSvc)
SRV - File not found [On_Demand | Stopped] -- -- (FirebirdServerMAGIXInstance)
SRV - [2009/12/17 16:36:24 | 00,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/01/04 12:01:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/25 12:48:38 | 00,991,232 | ---- | M] () [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2) SQL Server (SONY_MEDIAMGR2)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2007/01/09 13:38:50 | 00,045,056 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Easy-Hide-IP\services\EasyHideIp.exe -- (EasyHideIP)
SRV - [2005/09/09 16:47:34 | 00,049,152 | ---- | M] (M-Audio) [Auto | Running] -- C:\Program Files\M-Audio MobilePre\Install\MPInst.exe -- (MobilePreInstallerService)
SRV - [2004/05/24 13:23:38 | 00,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/07/28 22:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)
========== Driver Services (SafeList) ==========
DRV - [2008/11/25 12:39:04 | 00,018,560 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlyUsb.sys -- (FlyUsb)
DRV - [2008/10/13 09:35:31 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2008/07/28 17:19:28 | 00,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/12 09:44:10 | 00,021,904 | ---- | M] (PC Tools Research Pty Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AVFilter.sys -- (AVFilter)
DRV - [2007/12/06 14:51:44 | 00,028,568 | ---- | M] (PC Tools Research Pty Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVHook.sys -- (AVHook)
DRV - [2007/12/06 14:51:44 | 00,021,912 | ---- | M] (PC Tools Research Pty Ltd ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVRec.sys -- (AVRec)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/03/07 18:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2005/09/27 07:00:02 | 00,069,920 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TPkd.sys -- (TPkd)
DRV - [2005/09/09 16:47:34 | 00,030,976 | ---- | M] (M-Audio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MA763004.sys -- (ma763004)
DRV - [2005/03/04 11:02:20 | 01,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/10/01 02:08:38 | 00,018,048 | R--- | M] (CASIO COMPUTER CO., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pl40rwdm.sys -- (PL-40R)
DRV - [2004/08/20 16:26:00 | 00,737,874 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/02/11 23:04:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/02/04 20:28:00 | 00,134,144 | ---- | M] (Copyright © VIA/S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/01/02 23:05:48 | 00,011,520 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/01/02 22:20:40 | 00,432,000 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/12/12 09:54:14 | 00,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/02 21:23:20 | 00,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/11/28 17:34:40 | 00,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2003/09/19 03:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/07/18 19:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/07/02 14:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/01/10 09:56:34 | 00,030,921 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SQCaptur.sys -- (DCamUSBSQTECH) Dual-Mode DSC(2770)
DRV - [2002/10/04 20:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 00:43:50 | 00,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/do1productions
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = <local>
========== FireFox ==========
FF - prefs.js..browser.startup.homepage: "http://www.myspace.com/do1productions"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.1
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/15 17:07:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/13 20:16:37 | 00,000,000 | ---D | M]
[2009/09/02 19:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/31 17:29:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\extensions
[2009/10/23 07:14:09 | 00,000,000 | ---D | M] (ReloadEvery) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/09/02 19:15:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2009/02/19 16:55:07 | 00,000,050 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O3 - HKLM\..\Toolbar: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Value error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [GhostSurf Reminder] C:\Program Files\GhostSurf 2007 Platinum\Privacy Control Center.exe (Tenebril Inc.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe ()
O4 - HKLM..\Run: [VTTimer] File not found
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; Mozilla\4.0 ( File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRunBackup = -1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - File not found
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Value error. File not found
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://www.taxsimple.org/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB (TSEasyInstallX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.3 64.233.217.5
O20 - AppInit_DLLs: (interceptor.dll) - C:\WINDOWS\System32\Interceptor.dll (Tenebril Inc.)
O20 - AppInit_DLLs: (secuload.dll) - File not found
O20 - AppInit_DLLs: (oyxyyk.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 03:03:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/11 18:42:57 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{81cf5c59-f1a8-11de-bbbd-00110914716b}\Shell\Auto\command - "" = P:\launcher.exe -- File not found
O33 - MountPoints2\{81cf5c59-f1a8-11de-bbbd-00110914716b}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (SsiEfr.ex) - File not found
O34 - HKLM BootExecute: (otExecute settings...) - File not found
O34 - HKLM BootExecute: (ountPo) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/01/16 23:03:59 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/16 16:30:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/13 20:29:23 | 00,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/12/28 21:00:40 | 00,000,000 | ---D | C] -- C:\Program Files\Nick Jr. Arcade
[2009/12/27 21:56:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVS4YOU
[2009/12/27 21:56:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/12/27 21:53:17 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3a.dll
[2009/12/27 21:53:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia
[2009/12/27 21:53:16 | 00,000,000 | ---D | C] -- C:\Program Files\AVS4YOU
[2009/12/25 23:17:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\movtoavi
[2009/12/25 22:15:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/12/25 17:54:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RCA easyRip
[2009/10/19 01:05:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/03/07 16:42:54 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/08/18 16:59:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/10/21 16:56:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/21 16:56:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/10/21 16:56:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/08/30 01:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2006/08/30 01:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2006/05/10 14:37:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2006/05/02 20:54:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/16 16:30:40 | 00,001,742 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/01/16 14:08:29 | 13,893,632 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/01/16 13:33:16 | 00,035,430 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\virus.html
[2010/01/16 13:30:14 | 00,035,430 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\virus.html
[2010/01/15 17:00:01 | 00,000,316 | ---- | M] () -- C:\WINDOWS\tasks\dtughkqe.job
[2010/01/15 16:59:23 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/15 16:58:09 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/15 16:58:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/15 16:55:49 | 02,111,356 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/01/15 16:30:45 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/15 13:46:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/15 10:30:30 | 00,000,001 | ---- | M] () -- C:\s
[2010/01/14 11:35:04 | 00,000,187 | ---- | M] () -- C:\WINDOWS\sc.INI
[2010/01/13 20:30:48 | 00,000,790 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2010/01/13 20:28:41 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/01/13 20:28:41 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/01/13 07:57:00 | 00,000,332 | ---- | M] () -- C:\WINDOWS\beatbox.INI
[2010/01/13 07:57:00 | 00,000,028 | ---- | M] () -- C:\WINDOWS\robota.INI
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/05 20:39:38 | 00,006,435 | ---- | M] () -- C:\WINDOWS\System32\WORK.DAT
[2010/01/05 20:39:23 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\wupd.dat
[2009/12/27 13:57:14 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2009/12/25 22:22:54 | 03,141,944 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GEDC0024.avi
[2009/12/25 22:22:00 | 01,622,708 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GEDC0012.avi
[2009/12/25 19:02:22 | 00,000,097 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2009/12/22 20:39:00 | 00,011,497 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AccessCards.pdf
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/01/16 16:30:40 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/01/16 13:33:14 | 00,035,430 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\virus.html
[2010/01/16 13:30:02 | 00,035,430 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\virus.html
[2010/01/15 10:30:30 | 00,000,001 | ---- | C] () -- C:\s
[2010/01/13 20:30:48 | 00,000,790 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2010/01/05 20:39:23 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\wupd.dat
[2010/01/05 20:39:16 | 00,006,435 | ---- | C] () -- C:\WINDOWS\System32\WORK.DAT
[2010/01/05 15:44:57 | 13,893,632 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2009/12/25 22:22:15 | 03,141,944 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GEDC0024.avi
[2009/12/25 22:21:40 | 01,622,708 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GEDC0012.avi
[2009/12/22 20:38:55 | 00,011,497 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AccessCards.pdf
[2009/12/04 18:22:31 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/12/04 18:22:12 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/12/04 18:22:12 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/20 20:48:41 | 00,000,187 | ---- | C] () -- C:\WINDOWS\sc.INI
[2009/02/04 17:47:57 | 00,000,062 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/02/03 22:08:00 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\AVLibrary.dll
[2009/01/25 13:58:00 | 01,434,061 | -HS- | C] () -- C:\WINDOWS\System32\mbioynvx.ini
[2009/01/25 13:54:34 | 00,405,972 | -HS- | C] () -- C:\WINDOWS\System32\LTDKUuvw.ini2
[2009/01/25 13:54:32 | 00,405,972 | -HS- | C] () -- C:\WINDOWS\System32\LTDKUuvw.ini
[2009/01/06 07:05:59 | 00,000,049 | ---- | C] () -- C:\WINDOWS\netctrl.ini
[2008/12/25 17:39:12 | 00,000,110 | ---- | C] () -- C:\WINDOWS\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
[2008/10/14 06:06:57 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/06/11 10:09:57 | 00,092,544 | ---- | C] () -- C:\WINDOWS\System32\xqnbsyjw.dll
[2008/06/10 21:09:50 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\mgxasio2.dll
[2008/06/10 21:09:06 | 00,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2008/04/30 19:02:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\Wavlbsys.dll
[2008/04/30 19:02:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\Hyperman.dll
[2008/03/17 20:04:31 | 00,000,057 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/09/19 19:02:15 | 00,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/09/13 17:29:18 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2007/08/26 19:10:30 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/15 19:31:36 | 00,000,578 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AutoGK.ini
[2007/08/13 22:38:06 | 00,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007/08/13 18:15:08 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/08/13 18:15:08 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/08/13 15:10:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2007/05/02 06:13:29 | 00,000,035 | ---- | C] () -- C:\WINDOWS\Pt.dll
[2006/05/10 14:37:17 | 00,000,092 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/05/10 14:37:11 | 00,000,339 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/05/10 14:36:04 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2006/05/10 14:34:46 | 00,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2006/05/02 22:02:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2006/05/02 20:54:21 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/05/02 20:54:21 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2006/01/04 14:57:17 | 00,000,046 | ---- | C] () -- C:\WINDOWS\mxcdr.INI
[2005/12/24 11:33:16 | 00,038,912 | ---- | C] () -- C:\WINDOWS\System32\mgxasio.dll
[2005/11/25 15:04:33 | 00,000,046 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/11/25 15:02:55 | 00,000,078 | ---- | C] () -- C:\WINDOWS\TONKA.INI
[2005/08/13 12:25:39 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\richtxt4.dll
[2005/08/13 12:25:39 | 00,000,029 | ---- | C] () -- C:\WINDOWS\pool.ini
[2005/08/04 19:55:20 | 00,000,194 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS
[2005/05/29 17:16:26 | 00,000,960 | ---- | C] () -- C:\WINDOWS\musiceditor.INI
[2005/01/08 18:06:27 | 00,000,021 | ---- | C] () -- C:\WINDOWS\PI4_setup.ini
[2004/12/17 18:18:12 | 00,000,579 | ---- | C] () -- C:\WINDOWS\KA.INI
[2004/12/05 19:44:42 | 00,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/12/05 19:44:42 | 00,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/12/05 19:44:18 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/11/05 23:31:15 | 00,000,317 | ---- | C] () -- C:\WINDOWS\sampler.INI
[2004/11/05 23:31:14 | 00,000,028 | ---- | C] () -- C:\WINDOWS\robota.INI
[2004/11/05 23:31:13 | 00,000,332 | ---- | C] () -- C:\WINDOWS\beatbox.INI
[2004/11/05 23:05:32 | 00,000,338 | ---- | C] () -- C:\WINDOWS\musicmaker.INI
[2004/11/05 22:51:53 | 00,005,937 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2004/11/05 22:51:53 | 00,000,150 | ---- | C] () -- C:\WINDOWS\magix.ini
[2004/10/23 15:48:53 | 00,037,376 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/09/26 17:45:19 | 00,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/09/14 18:46:11 | 00,000,097 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/07/27 23:44:08 | 00,040,960 | ---- | C] () -- C:\WINDOWS\SPARKEY.DLL
[2004/06/08 18:41:12 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/06/08 18:41:12 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/06/08 18:41:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/06/08 18:41:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/06/08 18:41:12 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/06/08 18:41:12 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/04/03 03:18:54 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 02:36:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 02:36:39 | 00,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 19:19:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/04/02 19:18:38 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/04/02 19:18:38 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/04/02 19:17:14 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 19:15:40 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 19:00:40 | 00,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 19:00:02 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/04/02 05:01:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 04:52:33 | 00,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 04:14:52 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 03:43:52 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 03:34:53 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 03:34:53 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 03:34:35 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 03:08:11 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 01:52:53 | 00,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/24 02:33:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/08 01:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/15 17:54:04 | 00,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[1999/07/23 12:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3C6F4669
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9D0F60A0
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCD94695
< End of report >
OTL Extras logfile created on: 1/16/2010 11:04:33 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 304.00 Mb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.18 Gb Total Space | 5.85 Gb Free Space | 17.63% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.69 Gb Free Space | 16.90% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 697.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: MAIN
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Value error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1A24F9E8-009D-40FC-ABED-2AAFFAB0F4F0}" = InterLok Driver Kit
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(tm) 6 Update 11
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SONY_MEDIAMGR2)
"{2D37F6AE-D201-4580-B91A-6BF9BB93ED2D}" = The Sims™ 2 Double Deluxe
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java(tm) 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(tm) 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160060}" = Java(tm) SE Development Kit 6 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35B8CC58-F128-4169-82EB-0E6CB0C3AFE6}" = ArcSoft PhotoImpression
"{4AF6FE63-53AB-4D03-A4D0-8D42AC0A7856}" = Casio SMF Conveter
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5C648FDB-0138-4619-B66E-230EF53E8E2C}" = The Sims™ 2 Teen Style Stuff
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6890BB45-8983-47C3-8FE5-4A03CB7554FE}" = Native Instruments Compilation Vol. 1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74EC78BC-B379-4E29-9006-8F161DCAABA6}" = Apple Software Update
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}" = Text-To-Speech-Runtime
"{87F6C83D-F949-4d14-B5CB-DC8C75F8932D}" = The Sims™ 2 FreeTime
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8A7E941F-2BB4-47D0-B732-8AE5F3513B68}" = ASAPI
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{92B43A6F-E328-495A-ACFA-FC47C1B7215D}" = Digidesign Shared Plug-Ins 7.0
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{9EAB794B-ABC6-4261-821F-326B6CA87AFD}" = LeapFrog Tag Plugin
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B2F4A60F-7C07-4DDB-B29B-B4EE8E451B87}" = MediaFACE 4.01 Design Wizard
"{B6F5B704-06D3-4687-90F3-6195304AD755}" = The Sims™ 2 Apartment Life
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD49361E-3FE6-457E-90A1-9C59E29B5D02}" = Java DB 10.3.1.4
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF055C57-A988-42E6-BDAF-E3D94C6973A8}" = LeapFrog Connect
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D99B2022-8C8B-4F47-8B7F-D6ECC3562B51}" = Media Manager 2.4
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = The Sims™ 2 Seasons
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
"{E17AF7A0-B0A8-4B55-A4B4-1D8D4E171BA2}" = Free Bomb Factory Plug-Ins 7.0
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EA2C608A-60C1-4722-8643-03E5FBE87F5B}" = FL Studio 4.5
"{F248ADFA-64E0-4b03-8A83-059078BED6A0}" = The Sims™ 2 Bon Voyage
"{F354FE7E-783D-6880-F7DB-C61197C799E3}" = imeem Uploader
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"0E5906722E3ECA13747F1633D3F55E9F47120424" = Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
"2G_1.0" = JumpStart 2nd Grade v1.0
"3DGroove" = 3D Groove Playback Engine
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"ASIO4ALL" = ASIO4ALL
"AVIcodec" = AVIcodec (remove only)
"BackWeb-1940576 Uninstaller" = Compaq Connections
"Bowling" = Bowling
"CleanUp!" = CleanUp!
"com.imeem.DesktopUploader.6C3F108F466C0F04F30B58747CAA4DF34281133B.1" = imeem Uploader
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Compaq Instant Support" = Compaq Instant Support
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"Easy-Hide-IP_is1" = Easy-Hide-IP 1.6
"Edirol HQ Orchestral v1.01" = Edirol HQ Orchestral v1.01
"eGames GameButler" = eGames GameButler
"FG_1.4" = Jumpstart First Grade v1.4
"Firebird SQL Server US" = Firebird SQL Server - MAGIX Edition
"FL Studio 7" = FL Studio 7
"FL Studio 9" = FL Studio 9
"GhostSurfPlatinum07_is1" = GhostSurf 2007 Platinum
"Graphic Equalizer Studio" = Graphic Equalizer Studio
"Hardcore" = Hardcore
"HijackThis" = HijackThis 2.0.2
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IL Download Manager" = IL Download Manager
"InstallShield_{4AF6FE63-53AB-4D03-A4D0-8D42AC0A7856}" = Casio SMF Conveter
"InstallShield_{B2F4A60F-7C07-4DDB-B29B-B4EE8E451B87}" = MediaFACE 4.01 Design Wizard
"KG_2.4b" = JumpStart Kindergarten v2.4b
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.4.4 (Full)
"Lexmark 1200 Series" = Lexmark 1200 Series
"lhimryezobsqhew" = RON Tool Netupbanner
"MagicDisc 2.7.105" = MagicDisc 2.7.105
"MAGIX Music Maker 14 Producer Edition Download version US" = MAGIX Music Maker 14 Producer Edition Download version 13.0.2.1 (US)
"MAGIX Screenshare US" = MAGIX Screenshare 4.3.6.1987 (US)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MobilePre" = MobilePre 1.0.0.12
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MVApplication1" = Memorex exPressit Label Design Studio
"Native Instruments Compilation Vol. 1" = Native Instruments Compilation Vol. 1
"NVIDIA" =
"odf-converter-integrator" = odf-converter-integrator
"OmniquadTS" = Omniquad Total Security
"Pencil-Pal First Grade" = Pencil-Pal First Grade
"PoiZone" = PoiZone
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"RealPlayer 6.0" = RealPlayer Basic
"Sawer" = Sawer
"SoundCapture" = SoundCapture
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Sytrus" = Sytrus
"Toxic Biohazard" = Toxic Biohazard
"UPCShell" = LeapFrog Connect
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"Winamp" = Winamp
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"Wise Disk Cleaner_is1" = Wise Disk Cleaner 3.74
"Wise Registry Cleaner_is1" = Wise Registry Cleaner 3 Free 3.82
"wmp11" = Windows Media Player 11
"Xilisoft Video Converter" = Xilisoft Video Converter
"XviD MPEG4 Video Codec" = XviD MPEG4 Video Codec (remove only)
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Toolbar" = Yahoo! Toolbar
"YRefresher_is1" = Yrefresher 1.00
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"Mask Surf Lite" = Mask Surf Lite
"Move Media Player" = Move Media Player
"uTorrent" = µTorrent
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 1/13/2010 9:54:57 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10d.ocx, version 10.0.42.34, fault address 0x002ef8b6.
Error - 1/14/2010 1:58:36 AM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 1/15/2010 9:00:08 AM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x0263139c.
Error - 1/15/2010 5:20:33 PM | Computer Name = MAIN | Source = MsiInstaller | ID = 10005
Description = Product: MSXML 4.0 SP2 (KB973688) -- The installer has encountered
an unexpected error installing this package. This may indicate a problem with this
package. The error code is 2932. The arguments are: c:\WINDOWS\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe,
131,
Error - 1/15/2010 5:22:06 PM | Computer Name = MAIN | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft Office Standard Edition 2003 -- Error 2932. An
internal error has occurred. (C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\graph.ico
131 ) Contact Microsoft Product Support Services (PSS) for assistance.
For information about how to contact PSS, see C:\Program Files\Microsoft Office\OFFICE11\1033\PSS10R.CHM.
Error - 1/15/2010 5:22:38 PM | Computer Name = MAIN | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Standard Edition 2003 - Update 'Update for
Office 2003 (KB978551): IRMPRTIDNMinus1' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127
Error - 1/15/2010 6:27:37 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 1/15/2010 10:55:22 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10d.ocx, version 10.0.42.34, fault address 0x002ef8b6.
Error - 1/16/2010 3:46:31 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x025e139c.
[ System Events ]
Error - 1/15/2010 5:34:30 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
Description = The PC Tools AntiVirus Engine service failed to start due to the following
error: %%2
Error - 1/15/2010 5:34:33 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep fasttx2k PCIIde SISAGP viaagp1 ViaIde
Error - 1/15/2010 5:35:38 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7034
Description = The LexBce Server service terminated unexpectedly. It has done this
1 time(s).
Error - 1/15/2010 5:35:44 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7034
Description = The EasyHideIP service terminated unexpectedly. It has done this
1 time(s).
Error - 1/15/2010 5:52:34 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
Description = The PC Tools AntiVirus Engine service failed to start due to the following
error: %%2
Error - 1/15/2010 5:52:34 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep
Error - 1/15/2010 5:58:47 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
Description = The PC Tools AntiVirus Engine service failed to start due to the following
error: %%2
Error - 1/15/2010 5:58:47 PM | Computer Name = MAIN | So
-
Download ComboFix from this location:
Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it ONLY to your Desktop
--------------------------------------------------------------------
Temporarily disable your AntiVirus/AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with this tool.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will let us more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply.
NOTE: Do not mouse-click inside the ComboFix window while it is running; it may cause it to stall.
ComboFix will/may run again on startup; it will prompt that it is creating a log.
This process could take up to 10 minutes; please let it run uninterrupted.
-
ComboFix 10-01-16.04 - Owner 01/17/2010 11:34:35.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.183 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\Desktopicon
c:\program files\outlook
c:\program files\webserver
C:\s
c:\windows\EventSystem.log
c:\windows\IA
c:\windows\IA\KE.vbs
c:\windows\patch.exe
c:\windows\system32\LTDKUuvw.ini
c:\windows\system32\LTDKUuvw.ini2
c:\windows\system32\mbioynvx.ini
c:\windows\system32\Thumbs.db
c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat
c:\windows\Tasks\dtughkqe.job
c:\windows\wiaserviv.log
c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2009-12-28 02:56 . 2009-12-28 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2009-12-28 02:56 . 2009-12-28 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-12-26 03:15 . 2009-12-26 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 21:30 . 2010-01-16 21:30 -------- d-----w- c:\program files\Trend Micro
2010-01-14 22:17 . 2008-01-26 22:22 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-01-14 22:12 . 2008-01-26 22:24 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-14 01:16 . 2009-08-01 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-14 01:16 . 2009-08-01 20:04 -------- d-----w- c:\program files\NOS
2010-01-13 19:56 . 2008-05-11 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 19:55 . 2008-06-09 02:16 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2008-07-21 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-05-11 19:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 23:19 . 2008-06-11 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2010-01-06 23:19 . 2006-01-05 12:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Magix
2010-01-01 06:42 . 2007-08-13 21:09 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-12-29 02:00 . 2009-12-29 02:00 -------- d-----w- c:\program files\Nick Jr. Arcade
2009-12-28 03:02 . 2009-12-28 02:53 -------- d-----w- c:\program files\AVS4YOU
2009-12-28 03:01 . 2009-12-28 02:53 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-26 03:15 . 2007-08-18 06:11 -------- d-----w- c:\program files\QuickTime
2009-12-04 23:22 . 2009-02-27 02:18 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-04 23:13 . 2004-09-29 21:19 73120 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 18:00 . 2009-12-04 23:22 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-29 07:45 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2002-07-31 23:55 . 2005-08-05 00:55 194 -csh--w- c:\windows\WSYS049.SYS
2007-08-26 21:32 . 2007-08-26 21:32 0 --sha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"GhostSurf Reminder"="c:\program files\GhostSurf 2007 Platinum\Privacy Control Center.exe" [2005-08-15 82037]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\Interceptor.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^M-Audio MobilePre Control Panel Launcher.lnk]
backup=c:\windows\pss\M-Audio MobilePre Control Panel Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
backup=c:\windows\pss\SpyCatcher Protector.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostSurf Reminder]
2005-08-15 02:32 82037 ----a-w- c:\program files\GhostSurf 2007 Platinum\Privacy Control Center.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-10-13 14:35 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-04 17:01 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-04-10 17:29 37888 ----a-w- c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
R2 EasyHideIP;EasyHideIP;c:\program files\Easy-Hide-IP\services\EasyHideIp.exe [3/30/2009 10:04 PM 45056]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;k:\magix music maker 2008 producer edition\Common\Database\bin\fbserver.exe --> k:\magix music maker 2008 producer edition\Common\Database\bin\fbserver.exe [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2008 5:40 PM 18560]
S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\DRIVERS\gttap1.sys --> c:\windows\system32\DRIVERS\gttap1.sys [?]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 9:31 PM 29263712]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [1/29/2006 3:15 PM 18048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.myspace.com/do1productions
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = <local>
uSearchAssistant = hxxp://www.google.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/do1productions
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-VTTimer - VTTimer.exe
AddRemove-Edirol HQ Orchestral v1.01 - k:\image-~1\FRUITY~1\Plugins\VST\Edirol\ORCHES~1\UNWISE.EXE
AddRemove-Firebird SQL Server US - k:\common\Database\unwise.exe
AddRemove-FL Studio 7 - k:\image-line\FRUITYLOOP7\uninstall.exe
AddRemove-FL Studio 9 - k:\image-line\FL9\FLStudioXXL9\uninstall.exe
AddRemove-Graphic Equalizer Studio - c:\program files\PAS-Products\Graphic Equalizer Studio\DeIsL1.isu
AddRemove-MAGIX Music Maker 14 Producer Edition Download version US - k:\magix14\unwise.exe
AddRemove-MAGIX Screenshare US - k:\pcvisit\unwise.exe
AddRemove-{2D37F6AE-D201-4580-B91A-6BF9BB93ED2D} - k:\ea\EAUninstall.exe
AddRemove-{5C648FDB-0138-4619-B66E-230EF53E8E2C} - k:\ea\Sims 2 Teen Stuff\EAUninstall.exe
AddRemove-{87F6C83D-F949-4d14-B5CB-DC8C75F8932D} - k:\ea\freetime\EAUninstall.exe
AddRemove-{B6F5B704-06D3-4687-90F3-6195304AD755} - k:\ea\EAUninstall.exe
AddRemove-{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06} - k:\seasons\EAUninstall.exe
AddRemove-{F248ADFA-64E0-4b03-8A83-059078BED6A0} - k:\ea\The_Sims_2_Bon_Voyage-FLT\EAUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 11:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1683667600-2349370972-1423106209-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Easy-Hide-IP\services\EasyHideIP-Server2\Easy-Hide-IPS2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Easy-Hide-IP\services\EasyHideIP-Server2\EasyHideIP-Server2.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\M-Audio MobilePre\Install\MPInst.exe
c:\program files\Easy-Hide-IP\services\EasyHideIP-Server1\EasyHideIP-Server1.exe
c:\program files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Completion time: 2010-01-17 12:10:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 17:10
Pre-Run: 6,088,867,840 bytes free
Post-Run: 6,064,328,704 bytes free
- - End Of File - - 1BBF02624F7BB192DD0F4E8A59AE86F5
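The "Reg Loading Points" section of the log above is where a responder reads first: an AppInit_DLLs entry, a BootExecute value with something after the default autochk, both Security Center override flags set, and four globally open firewall ports labelled only "Services". The Python below is an added example, not part of the thread or of ComboFix; it parses an excerpt copied from that section (the lines are the log's own, the rule names are this example's) and lists those entries for review. It judges nothing about what Interceptor.dll or SsiEfr.ex are, which the log alone does not settle.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the "Reg Loading Points" section of the ComboFix log above.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\Interceptor.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"""

DEFAULT_BOOTEXECUTE = "autocheck autochk *"          # the only entry a stock XP box carries
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
DWORD_RE = re.compile(r"dword:([0-9A-Fa-f]{8})")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group value lines under the [key] header that precedes them (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for entries a responder should review; it judges nothing."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_sections(text).items():
        for line in lines:
            if key.endswith(r"windows nt\currentversion\windows") and line.startswith('"AppInit_DLLs"='):
                # Any DLL listed here is loaded into every process that links user32.dll.
                value = line.split("=", 1)[1].strip()
                if value and value != '""':
                    findings.append(("appinit-dll", value))
            elif key.endswith(r"control\session manager") and line.startswith("BootExecute"):
                # Session Manager runs these before any service starts; ComboFix prints the
                # REG_MULTI_SZ separator as a literal "\0".
                value = line.split("REG_MULTI_SZ", 1)[1].strip()
                for entry in value.split(r"\0"):
                    if entry and entry != DEFAULT_BOOTEXECUTE:
                        findings.append(("bootexecute-extra", entry))
            elif key.endswith(r"microsoft\security center") and "Override" in line:
                # A value of 1 silences Security Center's "no antivirus / no firewall" warnings.
                name, _, value = line.partition("=")
                m = DWORD_RE.search(value)
                if m and int(m.group(1), 16) == 1:
                    findings.append(("securitycenter-override", name.strip('"')))
            elif key.endswith(r"globallyopenports\list"):
                # Inbound holes in the XP firewall; a bare "Services" label names no product.
                m = PORT_RE.match(line)
                if m:
                    port, proto, label = m.groups()
                    findings.append(("firewall-open-port", f"{port}/{proto} ({label.strip() or 'unnamed'})"))
    return findings
```

Feeding the whole ComboFix.txt to `triage()` is fine: lines under keys the rules do not name are ignored, and the Run key entries in the excerpt show that. Each finding is a pointer back into the log, to be checked against what is actually installed, not a verdict.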
-
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1: http://jpshortstuff.247fixes.com/SystemLook.exe
Download Mirror #2: http://images.malwareremoval.com/jpshortstuff/SystemLook.exe
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
atapi.sys
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Also: Go to this link
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to this file on your hard disk
c:\windows\system32\DRIVERS\atapi.sys<--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Or better yet, post the link to the results
-
thank you... here is the link:
http://www.virustotal.com/analisis/b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9-1263742066
Here are the results:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:00 on 17/01/2010 by Owner (Administrator - Elevation successful)
========== filefind ==========
Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [17:07 17/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [23:44 08/06/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [23:44 08/06/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
-=End Of File=-
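The filefind step asks for every copy of atapi.sys so the driver the kernel loads (system32\drivers) can be compared with the Windows reference copies (ServicePackFiles\i386 and system32\dllcache) and with the backup ComboFix kept in ERDNT\cache. The Python below, an added example that is not part of the thread or of SystemLook, parses that report and makes the comparison explicit. The first sample is the result posted above; the second is constructed with a made-up hash on the live copy at the same size, the case a size check alone would miss. The directory roles and verdict names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the filefind result posted in the thread (four copies, one hash).
SYSTEMLOOK_CLEAN = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [17:07 17/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [23:44 08/06/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [23:44 08/06/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
-=End Of File=-
"""

# Constructed variant: the live driver carries a different (made-up) hash at the same size,
# which is what an in-place patch of the file looks like in this report.
_LIVE = r"C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [23:44 08/06/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674"
SYSTEMLOOK_PATCHED = SYSTEMLOOK_CLEAN.replace(_LIVE, _LIVE[:-32] + "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F")

# One filefind line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+)\s+bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Directory roles (this example's choice): where XP keeps pristine copies of a system driver,
# the copy the kernel actually loads, and the backup ComboFix made of what it replaced.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
LIVE_DIR = "\\system32\\drivers\\"
BACKUP_DIR = "\\erdnt\\cache\\"


@dataclass
class FileHit:
    path: str
    size: int
    md5: str


def parse_filefind(text: str) -> List[FileHit]:
    """Extract every file line from a SystemLook :filefind report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["md5"].upper()))
    return hits


def classify(path: str) -> str:
    p = path.lower()
    if LIVE_DIR in p:
        return "live"
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if BACKUP_DIR in p:
        return "backup"
    return "other"


def check_driver(text: str) -> dict:
    """Compare the loaded driver against the reference copies; hashes decide, sizes do not."""
    by_role: dict = {}
    for h in parse_filefind(text):
        by_role.setdefault(classify(h.path), []).append(h)
    live = by_role.get("live", [])
    refs = by_role.get("reference", [])
    result = {
        "live_md5": live[0].md5 if live else None,
        "reference_md5s": sorted({h.md5 for h in refs}),
        "same_size": None,
    }
    if not live:
        result["verdict"] = "no-live-copy"
    elif not refs:
        result["verdict"] = "no-reference"
    elif len(result["reference_md5s"]) > 1:
        result["verdict"] = "references-disagree"   # a reference copy cannot be trusted either
    else:
        result["same_size"] = all(h.size == live[0].size for h in refs)
        result["verdict"] = "consistent" if live[0].md5 in result["reference_md5s"] else "mismatch"
    return result
```

Run it on the SystemLook.txt left on the Desktop: `check_driver(open(path).read())`. The verdict worth acting on is mismatch; references-disagree means the dllcache or ServicePackFiles copy is not a safe restore source either, and the backup in ERDNT\cache only tells you what ComboFix replaced, not whether the replacement is genuine.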
-
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
- Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
- If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
- When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
-
14:50:45:984 1732 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
14:50:45:984 1732 ================================================================================
14:50:45:984 1732 SystemInfo:
14:50:45:984 1732 OS Version: 5.1.2600 ServicePack: 3.0
14:50:45:984 1732 Product type: Workstation
14:50:45:984 1732 ComputerName: MAIN
14:50:45:984 1732 UserName: Owner
14:50:45:984 1732 Windows directory: C:\WINDOWS
14:50:45:984 1732 Processor architecture: Intel x86
14:50:45:984 1732 Number of processors: 1
14:50:45:984 1732 Page size: 0x1000
14:50:45:984 1732 Boot type: Normal boot
14:50:45:984 1732 ================================================================================
14:50:46:140 1732 UnloadDriverW: NtUnloadDriver error 2
14:50:46:140 1732 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:50:46:156 1732 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
14:50:46:359 1732 UtilityInit: KLMD drop and load success
14:50:46:359 1732 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
14:50:46:359 1732 UtilityInit: KLMD open success
14:50:46:359 1732 UtilityInit: Initialize success
14:50:46:359 1732
14:50:46:359 1732 Scanning Services ...
14:50:46:359 1732 CreateRegParser: Registry parser init started
14:50:46:359 1732 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
14:50:46:359 1732 CreateRegParser: DisableWow64Redirection error
14:50:46:359 1732 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:50:46:359 1732 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
14:50:46:359 1732 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:50:46:359 1732 wfopen_ex: Trying to KLMD file open
14:50:46:359 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
14:50:46:359 1732 wfopen_ex: File opened ok (Flags 2)
14:50:46:359 1732 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3B4B78
14:50:46:359 1732 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:50:46:359 1732 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
14:50:46:359 1732 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:50:46:359 1732 wfopen_ex: Trying to KLMD file open
14:50:46:359 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
14:50:46:359 1732 wfopen_ex: File opened ok (Flags 2)
14:50:46:359 1732 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3B4A68
14:50:46:359 1732 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
14:50:46:359 1732 CreateRegParser: EnableWow64Redirection error
14:50:46:359 1732 CreateRegParser: RegParser init completed
14:50:47:218 1732 GetAdvancedServicesInfo: Raw services enum returned 356 services
14:50:47:250 1732 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:50:47:250 1732 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:50:47:250 1732
14:50:47:250 1732 Scanning Kernel memory ...
14:50:47:250 1732 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:50:47:250 1732 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 83B97030
14:50:47:250 1732 DetectCureTDL3: KLMD_GetDeviceObjectList returned 11 DevObjects
14:50:47:250 1732
14:50:47:250 1732 DetectCureTDL3: DEVICE_OBJECT: 8364CC68
14:50:47:250 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8364CC68
14:50:47:250 1732 KLMD_ReadMem: Trying to ReadMemory 0x8364CC68[0x38]
14:50:47:250 1732 DetectCureTDL3: DRIVER_OBJECT: 83B97030
14:50:47:250 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B97030[0xA8]
14:50:47:250 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4CF50[0x18]
14:50:47:250 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:50:47:250 1732 DetectCureTDL3: IrpHandler (0) addr: F9007BB0
14:50:47:250 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (2) addr: F9007BB0
14:50:47:250 1732 DetectCureTDL3: IrpHandler (3) addr: F9001D1F
14:50:47:250 1732 DetectCureTDL3: IrpHandler (4) addr: F9001D1F
14:50:47:250 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (9) addr: F90022E2
14:50:47:250 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (14) addr: F90023BB
14:50:47:250 1732 DetectCureTDL3: IrpHandler (15) addr: F9005F28
14:50:47:250 1732 DetectCureTDL3: IrpHandler (16) addr: F90022E2
14:50:47:250 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (22) addr: F9003C82
14:50:47:250 1732 DetectCureTDL3: IrpHandler (23) addr: F900899E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:250 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:250 1732 TDL3_FileDetect: Processing driver: Disk
14:50:47:250 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:250 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:296 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:50:47:296 1732
14:50:47:296 1732 DetectCureTDL3: DEVICE_OBJECT: 8364D9D8
14:50:47:296 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8364D9D8
14:50:47:296 1732 KLMD_ReadMem: Trying to ReadMemory 0x8364D9D8[0x38]
14:50:47:296 1732 DetectCureTDL3: DRIVER_OBJECT: 83B97030
14:50:47:296 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B97030[0xA8]
14:50:47:296 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4CF50[0x18]
14:50:47:296 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:50:47:296 1732 DetectCureTDL3: IrpHandler (0) addr: F9007BB0
14:50:47:296 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (2) addr: F9007BB0
14:50:47:296 1732 DetectCureTDL3: IrpHandler (3) addr: F9001D1F
14:50:47:296 1732 DetectCureTDL3: IrpHandler (4) addr: F9001D1F
14:50:47:296 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (9) addr: F90022E2
14:50:47:296 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (14) addr: F90023BB
14:50:47:296 1732 DetectCureTDL3: IrpHandler (15) addr: F9005F28
14:50:47:296 1732 DetectCureTDL3: IrpHandler (16) addr: F90022E2
14:50:47:296 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (22) addr: F9003C82
14:50:47:296 1732 DetectCureTDL3: IrpHandler (23) addr: F900899E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:296 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:296 1732 TDL3_FileDetect: Processing driver: Disk
14:50:47:296 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:296 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:312 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:50:47:312 1732
14:50:47:312 1732 DetectCureTDL3: DEVICE_OBJECT: 8364E2D8
14:50:47:312 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8364E2D8
14:50:47:312 1732 KLMD_ReadMem: Trying to ReadMemory 0x8364E2D8[0x38]
14:50:47:312 1732 DetectCureTDL3: DRIVER_OBJECT: 83B97030
14:50:47:312 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B97030[0xA8]
14:50:47:312 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4CF50[0x18]
14:50:47:312 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:50:47:312 1732 DetectCureTDL3: IrpHandler (0) addr: F9007BB0
14:50:47:312 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (2) addr: F9007BB0
14:50:47:312 1732 DetectCureTDL3: IrpHandler (3) addr: F9001D1F
14:50:47:312 1732 DetectCureTDL3: IrpHandler (4) addr: F9001D1F
14:50:47:312 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (9) addr: F90022E2
14:50:47:312 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (14) addr: F90023BB
14:50:47:312 1732 DetectCureTDL3: IrpHandler (15) addr: F9005F28
14:50:47:312 1732 DetectCureTDL3: IrpHandler (16) addr: F90022E2
14:50:47:312 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (22) addr: F9003C82
14:50:47:312 1732 DetectCureTDL3: IrpHandler (23) addr: F900899E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:312 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:312 1732 TDL3_FileDetect: Processing driver: Disk
14:50:47:312 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:312 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:328 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:50:47:328 1732
14:50:47:328 1732 DetectCureTDL3: DEVICE_OBJECT: 839F8C68
14:50:47:328 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 839F8C68
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0x839F8C68[0x38]
14:50:47:328 1732 DetectCureTDL3: DRIVER_OBJECT: 83B97030
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B97030[0xA8]
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4CF50[0x18]
14:50:47:328 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:50:47:328 1732 DetectCureTDL3: IrpHandler (0) addr: F9007BB0
14:50:47:328 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (2) addr: F9007BB0
14:50:47:328 1732 DetectCureTDL3: IrpHandler (3) addr: F9001D1F
14:50:47:328 1732 DetectCureTDL3: IrpHandler (4) addr: F9001D1F
14:50:47:328 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (9) addr: F90022E2
14:50:47:328 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (14) addr: F90023BB
14:50:47:328 1732 DetectCureTDL3: IrpHandler (15) addr: F9005F28
14:50:47:328 1732 DetectCureTDL3: IrpHandler (16) addr: F90022E2
14:50:47:328 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (22) addr: F9003C82
14:50:47:328 1732 DetectCureTDL3: IrpHandler (23) addr: F900899E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:328 1732 TDL3_FileDetect: Processing driver: Disk
14:50:47:328 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:328 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:328 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:50:47:328 1732
14:50:47:328 1732 DetectCureTDL3: DEVICE_OBJECT: 8370AAB8
14:50:47:328 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8370AAB8
14:50:47:328 1732 DetectCureTDL3: DEVICE_OBJECT: 837ACEA0
14:50:47:328 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 837ACEA0
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0x837ACEA0[0x38]
14:50:47:328 1732 DetectCureTDL3: DRIVER_OBJECT: 837DCBB8
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0x837DCBB8[0xA8]
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0xE19EBE10[0x1E]
14:50:47:328 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:50:47:328 1732 DetectCureTDL3: IrpHandler (0) addr: F932E218
14:50:47:328 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (2) addr: F932E218
14:50:47:328 1732 DetectCureTDL3: IrpHandler (3) addr: F932E23C
14:50:47:328 1732 DetectCureTDL3: IrpHandler (4) addr: F932E23C
14:50:47:328 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (14) addr: F932E180
14:50:47:328 1732 DetectCureTDL3: IrpHandler (15) addr: F93299E6
14:50:47:328 1732 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (22) addr: F932D5F0
14:50:47:328 1732 DetectCureTDL3: IrpHandler (23) addr: F932BA6E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:328 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:328 1732 KLMD_ReadMem: Trying to ReadMemory 0xF932AF26[0x400]
14:50:47:328 1732 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
14:50:47:328 1732 TDL3_FileDetect: Processing driver: USBSTOR
14:50:47:328 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:328 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:375 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:50:47:375 1732
14:50:47:375 1732 DetectCureTDL3: DEVICE_OBJECT: 8370A030
14:50:47:375 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8370A030
14:50:47:375 1732 DetectCureTDL3: DEVICE_OBJECT: 83B54EA0
14:50:47:375 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83B54EA0
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B54EA0[0x38]
14:50:47:375 1732 DetectCureTDL3: DRIVER_OBJECT: 837DCBB8
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0x837DCBB8[0xA8]
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0xE19EBE10[0x1E]
14:50:47:375 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:50:47:375 1732 DetectCureTDL3: IrpHandler (0) addr: F932E218
14:50:47:375 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (2) addr: F932E218
14:50:47:375 1732 DetectCureTDL3: IrpHandler (3) addr: F932E23C
14:50:47:375 1732 DetectCureTDL3: IrpHandler (4) addr: F932E23C
14:50:47:375 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (14) addr: F932E180
14:50:47:375 1732 DetectCureTDL3: IrpHandler (15) addr: F93299E6
14:50:47:375 1732 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (22) addr: F932D5F0
14:50:47:375 1732 DetectCureTDL3: IrpHandler (23) addr: F932BA6E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0xF932AF26[0x400]
14:50:47:375 1732 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
14:50:47:375 1732 TDL3_FileDetect: Processing driver: USBSTOR
14:50:47:375 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:375 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:375 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:50:47:375 1732
14:50:47:375 1732 DetectCureTDL3: DEVICE_OBJECT: 837BD3B0
14:50:47:375 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 837BD3B0
14:50:47:375 1732 DetectCureTDL3: DEVICE_OBJECT: 837DEEA0
14:50:47:375 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 837DEEA0
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0x837DEEA0[0x38]
14:50:47:375 1732 DetectCureTDL3: DRIVER_OBJECT: 837DCBB8
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0x837DCBB8[0xA8]
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0xE19EBE10[0x1E]
14:50:47:375 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:50:47:375 1732 DetectCureTDL3: IrpHandler (0) addr: F932E218
14:50:47:375 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (2) addr: F932E218
14:50:47:375 1732 DetectCureTDL3: IrpHandler (3) addr: F932E23C
14:50:47:375 1732 DetectCureTDL3: IrpHandler (4) addr: F932E23C
14:50:47:375 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (14) addr: F932E180
14:50:47:375 1732 DetectCureTDL3: IrpHandler (15) addr: F93299E6
14:50:47:375 1732 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (22) addr: F932D5F0
14:50:47:375 1732 DetectCureTDL3: IrpHandler (23) addr: F932BA6E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:375 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:375 1732 KLMD_ReadMem: Trying to ReadMemory 0xF932AF26[0x400]
14:50:47:375 1732 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
14:50:47:375 1732 TDL3_FileDetect: Processing driver: USBSTOR
14:50:47:375 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:375 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:390 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:50:47:390 1732
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 837BC3B0
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 837BC3B0
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 837D9320
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 837D9320
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x837D9320[0x38]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT: 837DCBB8
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x837DCBB8[0xA8]
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0xE19EBE10[0x1E]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:50:47:390 1732 DetectCureTDL3: IrpHandler (0) addr: F932E218
14:50:47:390 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (2) addr: F932E218
14:50:47:390 1732 DetectCureTDL3: IrpHandler (3) addr: F932E23C
14:50:47:390 1732 DetectCureTDL3: IrpHandler (4) addr: F932E23C
14:50:47:390 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (14) addr: F932E180
14:50:47:390 1732 DetectCureTDL3: IrpHandler (15) addr: F93299E6
14:50:47:390 1732 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (22) addr: F932D5F0
14:50:47:390 1732 DetectCureTDL3: IrpHandler (23) addr: F932BA6E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0xF932AF26[0x400]
14:50:47:390 1732 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
14:50:47:390 1732 TDL3_FileDetect: Processing driver: USBSTOR
14:50:47:390 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:390 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:47:390 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:50:47:390 1732
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 83BCD8A0
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83BCD8A0
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x83BCD8A0[0x38]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT: 83B97030
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B97030[0xA8]
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4CF50[0x18]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:50:47:390 1732 DetectCureTDL3: IrpHandler (0) addr: F9007BB0
14:50:47:390 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (2) addr: F9007BB0
14:50:47:390 1732 DetectCureTDL3: IrpHandler (3) addr: F9001D1F
14:50:47:390 1732 DetectCureTDL3: IrpHandler (4) addr: F9001D1F
14:50:47:390 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (9) addr: F90022E2
14:50:47:390 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (14) addr: F90023BB
14:50:47:390 1732 DetectCureTDL3: IrpHandler (15) addr: F9005F28
14:50:47:390 1732 DetectCureTDL3: IrpHandler (16) addr: F90022E2
14:50:47:390 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (22) addr: F9003C82
14:50:47:390 1732 DetectCureTDL3: IrpHandler (23) addr: F900899E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:390 1732 TDL3_FileDetect: Processing driver: Disk
14:50:47:390 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:390 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:390 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:50:47:390 1732
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 83BCDC68
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83BCDC68
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x83BCDC68[0x38]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT: 83B97030
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B97030[0xA8]
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4CF50[0x18]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:50:47:390 1732 DetectCureTDL3: IrpHandler (0) addr: F9007BB0
14:50:47:390 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (2) addr: F9007BB0
14:50:47:390 1732 DetectCureTDL3: IrpHandler (3) addr: F9001D1F
14:50:47:390 1732 DetectCureTDL3: IrpHandler (4) addr: F9001D1F
14:50:47:390 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (9) addr: F90022E2
14:50:47:390 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (14) addr: F90023BB
14:50:47:390 1732 DetectCureTDL3: IrpHandler (15) addr: F9005F28
14:50:47:390 1732 DetectCureTDL3: IrpHandler (16) addr: F90022E2
14:50:47:390 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (22) addr: F9003C82
14:50:47:390 1732 DetectCureTDL3: IrpHandler (23) addr: F900899E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:390 1732 TDL3_FileDetect: Processing driver: Disk
14:50:47:390 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:390 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:50:47:390 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:50:47:390 1732
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 83B979C0
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83B979C0
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 83B95F18
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83B95F18
14:50:47:390 1732 DetectCureTDL3: DEVICE_OBJECT: 83B94030
14:50:47:390 1732 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83B94030
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B94030[0x38]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT: 83B40898
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0x83B40898[0xA8]
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0xE1A4BD28[0x1A]
14:50:47:390 1732 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:50:47:390 1732 DetectCureTDL3: IrpHandler (0) addr: F8F146F2
14:50:47:390 1732 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (2) addr: F8F146F2
14:50:47:390 1732 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (14) addr: F8F14712
14:50:47:390 1732 DetectCureTDL3: IrpHandler (15) addr: F8F10852
14:50:47:390 1732 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (22) addr: F8F1473C
14:50:47:390 1732 DetectCureTDL3: IrpHandler (23) addr: F8F1B336
14:50:47:390 1732 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
14:50:47:390 1732 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
14:50:47:390 1732 KLMD_ReadMem: Trying to ReadMemory 0xF8F11864[0x400]
14:50:47:390 1732 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
14:50:47:390 1732 TDL3_FileDetect: Processing driver: atapi
14:50:47:390 1732 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
14:50:47:390 1732 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
14:50:47:453 1732 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
14:50:47:453 1732
14:50:47:453 1732 Completed
14:50:47:453 1732
14:50:47:453 1732 Results:
14:50:47:453 1732 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:50:47:453 1732 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:50:47:453 1732 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:50:47:453 1732
14:50:47:453 1732 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
14:50:47:453 1732 UtilityDeinit: KLMD(ARK) unloaded successfully
-
Can you do the following:
Reopen OTL.exe and Run Scan.
Post the new log that opens. I have to step out for a bit and may not be back for a couple of hours.
Then I'll look at the new log.
Keep me informed of how things are running, please.
-
Forgot to add, with that new log from OTL:
Can you also reopen Malwarebytes Anti-Malware?
Ensure you first check for updates.
Then do a Quick Scan.
If anything is found after the scan, "Remove Selected".
Post the log from MBAM also.
-
Here is the new scan... I really appreciate your help... Google seems fine now... things appear to be running smoothly. Do you think that all of that stuff could have caused my external SimpleTech drive to not function? Although I have had it a few years, and maybe it just crashed. Here is the log...
OTL logfile created on: 1/17/2010 3:16:01 PM - Run 2
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 216.00 Mb Available Physical Memory | 43.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.18 Gb Total Space | 5.62 Gb Free Space | 16.93% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.69 Gb Free Space | 16.90% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 697.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: MAIN
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/01/04 12:01:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/11/25 12:48:38 | 00,991,232 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/09 16:47:34 | 00,049,152 | ---- | M] (M-Audio) -- C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
PRC - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
========== Modules (SafeList) ==========
MOD - [2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2006/11/17 14:18:44 | 00,503,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2006/11/17 14:18:44 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2006/10/24 14:07:54 | 00,184,320 | --S- | M] (Tenebril Inc.) -- C:\WINDOWS\system32\Interceptor.dll
MOD - [2006/10/24 14:07:18 | 00,307,200 | --S- | M] (Tenebril Inc.) -- C:\WINDOWS\system32\InterceptHelper.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- -- (PCTAVSvc)
SRV - File not found [On_Demand | Stopped] -- -- (FirebirdServerMAGIXInstance)
SRV - [2009/12/17 16:36:24 | 00,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/01/04 12:01:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/25 12:48:38 | 00,991,232 | ---- | M] () [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2) SQL Server (SONY_MEDIAMGR2)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2007/01/09 13:38:50 | 00,045,056 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Easy-Hide-IP\services\EasyHideIp.exe -- (EasyHideIP)
SRV - [2005/09/09 16:47:34 | 00,049,152 | ---- | M] (M-Audio) [Auto | Running] -- C:\Program Files\M-Audio MobilePre\Install\MPInst.exe -- (MobilePreInstallerService)
SRV - [2004/05/24 13:23:38 | 00,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/07/28 22:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2008/11/25 12:39:04 | 00,018,560 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlyUsb.sys -- (FlyUsb)
DRV - [2008/10/13 09:35:31 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2008/07/28 17:19:28 | 00,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/12 09:44:10 | 00,021,904 | ---- | M] (PC Tools Research Pty Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AVFilter.sys -- (AVFilter)
DRV - [2007/12/06 14:51:44 | 00,028,568 | ---- | M] (PC Tools Research Pty Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVHook.sys -- (AVHook)
DRV - [2007/12/06 14:51:44 | 00,021,912 | ---- | M] (PC Tools Research Pty Ltd ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVRec.sys -- (AVRec)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/03/07 18:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2005/09/27 07:00:02 | 00,069,920 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TPkd.sys -- (TPkd)
DRV - [2005/09/09 16:47:34 | 00,030,976 | ---- | M] (M-Audio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MA763004.sys -- (ma763004)
DRV - [2005/03/04 11:02:20 | 01,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/10/01 02:08:38 | 00,018,048 | R--- | M] (CASIO COMPUTER CO., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pl40rwdm.sys -- (PL-40R)
DRV - [2004/08/20 16:26:00 | 00,737,874 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/02/11 23:04:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/02/04 20:28:00 | 00,134,144 | ---- | M] (Copyright © VIA/S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/01/02 23:05:48 | 00,011,520 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/01/02 22:20:40 | 00,432,000 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/12/12 09:54:14 | 00,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/02 21:23:20 | 00,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/11/28 17:34:40 | 00,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2003/09/19 03:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/07/18 19:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/07/02 14:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/01/10 09:56:34 | 00,030,921 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SQCaptur.sys -- (DCamUSBSQTECH) Dual-Mode DSC(2770)
DRV - [2002/10/04 20:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 00:43:50 | 00,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/do1productions
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = <local>
========== FireFox ==========
FF - prefs.js..browser.startup.homepage: "http://www.myspace.com/do1productions"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.1
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/15 17:07:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/13 20:16:37 | 00,000,000 | ---D | M]
[2009/09/02 19:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/31 17:29:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\extensions
[2009/10/23 07:14:09 | 00,000,000 | ---D | M] (ReloadEvery) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/09/02 19:15:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2010/01/17 11:52:36 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Value error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [GhostSurf Reminder] C:\Program Files\GhostSurf 2007 Platinum\Privacy Control Center.exe (Tenebril Inc.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe ()
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; Mozilla\4.0 ( File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRunBackup = -1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - File not found
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Value error. File not found
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://www.taxsimple.org/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB (TSEasyInstallX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.3 64.233.217.5
O20 - AppInit_DLLs: (C:\WINDOWS\system32\Interceptor.dll) - C:\WINDOWS\system32\Interceptor.dll (Tenebril Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 03:03:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/11 18:42:57 | 00,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (SsiEfr.ex) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/01/17 14:50:01 | 00,176,392 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/01/17 12:36:58 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/17 11:05:13 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/17 11:05:13 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/17 11:05:13 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/17 11:05:13 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/17 11:03:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/17 11:01:26 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/16 23:03:59 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/16 16:30:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/13 20:29:23 | 00,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/12/28 21:00:40 | 00,000,000 | ---D | C] -- C:\Program Files\Nick Jr. Arcade
[2009/12/27 21:56:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVS4YOU
[2009/12/27 21:56:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/12/27 21:53:17 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3a.dll
[2009/12/27 21:53:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia
[2009/12/27 21:53:16 | 00,000,000 | ---D | C] -- C:\Program Files\AVS4YOU
[2009/12/25 23:17:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\movtoavi
[2009/12/25 22:15:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/12/25 17:54:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RCA easyRip
[2009/10/19 01:05:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/03/07 16:42:54 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/08/18 16:59:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/10/21 16:56:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/21 16:56:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/10/21 16:56:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/08/30 01:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2006/08/30 01:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2006/05/10 14:37:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2006/05/02 20:54:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/01/17 14:49:51 | 00,152,401 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/01/17 14:25:18 | 00,039,424 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\week_of_010410_blog.doc
[2010/01/17 13:28:43 | 00,100,908 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2010/01/17 11:53:17 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/17 11:53:01 | 00,000,315 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/17 11:52:36 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/17 11:51:51 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/17 11:51:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/17 11:50:19 | 13,893,632 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/01/17 11:50:19 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/17 10:59:38 | 03,827,754 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/16 13:33:16 | 00,035,430 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\virus.html
[2010/01/15 16:55:49 | 02,111,356 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/01/14 11:35:04 | 00,000,187 | ---- | M] () -- C:\WINDOWS\sc.INI
[2010/01/13 20:30:48 | 00,000,790 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2010/01/13 20:28:41 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/01/13 20:28:41 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/01/13 08:44:14 | 00,176,392 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/01/13 07:57:00 | 00,000,332 | ---- | M] () -- C:\WINDOWS\beatbox.INI
[2010/01/13 07:57:00 | 00,000,028 | ---- | M] () -- C:\WINDOWS\robota.INI
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/27 13:57:14 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2009/12/25 22:22:54 | 03,141,944 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GEDC0024.avi
[2009/12/25 22:22:00 | 01,622,708 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GEDC0012.avi
[2009/12/25 19:02:22 | 00,000,097 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2009/12/22 20:39:00 | 00,011,497 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AccessCards.pdf
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/01/17 14:49:49 | 00,152,401 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/01/17 14:25:18 | 00,039,424 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\week_of_010410_blog.doc
[2010/01/17 13:28:43 | 00,100,908 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2010/01/17 11:52:48 | 00,000,570 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Audiograbber.lnk
[2010/01/17 11:52:48 | 00,000,565 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FL Studio 7.lnk
[2010/01/17 11:05:13 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/17 11:05:13 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/17 11:05:13 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/17 11:05:13 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/17 11:05:13 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/17 10:59:34 | 03,827,754 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/01/16 16:30:40 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/01/16 13:33:14 | 00,035,430 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\virus.html
[2010/01/13 20:30:48 | 00,000,790 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2010/01/05 15:44:57 | 13,893,632 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2009/12/25 22:22:15 | 03,141,944 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GEDC0024.avi
[2009/12/25 22:21:40 | 01,622,708 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GEDC0012.avi
[2009/12/22 20:38:55 | 00,011,497 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AccessCards.pdf
[2009/12/04 18:22:31 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/12/04 18:22:12 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/12/04 18:22:12 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/20 20:48:41 | 00,000,187 | ---- | C] () -- C:\WINDOWS\sc.INI
[2009/02/04 17:47:57 | 00,000,062 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/02/03 22:08:00 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\AVLibrary.dll
[2009/01/06 07:05:59 | 00,000,049 | ---- | C] () -- C:\WINDOWS\netctrl.ini
[2008/12/25 17:39:12 | 00,000,110 | ---- | C] () -- C:\WINDOWS\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
[2008/10/14 06:06:57 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/06/11 10:09:57 | 00,092,544 | ---- | C] () -- C:\WINDOWS\System32\xqnbsyjw.dll
[2008/06/10 21:09:50 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\mgxasio2.dll
[2008/06/10 21:09:06 | 00,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2008/04/30 19:02:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\Wavlbsys.dll
[2008/04/30 19:02:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\Hyperman.dll
[2008/03/17 20:04:31 | 00,000,057 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/09/19 19:02:15 | 00,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/09/13 17:29:18 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2007/08/26 19:10:30 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/15 19:31:36 | 00,000,578 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AutoGK.ini
[2007/08/13 22:38:06 | 00,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007/08/13 18:15:08 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/08/13 18:15:08 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/08/13 15:10:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2007/05/02 06:13:29 | 00,000,035 | ---- | C] () -- C:\WINDOWS\Pt.dll
[2006/05/10 14:37:17 | 00,000,092 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/05/10 14:37:11 | 00,000,339 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/05/10 14:36:04 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2006/05/10 14:34:46 | 00,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2006/05/02 22:02:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2006/05/02 20:54:21 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/05/02 20:54:21 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2006/01/04 14:57:17 | 00,000,046 | ---- | C] () -- C:\WINDOWS\mxcdr.INI
[2005/12/24 11:33:16 | 00,038,912 | ---- | C] () -- C:\WINDOWS\System32\mgxasio.dll
[2005/11/25 15:04:33 | 00,000,046 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/11/25 15:02:55 | 00,000,078 | ---- | C] () -- C:\WINDOWS\TONKA.INI
[2005/08/13 12:25:39 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\richtxt4.dll
[2005/08/13 12:25:39 | 00,000,029 | ---- | C] () -- C:\WINDOWS\pool.ini
[2005/08/04 19:55:20 | 00,000,194 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS
[2005/05/29 17:16:26 | 00,000,960 | ---- | C] () -- C:\WINDOWS\musiceditor.INI
[2005/01/08 18:06:27 | 00,000,021 | ---- | C] () -- C:\WINDOWS\PI4_setup.ini
[2004/12/17 18:18:12 | 00,000,579 | ---- | C] () -- C:\WINDOWS\KA.INI
[2004/12/05 19:44:42 | 00,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/12/05 19:44:42 | 00,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/12/05 19:44:18 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/11/05 23:31:15 | 00,000,317 | ---- | C] () -- C:\WINDOWS\sampler.INI
[2004/11/05 23:31:14 | 00,000,028 | ---- | C] () -- C:\WINDOWS\robota.INI
[2004/11/05 23:31:13 | 00,000,332 | ---- | C] () -- C:\WINDOWS\beatbox.INI
[2004/11/05 23:05:32 | 00,000,338 | ---- | C] () -- C:\WINDOWS\musicmaker.INI
[2004/11/05 22:51:53 | 00,005,937 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2004/11/05 22:51:53 | 00,000,150 | ---- | C] () -- C:\WINDOWS\magix.ini
[2004/10/23 15:48:53 | 00,037,376 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/09/26 17:45:19 | 00,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/09/14 18:46:11 | 00,000,097 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/07/27 23:44:08 | 00,040,960 | ---- | C] () -- C:\WINDOWS\SPARKEY.DLL
[2004/06/08 18:41:12 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/06/08 18:41:12 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/06/08 18:41:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/06/08 18:41:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/06/08 18:41:12 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/06/08 18:41:12 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/04/03 03:18:54 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 02:36:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 02:36:39 | 00,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 19:19:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/04/02 19:18:38 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/04/02 19:18:38 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/04/02 19:17:14 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 19:15:40 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 19:00:40 | 00,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 19:00:02 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/04/02 05:01:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 04:52:33 | 00,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 04:14:52 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 03:43:52 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 03:34:53 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 03:34:53 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 03:34:35 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 03:08:11 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 01:52:53 | 00,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/24 02:33:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/08 01:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/15 17:54:04 | 00,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[1999/07/23 12:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3C6F4669
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9D0F60A0
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCD94695
< End of report >
-
Sorry.. here is the Malwarebytes log..
Malwarebytes' Anti-Malware 1.44
Database version: 3585
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/17/2010 7:46:21 PM
mbam-log-2010-01-17 (19-46-21).txt
Scan type: Quick Scan
Objects scanned: 132675
Time elapsed: 16 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Can you let me know the following:
I see PCTools AV possibly installed; is it running properly and active?
In addition, did you once have Symantec's AV/Internet Security installed and have since removed it?
+ I see the following: Omniquad Total Security
Is this running on your computer? If it is, what protection software does it include?
And one more request, please do an online virus scan
If you have any AV software realtime protections running, temporarily disable it
Then, go to the following link: ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and Scan unwanted applications are checked
- Click Scan (This scan can take a while, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
-
Quote from: guestolo on Jan 17 2010, 08:18 PM
Can you let me know the following:
I see PCTools AV possibly installed; is it running properly and active?
In addition, did you once have Symantec's AV/Internet Security installed and have since removed it?
+ I see the following: Omniquad Total Security
Is this running on your computer? If it is, what protection software does it include?
And one more request, please do an online virus scan
If you have any AV software realtime protections running, temporarily disable it
Then, go to the following link: ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and Scan unwanted applications are checked
- Click Scan (This scan can take a while, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
No... I actually don't have any of the above listed AVs.... It appears that the Windows firewall is now functioning again... I will run the scan soon... Thanks again..
-
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir Win32/Adware.ISearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\LTDKUuvw.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\LTDKUuvw.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\mbioynvx.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\mcntntdl.exe Win32/Adware.ZenoSearch application cleaned by deleting - quarantined
C:\WINDOWS\system32\npc\FNZvri5.exe a variant of Win32/Adware.GooochiBiz application deleted - quarantined
-
Let's try the following
Can you print these instructions, or copy/paste them to an empty notepad file on your desktop
Download and save to your desktop
Norton Removal tool (http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&ssfromlink=true&sprt_cid=1a13409b-29db-4397-a286-9dec49f8e252&seg=hho&ct=us&lg=en&docurl=20080828154508EN)
from the Download link in Step 2 of the link
Don't run it yet
Access your Add and Remove Programs
Close down all web browsers
Uninstall the following
Java™ 6 Update 11
Java™ 6 Update 6
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 6
Compaq Connections
RON Tool Netupbanner
Viewpoint Media Player
Omniquad Total Security
Run the Norton Removal tool on desktop, follow the prompts
You should be prompted to reboot the computer afterwards, if not, reboot manually
Back in Windows
[color="blue"]Updating Java:[/color]
- Download the latest version of Java Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "JRE 6 Update 18".
- Click the "Download" button to the right.
- In the Window that opens, select Windows >> Check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Then from your desktop double-click on jre-6u18-windows-i586-p.exe that you downloaded to install the newest version.
Can you post back here what version of PCTools you had installed
Was it just the PCTools AV or did it include SpywareDoctor?
Here's a link that includes which tools they supply, can you remember which it was
http://www.pctools.com/contact/support/
In addition:
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-
It was quite a while ago..but I think it had Spyware doctor as well. Here is the text...
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
GhostSurf 2007 Platinum
HijackThis 2.0.2
Wise Disk Cleaner 3.74
Wise Registry Cleaner 3 Free 3.82
Java(tm) 6 Update 18
Java Auto Updater
Java DB 10.3.1.4
[color="red"]Out of date Java installed![/color]
Adobe Flash Player 10
Adobe Reader 7.1.0
[color="red"]Out of date Adobe Reader installed![/color]
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
I also noticed when I ran hijack this earlier, a google toolbar and some sort of 3dlife player? I don't use either of those things...
-
I'm trying to figure a good way to rid you of leftovers from PCTools AV
Can you try the following
Download and install PCTools AV free edition from the following link
http://fileforum.betanews.com/detail/PC-Tools-AntiVirus-Free-Edition/1131512968/1
Reboot after installation, back in Windows
Try an uninstallation from Add and Remove Programs
or in Start>>All Programs
After uninstalling, reboot once again
Then run a fresh scan with OTL and post its new log
-
Thanks... I did end up with the Google redirect again yesterday... I'm not sure where it's coming from... I have pop-ups blocked... I do play backgammon in Pogo daily, and do use Google a lot... I found Hitman Pro 3.5 on CNET, which states it does remove the Google redirect virus. It did remove it; it was back in that atapi.sys file. I guess I'll keep Hitman for the 30 day free trial.
Anyway... installed and uninstalled the PC Tools... and ran OTL... here is the log. I do appreciate all of your help..
OTL logfile created on: 1/21/2010 9:25:10 PM - Run 3
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 243.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.18 Gb Total Space | 8.28 Gb Free Space | 24.97% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.69 Gb Free Space | 16.90% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 2.07 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: MAIN
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
[color="#E56717"]========== Processes (SafeList) ==========[/color]
PRC - [2010/01/18 05:23:56 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/01/11 15:21:52 | 00,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/09 16:47:34 | 00,049,152 | ---- | M] (M-Audio) -- C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
PRC - [2004/08/20 15:55:14 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2004/05/24 13:23:38 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2004/05/24 13:22:06 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
[color="#E56717"]========== Modules (SafeList) ==========[/color]
MOD - [2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[color="#E56717"]========== Win32 Services (SafeList) ==========[/color]
SRV - File not found [On_Demand | Stopped] -- -- (FirebirdServerMAGIXInstance)
SRV - [2010/01/18 05:23:56 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/17 16:36:24 | 00,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2008/11/25 12:48:38 | 00,991,232 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2) SQL Server (SONY_MEDIAMGR2)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2007/01/09 13:38:50 | 00,045,056 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Easy-Hide-IP\services\EasyHideIp.exe -- (EasyHideIP)
SRV - [2005/09/09 16:47:34 | 00,049,152 | ---- | M] (M-Audio) [Auto | Running] -- C:\Program Files\M-Audio MobilePre\Install\MPInst.exe -- (MobilePreInstallerService)
SRV - [2004/05/24 13:23:38 | 00,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/07/28 22:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)
[color="#E56717"]========== Driver Services (SafeList) ==========[/color]
DRV - [2008/11/25 12:39:04 | 00,018,560 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlyUsb.sys -- (FlyUsb)
DRV - [2008/10/13 09:35:31 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2008/07/28 17:19:28 | 00,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/03/07 18:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2005/09/27 07:00:02 | 00,069,920 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TPkd.sys -- (TPkd)
DRV - [2005/09/09 16:47:34 | 00,030,976 | ---- | M] (M-Audio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MA763004.sys -- (ma763004)
DRV - [2005/03/04 11:02:20 | 01,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/10/01 02:08:38 | 00,018,048 | R--- | M] (CASIO COMPUTER CO., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pl40rwdm.sys -- (PL-40R)
DRV - [2004/08/20 16:26:00 | 00,737,874 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/02/11 23:04:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/02/04 20:28:00 | 00,134,144 | ---- | M] (Copyright © VIA/S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/01/02 23:05:48 | 00,011,520 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/01/02 22:20:40 | 00,432,000 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/12/12 09:54:14 | 00,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/02 21:23:20 | 00,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/11/28 17:34:40 | 00,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2003/09/19 03:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/07/18 19:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/07/02 14:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/01/10 09:56:34 | 00,030,921 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SQCaptur.sys -- (DCamUSBSQTECH) Dual-Mode DSC(2770)
DRV - [2002/10/04 20:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 00:43:50 | 00,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
[color="#E56717"]========== Standard Registry (SafeList) ==========[/color]
[color="#E56717"]========== Internet Explorer ==========[/color]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/do1productions
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = <local>
[color="#E56717"]========== FireFox ==========[/color]
FF - prefs.js..browser.startup.homepage: "http://www.myspace.com/do1productions"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.1
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/15 17:07:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/18 05:24:26 | 00,000,000 | ---D | M]
[2009/09/02 19:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/31 17:29:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\extensions
[2009/10/23 07:14:09 | 00,000,000 | ---D | M] (ReloadEvery) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tto1zyqv.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2010/01/18 05:24:32 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2010/01/17 11:52:36 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Value error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; Mozilla\4.0 ( File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRunBackup = -1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - File not found
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Value error. File not found
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://www.taxsimple.org/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB (TSEasyInstallX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.3 64.233.217.5
O20 - AppInit_DLLs: (c:\windows\system32\interceptor.dll) - C:\WINDOWS\System32\interceptor.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 03:03:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/11 18:42:57 | 00,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (SsiEfr.ex) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
[color="#E56717"]========== Files/Folders - Created Within 30 Days ==========[/color]
[2010/01/21 12:48:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/01/21 12:48:03 | 00,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/01/20 21:44:16 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/01/19 11:54:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\allthatchordssaved
[2010/01/19 11:12:52 | 00,000,000 | ---D | C] -- C:\Program Files\All That Chords!
[2010/01/18 05:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/01/18 05:24:26 | 00,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/18 05:24:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/18 05:24:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/18 05:24:26 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/18 04:49:52 | 00,793,200 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Owner\Desktop\Norton_Removal_Tool.exe
[2010/01/17 14:50:01 | 00,176,392 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/01/17 12:36:58 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/17 11:05:13 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/17 11:05:13 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/17 11:05:13 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/17 11:05:13 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/17 11:03:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/17 11:01:26 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/16 23:03:59 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/16 16:30:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/13 20:29:23 | 00,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2010/01/13 10:33:23 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/28 21:00:40 | 00,000,000 | ---D | C] -- C:\Program Files\Nick Jr. Arcade
[2009/12/27 21:56:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVS4YOU
[2009/12/27 21:56:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/12/27 21:53:17 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3a.dll
[2009/12/27 21:53:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia
[2009/12/27 21:53:16 | 00,000,000 | ---D | C] -- C:\Program Files\AVS4YOU
[2009/12/25 23:17:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\movtoavi
[2009/12/25 22:15:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/12/25 17:54:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RCA easyRip
[2009/10/19 01:05:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/03/07 16:42:54 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/08/18 16:59:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/10/21 16:56:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/21 16:56:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/10/21 16:56:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/08/30 01:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2006/08/30 01:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2006/05/10 14:37:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2006/05/02 20:54:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[color="#E56717"]========== Files - Modified Within 30 Days ==========[/color]
[2010/01/21 21:24:36 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/21 21:23:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/21 21:23:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/21 21:22:13 | 13,893,632 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/01/21 21:22:13 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/21 13:05:40 | 00,000,370 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/01/21 12:48:40 | 00,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/01/21 12:48:05 | 00,001,692 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/01/20 23:41:57 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/01/20 11:38:29 | 00,000,032 | ---- | M] () -- C:\WINDOWS\System32\use_atc.dat
[2010/01/19 11:12:53 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\All That Chords!.lnk
[2010/01/19 11:11:47 | 00,115,731 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\chordswheel.JPG
[2010/01/18 23:33:04 | 02,641,188 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/01/18 05:25:30 | 00,843,187 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
[2010/01/18 05:23:55 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/18 05:23:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/18 05:23:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/18 05:23:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/18 05:23:55 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/18 05:08:45 | 00,001,089 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/18 05:08:45 | 00,000,315 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/18 05:08:45 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/18 04:49:53 | 00,793,200 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Owner\Desktop\Norton_Removal_Tool.exe
[2010/01/18 02:10:22 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/17 13:28:43 | 00,100,908 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2010/01/17 11:52:36 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/17 10:59:38 | 03,827,754 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/01/16 23:04:01 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/16 13:33:16 | 00,035,430 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\virus.html
[2010/01/14 11:35:04 | 00,000,187 | ---- | M] () -- C:\WINDOWS\sc.INI
[2010/01/13 20:30:48 | 00,000,790 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2010/01/13 20:28:41 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/01/13 20:28:41 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/01/13 08:44:14 | 00,176,392 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/01/13 07:57:00 | 00,000,332 | ---- | M] () -- C:\WINDOWS\beatbox.INI
[2010/01/13 07:57:00 | 00,000,028 | ---- | M] () -- C:\WINDOWS\robota.INI
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/27 13:57:14 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2009/12/25 22:22:54 | 03,141,944 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GEDC0024.avi
[2009/12/25 22:22:00 | 01,622,708 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GEDC0012.avi
[2009/12/25 19:02:22 | 00,000,097 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/01/21 13:05:40 | 00,000,370 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010/01/21 12:48:40 | 00,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/01/21 12:48:05 | 00,001,692 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/01/19 21:35:21 | 13,893,632 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/01/19 11:12:58 | 00,000,032 | ---- | C] () -- C:\WINDOWS\System32\use_atc.dat
[2010/01/19 11:12:53 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\All That Chords!.lnk
[2010/01/19 11:11:47 | 00,115,731 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\chordswheel.JPG
[2010/01/18 05:25:26 | 00,843,187 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
[2010/01/17 13:28:43 | 00,100,908 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2010/01/17 11:52:48 | 00,000,565 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FL Studio 7.lnk
[2010/01/17 11:05:13 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/17 11:05:13 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/17 11:05:13 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/17 11:05:13 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/17 11:05:13 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/17 10:59:34 | 03,827,754 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/01/16 16:30:40 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/01/16 13:33:14 | 00,035,430 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\virus.html
[2010/01/13 20:30:48 | 00,000,790 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2009/12/25 22:22:15 | 03,141,944 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GEDC0024.avi
[2009/12/25 22:21:40 | 01,622,708 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GEDC0012.avi
[2009/12/04 18:22:31 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/12/04 18:22:12 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/12/04 18:22:12 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/02/20 20:48:41 | 00,000,187 | ---- | C] () -- C:\WINDOWS\sc.INI
[2009/02/04 17:47:57 | 00,000,062 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/02/03 22:08:00 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\AVLibrary.dll
[2009/01/06 07:05:59 | 00,000,049 | ---- | C] () -- C:\WINDOWS\netctrl.ini
[2008/12/25 17:39:12 | 00,000,110 | ---- | C] () -- C:\WINDOWS\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
[2008/10/14 06:06:57 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/06/11 10:09:57 | 00,092,544 | ---- | C] () -- C:\WINDOWS\System32\xqnbsyjw.dll
[2008/06/10 21:09:50 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\mgxasio2.dll
[2008/06/10 21:09:06 | 00,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2008/04/30 19:02:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\Wavlbsys.dll
[2008/04/30 19:02:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\Hyperman.dll
[2008/03/17 20:04:31 | 00,000,057 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/09/19 19:02:15 | 00,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/09/13 17:29:18 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2007/08/26 19:10:30 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/15 19:31:36 | 00,000,578 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AutoGK.ini
[2007/08/13 22:38:06 | 00,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007/08/13 18:15:08 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/08/13 18:15:08 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/08/13 15:10:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2007/05/02 06:13:29 | 00,000,035 | ---- | C] () -- C:\WINDOWS\Pt.dll
[2006/05/10 14:37:17 | 00,000,092 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/05/10 14:37:11 | 00,000,339 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/05/10 14:36:04 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2006/05/10 14:34:46 | 00,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2006/05/02 22:02:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2006/05/02 20:54:21 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/05/02 20:54:21 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2006/01/04 14:57:17 | 00,000,046 | ---- | C] () -- C:\WINDOWS\mxcdr.INI
[2005/12/24 11:33:16 | 00,038,912 | ---- | C] () -- C:\WINDOWS\System32\mgxasio.dll
[2005/11/25 15:04:33 | 00,000,046 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/11/25 15:02:55 | 00,000,078 | ---- | C] () -- C:\WINDOWS\TONKA.INI
[2005/08/13 12:25:39 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\richtxt4.dll
[2005/08/13 12:25:39 | 00,000,029 | ---- | C] () -- C:\WINDOWS\pool.ini
[2005/08/04 19:55:20 | 00,000,194 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS
[2005/05/29 17:16:26 | 00,000,960 | ---- | C] () -- C:\WINDOWS\musiceditor.INI
[2005/01/08 18:06:27 | 00,000,021 | ---- | C] () -- C:\WINDOWS\PI4_setup.ini
[2004/12/17 18:18:12 | 00,000,579 | ---- | C] () -- C:\WINDOWS\KA.INI
[2004/12/05 19:44:42 | 00,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/12/05 19:44:42 | 00,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/12/05 19:44:18 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/11/05 23:31:15 | 00,000,317 | ---- | C] () -- C:\WINDOWS\sampler.INI
[2004/11/05 23:31:14 | 00,000,028 | ---- | C] () -- C:\WINDOWS\robota.INI
[2004/11/05 23:31:13 | 00,000,332 | ---- | C] () -- C:\WINDOWS\beatbox.INI
[2004/11/05 23:05:32 | 00,000,338 | ---- | C] () -- C:\WINDOWS\musicmaker.INI
[2004/11/05 22:51:53 | 00,005,937 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2004/11/05 22:51:53 | 00,000,150 | ---- | C] () -- C:\WINDOWS\magix.ini
[2004/10/23 15:48:53 | 00,037,376 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/09/26 17:45:19 | 00,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/09/14 18:46:11 | 00,000,097 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/07/27 23:44:08 | 00,040,960 | ---- | C] () -- C:\WINDOWS\SPARKEY.DLL
[2004/06/08 18:41:12 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/06/08 18:41:12 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/06/08 18:41:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/06/08 18:41:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/06/08 18:41:12 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/06/08 18:41:12 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/04/03 03:18:54 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 02:36:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 02:36:39 | 00,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 19:19:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/04/02 19:18:38 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/04/02 19:18:38 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/04/02 19:17:14 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 19:15:40 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 19:00:40 | 00,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 19:00:02 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/04/02 05:01:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 04:52:33 | 00,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 04:14:52 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 03:43:52 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 03:34:53 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 03:34:53 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 03:34:35 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 03:08:11 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 01:52:53 | 00,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/24 02:33:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/08 01:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/15 17:54:04 | 00,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[1999/07/23 12:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3C6F4669
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9D0F60A0
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCD94695
< End of report >
-
Please still do the following
Uninstall older copy of Java
Java DB 10.3.1.4 from Add/Remove programs
In addition, you should uninstall your out of date version of Adobe Reader
We'll update it in a bit
Remove>>Adobe Reader 7.1.0
Double click on OTL.exe and run it. Under the Custom Scans/Fixes box at the bottom, copy/paste in the following from the quote box below. Don't include the word Quote please
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Value error. File not found
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - File not found
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Value error. File not found
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - File not found
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe (Reg Error: Key error.)
:Commands
[EmptyTemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
On startup, Allow OTL to run if prompted
A log should open, can you post it please
A copy of this log can also be found in
C:\_OTL\Moved Files folder
Updating Adobe Reader
You can get the latest version from this link
http://get.adobe.com/reader/
NOTE: UNTICK the optional install of Google Toolbar or McAfee Security Scan
unless you prefer to install either, but they are not needed
With that fix log from OTL
Can you also do the following
Download GMER from here:
http://www.gmer.net/files.php
Unzip it to the Desktop.
Open the program - you should see the Rootkit / Malware tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Important: Close any open programs/windows!
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
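An added example, not code from the thread, from OTL or from any poster: a small Python triage pass over the OTL file records ([date | size | attrs | M/C] (company) -- path) and the @Alternate Data Stream lines in the format of the log posted above, listing the entries a helper would look at first. The sample lines are copied from this thread's log; the report date of 2010/01/21 is an assumption taken from the log's latest timestamp.

```python
"""Triage pass over OTL file-listing and Alternate Data Stream lines.
Added example, not OTL's own code. SAMPLE_LINES are copied from this thread's
log; the report date used for the 'recent' window is an assumption."""
import re
from datetime import datetime, timedelta

# [2010/01/21 12:48:40 | 00,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHS-]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
# @Alternate Data Stream - 131 bytes -> C:\...\Application Data\TEMP:3C6F4669
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")
EXEC_EXT = (".sys", ".dll", ".exe", ".cpl", ".scr")

def parse_line(line):
    """Return a dict for a file or ADS record, None for headers and other text."""
    m = FILE_RE.match(line)
    if m:
        return {"type": "file", "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),  # "00,015,944" -> 15944
                "attrs": m["attrs"],                      # R/H/S flags, '-' where unset
                "kind": m["kind"],                        # M = modified list, C = created list
                "company": m["company"], "path": m["path"]}  # company from version resource, may be ""
    m = ADS_RE.match(line)
    if m:
        return {"type": "ads", "size": int(m["size"]), "path": m["path"], "stream": m["stream"]}
    return None

def triage(lines, report_date, recent_days=14):
    """Return (reason, path) pairs for a helper's first look. A hit is a review item,
    not a verdict: a legitimate tool driver like hitmanpro35.sys lands here too."""
    cutoff = report_date - timedelta(days=recent_days)
    flagged = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        if rec["type"] == "ads":
            flagged.append(("alternate data stream", rec["path"] + ":" + rec["stream"]))
            continue
        low = rec["path"].lower()
        if rec["company"] or not low.startswith("c:\\windows\\") or not low.endswith(EXEC_EXT):
            continue  # named vendor, outside the Windows tree, or not an executable type
        if rec["ts"] >= cutoff:
            flagged.append(("recent binary with no company name in Windows dir", rec["path"]))
        elif "H" in rec["attrs"] or "S" in rec["attrs"]:
            flagged.append(("hidden/system binary with no company name", rec["path"]))
    return flagged

SAMPLE_LINES = [  # copied from the OTL log posted in this thread
    r"[2010/01/21 12:48:40 | 00,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys",
    r"[2010/01/18 05:23:55 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll",
    r"[2010/01/18 05:08:45 | 00,000,281 | RHS- | M] () -- C:\boot.ini",
    r"[2005/08/04 19:55:20 | 00,000,194 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS",
    r"@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3C6F4669",
    "< End of report >",
]

def run_sample():
    """Triage SAMPLE_LINES with 2010/01/21 (the log's latest timestamp) assumed as report date."""
    return triage(SAMPLE_LINES, datetime(2010, 1, 21))
```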
-
Ok... I did everything you said....no log from Gmer...it found nothing. Here are the OTL results..
All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page_bak| /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8828075D-D097-4055-AA02-2DBFA9D85E8A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8828075D-D097-4055-AA02-2DBFA9D85E8A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{97809617-3937-4F84-B335-9BB05EF1A8D4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97809617-3937-4F84-B335-9BB05EF1A8D4}\ not found.
Starting removal of ActiveX control {D4323BF2-006A-4440-A2F5-27E3E7AB25F8}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Administrator.MAIN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
User: LocalService
->Temp folder emptied: 66083 bytes
->Temporary Internet Files folder emptied: 469 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes
User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1463257 bytes
->Java cache emptied: 51129793 bytes
->FireFox cache emptied: 94570240 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2271586 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1480285 bytes
Total Files Cleaned = 147.00 mb
OTL by OldTimer - Version 3.1.25.2 log created on 01252010_214633
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
-
How are things running on your end now?
-
[quote name='guestolo' post='467684' date='Jan 28 2010, 12:05 AM']How are things running on your end now?[/quote]
thank you so much for your help....things are running smoothly. Again...Much appreciated!!
-
Can you do the following
Go to START>RUN>Copy/paste the following:
ComboFix /uninstall
This will uninstall ComboFix and its components
I would add SpywareBlaster to your set of protection software
it does not run in the background but helps to silently protect your system
SpywareBlaster by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
At the link you can read more about it if you like then continue with
Free Download on the right>>Continue Download at next page
Basically it will:
* Block bad ActiveX Controls
* Block malevolent cookies in Internet Explorer and Firefox
* Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
IMPORTANT>>"Check for updates every couple of weeks or so"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection
To properly remove OTL.exe
Double click OTL.exe.
- Click the CleanUp button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
What do you plan on doing with HitMan Pro?
It's not as secure as a realtime scanning engine from an AntiVirus software
Do you need a free solution that is not a trial?