
I have just removed a virus - need expert help to be declared clean


  • This topic is locked

#1 paroariax (Member, 13 posts)
Hi

I have just removed the Black Internet virus from my system by following the discussion and solution outlined here (note: use this link [anonymized using pagewash.com] to get past the unregistered user page view limit).

Summary of virus I removed
  • At a high level, it's an adspam downloader/trojan that runs using multiple background iexplore.exe processes
  • Periodically set the WAVE output volume to zero.
  • Suspect traffic showing up in Wireshark.
  • Does not appear to modify DNS routing (wireshark confirmed DNS requests still sent to 192.168.0.1)
  • iexplore.exe processes were executed by fake services.exe and smss.exe located in "C:\System Volume Information\Microsoft"
  • services.exe and smss.exe couldn't be removed through Windows because access is denied to the "C:\System Volume Information" folder.
  • At a low level, the virus modifies the MBR to restore the services.exe and smss.exe, and execute them on Windows boot-up.
  • None of the anti-malware tools were able to detect it, presumably because it was too new.
  • AVG detected services.exe and smss.exe when the malware scanners tried to access them, but wasn't able to remove them.
Steps I took to remove the virus (as suggested by the thread I linked to)
  • Fixed the MBR using a Grub boot disk (as I don't have access to the Windows Recovery Console).
  • Removed the fake services.exe and smss.exe using a Live CD.
  • Rebooted to Windows.
  • Fake services.exe and smss.exe were no longer running.
  • iexplore.exe processes were no longer running.
  • Did a full AVG scan, nothing found.
  • No more suspect traffic showing up in Wireshark.
  • DNS routing still appears OK in Wireshark.
  • Rebooted into Live CD, checked that fake services.exe and smss.exe were definitely still gone.
What I would like help with now is being declared clean. I have read the Malware and Spyware Cleaning Guide, and I have most of the requested outputs ready. However, I had trouble running GMER, as it kept crashing when I left it overnight. I have the Dr Watson report that was generated by the crash, but it's quite large (308 KB) so I won't post it unless requested.

Note that I was unable to terminate AVG 9 before running any of the scans, as AVG 9 no longer has a way to properly shut it down (that I can find). I don't know if that's what caused the GMER crash or not.

Index of outputs I have posted below
-Keith.

Edited by paroariax, 14 July 2010 - 10:59 AM.

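The symptom described in the post above (copies of core Windows process names such as services.exe and smss.exe running from a non-standard directory, and spawning background iexplore.exe processes) can be turned into a simple verification check. The following is an added example, not code from the poster or from any of the tools mentioned in the thread: it audits a process list for core process names whose image path is outside %SystemRoot%\system32, for anything launched from under "System Volume Information", and for children of such processes. The process list, the pids and the `Proc` record type are constructed for illustration; on a real machine the same data would come from a process listing tool.

```python
"""Added example: flag core Windows process names running from unexpected
locations, and the processes they spawned.  The sample process list below
is constructed for this example and is not taken from the poster's machine."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Core processes that, on a healthy Windows XP install, run only from
# %SystemRoot%\system32 (assumed here to be C:\WINDOWS\system32).
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
EXPECTED_DIR = r"c:\windows\system32"
# Directories from which no legitimate process should ever be launched.
FORBIDDEN_DIRS = (r"c:\system volume information",)


@dataclass(frozen=True)
class Proc:
    """Hypothetical process record: pid, parent pid and full image path."""
    pid: int
    ppid: int
    path: str


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def audit(procs: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for every process that looks suspicious.

    Pass 1 flags processes by image path; pass 2 flags processes whose
    parent was flagged, which is how the hidden iexplore.exe instances in
    the post would show up (spawned by the fake services.exe)."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, list[str]] = {}

    for p in procs:
        path = _norm(p.path)
        name = ntpath.basename(path)
        directory = ntpath.dirname(path)
        reasons = []
        if name in CORE_PROCESSES and directory != EXPECTED_DIR:
            reasons.append(f"core process name {name} outside {EXPECTED_DIR}")
        if any(path.startswith(d + "\\") for d in FORBIDDEN_DIRS):
            reasons.append("image located under System Volume Information")
        if reasons:
            findings[p.pid] = reasons

    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.pid in findings and p.pid not in findings:
            pname = ntpath.basename(_norm(parent.path))
            findings[p.pid] = [f"spawned by suspicious parent pid {parent.pid} ({pname})"]
    return findings


# Constructed sample: a normal boot chain plus a fake smss.exe/services.exe
# pair living under System Volume Information that spawn two iexplore.exe.
SAMPLE_PROCS = [
    Proc(368, 4, r"C:\WINDOWS\system32\smss.exe"),
    Proc(620, 368, r"C:\WINDOWS\system32\services.exe"),
    Proc(1480, 620, r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1900, 1480, r"C:\WINDOWS\explorer.exe"),
    Proc(2044, 1900, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2300, 1900, r"C:\System Volume Information\Microsoft\smss.exe"),
    Proc(2312, 2300, r"C:\System Volume Information\Microsoft\services.exe"),
    Proc(2400, 2312, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2404, 2312, r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(audit(SAMPLE_PROCS).items()):
        print(pid, "->", "; ".join(reasons))
```

The check deliberately keys on image path rather than process name alone, because the fake copies carried legitimate names; the user-launched iexplore.exe under explorer.exe (pid 2044 in the sample) is not flagged, while the two launched by the fake services.exe are.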


#2 paroariax (Topic Starter, Member, 13 posts)
OTL - OTL.Txt

OTL logfile created on: 06/07/2010 20:24:26 - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Downloads\Troubleshooting\Spyware and Malware scanners\OTL by OldTimer
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 220.86 Gb Total Space | 174.57 Gb Free Space | 79.04% Space Free | Partition Type: NTFS
Drive D: | 12.00 Gb Total Space | 6.70 Gb Free Space | 55.85% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive J: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive L: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive O: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive P: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive S: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive T: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive W: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS

Computer Name: KEITHHP
Current User Name: Keith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/01 12:19:18 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Downloads\Troubleshooting\Spyware and Malware scanners\OTL by OldTimer\OTL.exe
PRC - [2010/06/29 19:22:55 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/06/29 19:22:53 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/06/29 19:22:53 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/06/29 19:22:51 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/06/29 19:22:31 | 000,921,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/06/29 19:22:30 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/06/29 19:22:30 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/06/29 19:22:29 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/06/29 14:09:54 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/06/29 14:09:53 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/03/26 00:54:16 | 000,080,384 | ---- | M] () -- C:\Program Files\Bazaar\tbzrcache.exe
PRC - [2010/03/25 00:29:08 | 000,164,352 | ---- | M] () -- c:\altera\91sp2\quartus\bin\jtagserver.exe
PRC - [2009/08/19 11:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 11:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/08/08 01:23:08 | 000,256,512 | ---- | M] (SafeBoot International) -- C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
PRC - [2008/07/23 13:08:16 | 000,065,808 | ---- | M] (Bioscrypt Inc.) -- C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe
PRC - [2008/07/19 11:40:58 | 002,054,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2008/07/19 11:40:52 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/07 16:10:52 | 000,576,024 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
PRC - [2007/11/28 02:42:12 | 000,093,736 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe
PRC - [2007/01/05 04:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/13 14:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 14:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2004/05/02 18:02:51 | 000,062,464 | ---- | M] (Elias Fotinis) -- C:\Program Files\DeskPins\DeskPins.exe
PRC - [2001/09/21 17:07:00 | 000,472,064 | ---- | M] (Greatis Software) -- C:\Program Files\GreatisSoft\RegRun2\WatchDog.exe


========== Modules (SafeList) ==========

MOD - [2010/07/01 12:19:18 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Downloads\Troubleshooting\Spyware and Malware scanners\OTL by OldTimer\OTL.exe
MOD - [2008/07/23 13:03:28 | 000,076,048 | ---- | M] (Bioscrypt Inc.) -- C:\WINDOWS\system32\APSHook.dll
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (0231881253519503mcinstcleanup) McAfee Application Installer Cleanup (0231881253519503)
SRV - [2010/06/29 19:22:51 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/29 19:22:31 | 000,921,440 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/06/29 14:09:53 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/25 00:29:08 | 000,164,352 | ---- | M] () [Auto | Running] -- c:\altera\91sp2\quartus\bin\jtagserver.exe -- (JTAGServer)
SRV - [2010/02/23 14:04:34 | 000,369,920 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2009/10/20 19:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/08/20 02:03:42 | 000,032,768 | ---- | M] (Hewlett-Packard Development Company, L.P) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe -- (HP ProtectTools Service)
SRV - [2008/08/08 01:23:08 | 000,256,512 | ---- | M] (SafeBoot International) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe -- (HpFkCryptService)
SRV - [2008/07/23 13:03:38 | 000,158,992 | ---- | M] (Bioscrypt Inc.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll -- (ASBroker)
SRV - [2008/07/23 13:03:32 | 000,137,488 | ---- | M] (Bioscrypt Inc.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll -- (ASChannel)
SRV - [2008/07/19 11:40:58 | 002,054,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®
SRV - [2008/07/19 11:40:52 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2008/04/07 16:10:52 | 000,576,024 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
SRV - [2007/11/28 02:42:14 | 000,185,896 | ---- | M] (ActivIdentity) [On_Demand | Stopped] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
SRV - [2007/02/10 14:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2007/02/10 14:29:48 | 000,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/01/05 04:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2005/10/14 11:50:20 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Driver Services (SafeList) ==========

DRV - [2010/06/29 19:22:54 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/29 19:22:53 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/06/29 19:22:31 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/29 19:20:01 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/06/29 14:10:00 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/03/24 21:01:16 | 000,007,680 | ---- | M] (Altera Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\pgdhdlc.sys -- (AlteraByteBlaster)
DRV - [2009/12/22 16:28:07 | 000,040,896 | ---- | M] (SniffUsb/UsbSnoop Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbsnoop.sys -- (usbsnoop) usbsnoop (display)
DRV - [2009/11/18 22:21:28 | 000,057,536 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpdibus.sys -- (TPDIBUS)
DRV - [2009/10/21 21:37:50 | 000,076,288 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2009/10/21 21:37:50 | 000,026,120 | ---- | M] (Rainbow Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (Sntnlusb)
DRV - [2009/10/20 19:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/10/20 06:06:02 | 000,031,872 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CyUSB.sys -- (CyUsb)
DRV - [2009/09/02 13:21:38 | 000,195,424 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2009/08/19 10:47:00 | 000,058,960 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbblstr.sys -- (AlteraUSBBlaster)
DRV - [2009/06/04 19:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2009/03/27 09:03:00 | 006,280,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/08 02:47:50 | 000,051,376 | ---- | M] (SafeBoot N.V.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SbAlg.sys -- (SbAlg)
DRV - [2008/08/08 02:47:46 | 000,012,928 | ---- | M] (SafeBoot International) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SbFsLock.sys -- (SbFsLock)
DRV - [2008/08/08 02:47:44 | 000,012,496 | ---- | M] (SafeBoot International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rsvlock.sys -- (RsvLock)
DRV - [2008/08/08 02:47:42 | 000,109,184 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SafeBoot.sys -- (SafeBoot)
DRV - [2008/07/19 11:40:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2008/06/27 09:46:48 | 006,023,072 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/06/05 12:58:18 | 000,144,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel®
DRV - [2008/05/13 15:33:20 | 000,338,944 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/28 11:14:02 | 000,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO)
DRV - [2007/12/18 10:46:34 | 000,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2007/07/06 13:13:12 | 000,049,032 | ---- | M] (Prism Sound) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\dsloader.sys -- (DSLOADER) Prism Sound dScope Series III - uninitialised (dsloader.sys)
DRV - [2007/05/17 13:45:06 | 000,017,928 | ---- | M] (Prism Sound) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\dsusbdrv.sys -- (DSUSBDRV) Prism Sound dScope Series III (dsusbdrv.sys)
DRV - [2007/03/20 10:33:28 | 000,028,672 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\libusb0.sys -- (libusb0)
DRV - [2006/05/26 12:50:14 | 000,018,560 | ---- | M] (D-Link Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DUBE100B.sys -- (DUBE100B)
DRV - [2004/08/03 18:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/03 18:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 18:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 18:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 18:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 18:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 18:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 18:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 18:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 18:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 18:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 18:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 18:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 18:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 18:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2002/05/08 18:44:42 | 000,105,472 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2002/04/04 06:32:06 | 000,028,416 | R--- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2001/08/17 17:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 17:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 17:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 17:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 08:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E8 D8 8D D4 37 E2 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.11
FF - prefs.js..extensions.enabledItems: [email protected]:1.19
FF - prefs.js..extensions.enabledItems: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}:3.0.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}:1.4.7
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.9
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.98
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.7.4
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..keyword.URL: "http://www.bing.com/...?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/06/29 19:24:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/06/29 19:19:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 18:20:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/14 11:12:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/17 10:54:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/09/25 16:03:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Extensions
[2010/07/06 13:17:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions
[2010/01/19 09:55:57 | 000,000,000 | ---D | M] (All-in-One Sidebar) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
[2009/12/10 10:01:36 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2010/07/06 13:17:09 | 000,000,000 | ---D | M] (Fire.fm) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}
[2010/07/06 13:17:09 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/12/02 13:42:22 | 000,000,000 | ---D | M] (CookieSafe) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
[2010/06/08 10:26:44 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/04/16 09:40:24 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/06/18 18:41:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/04/12 09:10:16 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/12/02 13:42:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\extensions\[email protected]
[2010/04/22 21:53:30 | 000,001,827 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\24dz8ayv.default\searchplugins\bing.xml
[2010/07/06 13:17:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/24 20:10:36 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/24 20:10:36 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/24 20:10:36 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/24 20:10:36 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/06/23 19:34:21 | 000,000,879 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 zdaemon.org
O1 - Hosts: 127.0.0.1 pagewash.com
O1 - Hosts: 127.0.0.1 hidemyass.com
O1 - Hosts: 127.0.0.1 anonymouse.org
O1 - Hosts: 127.0.0.1 zend2.com
O1 - Hosts: 127.0.0.1 torproject.org
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Credential Manager for HP ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll (Bioscrypt Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe (PDF Complete Inc)
O4 - HKLM..\Run: [Process Explorer (added by KDG)] C:\Downloads\Troubleshooting\Process Explorer\procexp.exe (Sysinternals - www.sysinternals.com)
O4 - HKLM..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Regrun2] C:\Program Files\GreatisSoft\RegRun2\WatchDog.exe (Greatis Software)
O4 - HKLM..\RunOnceEx: [Title] File not found
O4 - Startup: C:\Documents and Settings\Keith\Start Menu\Programs\Startup\DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe (Elias Fotinis)
O4 - Startup: C:\Documents and Settings\Keith\Start Menu\Programs\Startup\Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe (Mozilla Corporation)
O4 - Startup: C:\Documents and Settings\Keith\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (APSHook.dll) - C:\WINDOWS\System32\APSHook.dll (Bioscrypt Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - C:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Bioscrypt Inc.)
O24 - Desktop WallPaper: C:\Downloads\Graphics\Wallpaper\Two Turtles Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Downloads\Graphics\Wallpaper\Two Turtles Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/05/01 02:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2004/06/28 09:05:07 | 000,000,000 | ---D | M] - L:\Autotrax -- [ NTFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/12/18 13:06:29 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: SENTINEL - C:\WINDOWS\System32\SNTI386.DLL (Rainbow Technologies, Inc.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/06 18:09:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\inkscape
[2010/07/06 18:05:51 | 000,000,000 | ---D | C] -- C:\Program Files\Inkscape
[2010/06/30 15:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\ImgBurn
[2010/06/30 15:00:04 | 000,000,000 | ---D | C] -- C:\Program Files\ImgBurn
[2010/06/30 09:21:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\My Documents\RegRun2
[2010/06/30 09:21:16 | 000,000,000 | ---D | C] -- C:\Program Files\GreatisSoft
[2010/06/29 19:28:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Local Settings\Application Data\AVG Security Toolbar
[2010/06/29 19:22:53 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/06/29 19:20:01 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/29 19:20:01 | 000,052,872 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/06/29 19:19:58 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/06/29 19:19:55 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/29 19:19:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/06/29 19:19:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/06/29 14:10:18 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/29 14:10:16 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/29 14:08:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/06/29 14:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/06/29 14:08:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/06/28 09:39:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/06/28 09:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\Malwarebytes
[2010/06/28 09:20:23 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/28 09:20:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/28 09:20:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/28 09:20:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/21 13:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\Glensound GS-HL005 Admin
[2010/06/10 16:53:46 | 000,000,000 | ---D | C] -- C:\Backups
[2010/06/07 17:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\Office Genuine Advantage
[2010/06/07 17:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/05/27 09:21:28 | 000,143,360 | ---- | C] (Jungo) -- C:\WINDOWS\System32\wdapi920.dll
[2010/05/25 17:30:51 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/05/25 14:43:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Atmel
[2010/05/25 14:39:13 | 000,000,000 | ---D | C] -- C:\WinAVR-20100110
[2010/05/25 14:37:53 | 000,143,360 | ---- | C] (Jungo) -- C:\WINDOWS\System32\wdapi1001.dll
[2010/05/25 14:37:53 | 000,102,400 | ---- | C] (Jungo) -- C:\WINDOWS\System32\wdapi811.dll
[2010/05/25 14:37:35 | 000,143,360 | ---- | C] (Jungo) -- C:\WINDOWS\System32\wdapi1010.dll
[2010/05/25 14:37:34 | 000,143,360 | ---- | C] (Jungo) -- C:\WINDOWS\System32\wdapi1002.dll
[2010/05/25 14:37:33 | 005,752,320 | ---- | C] (BCGSoft Ltd) -- C:\WINDOWS\System32\BCGCBPRO103090.dll
[2010/05/25 14:37:33 | 004,419,584 | ---- | C] (BCGSoft Ltd) -- C:\WINDOWS\System32\BCGCBPRO10180.dll
[2010/05/25 14:37:32 | 000,073,728 | ---- | C] (Rogue Wave Software Inc) -- C:\WINDOWS\System32\RWUXThemeS.dll
[2010/05/21 21:19:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\SQL9_KB948109_ENU
[2010/05/18 15:00:05 | 000,143,360 | ---- | C] (Jungo) -- C:\WINDOWS\System32\wdapi921.dll
[2010/05/10 10:32:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\Subversion
[2010/05/06 17:49:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\SQL9_KB970895_ENU
[2010/05/05 08:44:03 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/05/04 10:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\atunes
[2010/05/04 10:09:06 | 000,000,000 | ---D | C] -- C:\Program Files\aTunes
[2010/04/30 13:08:31 | 000,000,000 | ---D | C] -- C:\Program Files\CastRipper
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/04/30 08:50:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/04/27 16:59:02 | 000,000,000 | ---D | C] -- C:\Program Files\Glensound DCS-6432
[2010/04/23 18:33:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/04/23 13:54:05 | 000,007,680 | ---- | C] (Altera Corporation) -- C:\WINDOWS\System32\drivers\pgdhdlc.sys
[2010/04/22 19:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\My Documents\My Received Files
[2010/04/22 17:15:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Tracing
[2010/04/22 17:13:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/04/22 17:13:20 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/04/22 17:13:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/04/22 17:13:06 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2010/04/22 17:12:46 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/04/22 17:11:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2010/04/21 10:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\gs
[2010/04/19 18:32:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith\My Documents\AutoHotKey
[2010/04/19 18:30:11 | 000,000,000 | ---D | C] -- C:\Program Files\AutoHotkey
[2010/04/15 09:09:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/12 11:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Bazaar
[2010/04/08 14:23:21 | 000,202,048 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\tpd2xx.dll
[2010/04/08 14:23:21 | 000,057,536 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\tpdibus.sys
[2010/04/08 14:20:58 | 000,000,000 | ---D | C] -- C:\Aarkvark
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/06 19:31:11 | 000,008,139 | ---- | M] () -- C:\Documents and Settings\Keith\.recently-used.xbel
[2010/07/06 18:45:08 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Keith\NTUSER.DAT
[2010/07/06 18:08:37 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Inkscape.lnk
[2010/07/06 18:08:37 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Inkscape.lnk
[2010/07/06 14:10:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/06 10:20:09 | 061,677,838 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/06 09:17:15 | 000,216,218 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/06 09:16:41 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/06 09:16:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/06 09:16:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/06 09:16:13 | 3753,181,184 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/01 10:05:55 | 000,000,252 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/01 09:03:19 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/06/30 15:00:08 | 000,001,546 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\ImgBurn.lnk
[2010/06/30 15:00:08 | 000,001,528 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ImgBurn.lnk
[2010/06/30 10:05:39 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/30 10:05:39 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/06/30 09:21:49 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Regrun2.lnk
[2010/06/29 19:22:54 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/29 19:22:53 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/29 19:22:53 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/06/29 19:22:31 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/06/29 19:20:01 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/06/29 19:20:01 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/06/29 19:19:55 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/06/29 18:55:07 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Keith\ntuser.ini
[2010/06/29 18:55:02 | 000,000,600 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/29 18:55:02 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/06/29 14:10:14 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/29 14:10:00 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/29 14:08:11 | 000,000,885 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/06/29 14:08:11 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/28 09:20:25 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/25 19:48:15 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/25 16:11:48 | 000,567,288 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/25 16:11:48 | 000,488,328 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/25 16:11:48 | 000,088,952 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/23 19:34:36 | 003,175,586 | -H-- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\IconCache.db
[2010/06/21 13:09:30 | 000,001,963 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GS-HL005 Admin.lnk
[2010/06/10 08:37:28 | 000,293,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/09 21:33:52 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/09 18:01:11 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/09 16:47:11 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/01 11:55:36 | 000,000,394 | ---- | M] () -- C:\Documents and Settings\Keith\quartus2.ini
[2010/06/01 10:31:15 | 000,000,440 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Shortcut to F0000004.lnk
[2010/05/26 22:07:15 | 000,000,237 | ---- | M] () -- C:\WINDOWS\DScope.INI
[2010/05/25 09:38:47 | 000,000,464 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\Shortcut to MPI-004 GSM Beltpack.lnk
[2010/05/24 13:15:07 | 000,000,631 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\AVR Studio 4.lnk
[2010/05/18 13:13:38 | 000,001,837 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVR32 Studio.lnk
[2010/05/18 13:11:50 | 000,000,741 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\AVR32 Studio.lnk
[2010/04/30 13:08:32 | 000,000,662 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\CastRipper.lnk
[2010/04/30 12:26:37 | 020,327,027 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\vlc-record-2010-04-30-12h05m27s-Praise On Fire Radio-Michael W. Smith - Forever.mp3
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/23 18:35:56 | 000,000,883 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/04/23 13:54:31 | 000,000,027 | ---- | M] () -- C:\Documents and Settings\Keith\quartus2.qreg
[2010/04/23 13:54:25 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Quartus II 9.1sp2 Web Edition.lnk
[2010/04/21 10:52:03 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
[2010/04/21 03:36:41 | 000,016,924 | ---- | M] () -- C:\Documents and Settings\Keith\qms-bmh3.bmp
[2010/04/21 03:36:40 | 000,016,924 | ---- | M] () -- C:\Documents and Settings\Keith\qms-bmh2.bmp
[2010/04/21 03:36:39 | 000,016,920 | ---- | M] () -- C:\Documents and Settings\Keith\qms-bmh1.bmp
[2010/04/19 18:31:44 | 000,001,352 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\AutoHotkey.ahk
[2010/04/16 09:27:38 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/12 11:53:29 | 000,000,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Bazaar Explorer.lnk
[2010/04/08 14:23:23 | 000,344,782 | ---- | M] () -- C:\WINDOWS\System32\TPUSBUninstaller.exe
[2010/04/08 14:22:11 | 000,000,560 | ---- | M] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Aardvark GUI.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/06 19:31:11 | 000,008,139 | ---- | C] () -- C:\Documents and Settings\Keith\.recently-used.xbel
[2010/07/06 18:08:37 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Inkscape.lnk
[2010/07/06 18:08:37 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Inkscape.lnk
[2010/07/01 09:03:19 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/06/30 15:00:08 | 000,001,546 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\ImgBurn.lnk
[2010/06/30 15:00:08 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ImgBurn.lnk
[2010/06/30 09:21:49 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\Regrun2.lnk
[2010/06/29 19:22:49 | 061,677,838 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/06/29 19:20:01 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/06/29 19:19:55 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/06/29 18:55:48 | 3753,181,184 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/29 14:10:44 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/29 14:08:11 | 000,000,885 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/06/29 14:08:11 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/29 13:52:17 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\Keith\Start Menu\Programs\Startup\Mozilla Thunderbird.lnk
[2010/06/29 13:52:17 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Keith\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
[2010/06/29 13:52:17 | 000,000,694 | ---- | C] () -- C:\Documents and Settings\Keith\Start Menu\Programs\Startup\DeskPins.lnk
[2010/06/28 09:20:25 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/25 19:48:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/21 13:09:30 | 000,001,963 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GS-HL005 Admin.lnk
[2010/06/01 10:31:15 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\Shortcut to F0000004.lnk
[2010/05/25 14:37:32 | 000,290,904 | ---- | C] () -- C:\WINDOWS\System32\vc6-re200l.dll
[2010/05/25 09:38:47 | 000,000,464 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\Shortcut to MPI-004 GSM Beltpack.lnk
[2010/05/25 09:14:10 | 000,000,631 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\AVR Studio 4.lnk
[2010/05/18 13:14:38 | 000,000,741 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\AVR32 Studio.lnk
[2010/05/18 13:13:38 | 000,001,837 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVR32 Studio.lnk
[2010/04/30 15:09:15 | 000,000,662 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\CastRipper.lnk
[2010/04/30 12:05:57 | 020,327,027 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\vlc-record-2010-04-30-12h05m27s-Praise On Fire Radio-Michael W. Smith - Forever.mp3
[2010/04/23 13:54:25 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Quartus II 9.1sp2 Web Edition.lnk
[2010/04/21 10:52:03 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2010/04/19 18:31:44 | 000,001,352 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\AutoHotkey.ahk
[2010/04/12 11:53:29 | 000,000,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Bazaar Explorer.lnk
[2010/04/08 14:23:23 | 000,344,782 | ---- | C] () -- C:\WINDOWS\System32\TPUSBUninstaller.exe
[2010/04/08 14:22:11 | 000,000,560 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\Aardvark GUI.lnk
[2010/04/07 14:02:18 | 000,000,237 | ---- | C] () -- C:\WINDOWS\DScope.INI
[2010/02/01 19:22:02 | 000,000,052 | ---- | C] () -- C:\WINDOWS\cool.ini
[2010/02/01 19:21:13 | 000,000,011 | ---- | C] () -- C:\WINDOWS\wordpad.ini
[2010/01/19 14:13:49 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2009/12/02 23:02:09 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/20 19:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/10/05 07:43:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\MPMapTrace.dll
[2009/10/05 07:07:52 | 000,364,544 | ---- | C] () -- C:\WINDOWS\System32\mpPathan.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/03/27 09:03:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/27 09:03:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/27 09:03:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/27 09:03:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/18 13:07:11 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4964.dll
[2008/12/18 12:41:35 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/18 12:24:05 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/12/18 12:24:05 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/12/18 12:24:05 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/12/18 12:24:05 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/12/18 12:24:05 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/12/18 12:24:05 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/08/08 02:47:42 | 000,109,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\SafeBoot.sys
[2007/11/28 02:41:06 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\aicext.dll
[2006/12/13 17:03:14 | 000,074,240 | ---- | C] () -- C:\WINDOWS\System32\zlibwapi.dll
[2005/04/03 23:30:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\scardsyn.dll
[2002/05/08 11:12:22 | 000,000,840 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[1998/05/07 04:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== LOP Check ==========

[2010/05/25 14:43:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Atmel
[2010/06/29 19:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/06/29 19:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/03/15 18:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/12/18 12:30:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2010/06/29 14:08:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/05/25 14:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\atunes
[2010/03/15 18:18:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\AVG9
[2009/12/02 10:24:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\bazaar
[2010/06/25 19:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Dropbox
[2009/12/22 14:29:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Echo Software
[2010/03/26 21:13:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\GrabIt
[2010/06/18 16:09:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\gtk-2.0
[2010/06/30 15:09:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\ImgBurn
[2010/07/06 18:09:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\inkscape
[2010/06/25 17:36:03 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Keith\Application Data\Microchip
[2009/12/02 14:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\OpenOffice.org
[2008/12/18 12:38:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\SampleView
[2010/05/10 10:32:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Subversion
[2009/12/02 14:19:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Thunderbird
[2010/03/26 14:02:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Wireshark
[2010/07/06 14:10:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/06/29 18:55:02 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/07/06 09:16:13 | 3753,181,184 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/07 17:48:03 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/12/03 16:19:52 | 000,000,828 | ---- | M] () -- C:\MPUsbSIn.log
[2010/04/07 17:48:03 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 03:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/09/25 11:17:41 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/06 09:16:12 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/04/25 11:17:50 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/04/25 11:17:50 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/04/25 11:17:50 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/14 01:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/14 01:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/14 01:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-25 15:12:31

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8B4F37E5
< End of report >



#3
paroariax (Member, Topic Starter, 13 posts)
OTL - Extras.Txt

OTL Extras logfile created on: 06/07/2010 20:24:26 - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Downloads\Troubleshooting\Spyware and Malware scanners\OTL by OldTimer
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 220.86 Gb Total Space | 174.57 Gb Free Space | 79.04% Space Free | Partition Type: NTFS
Drive D: | 12.00 Gb Total Space | 6.70 Gb Free Space | 55.85% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive J: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive L: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive O: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive P: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive S: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive T: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS
Drive W: | 908.88 Gb Total Space | 612.99 Gb Free Space | 67.45% Space Free | Partition Type: NTFS

Computer Name: KEITHHP
Current User Name: Keith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- File not found
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\WINDOWS\SMINST\Scheduler.exe" = C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler -- ()
"C:\Program Files\AVG\AVG8\avgam.exe" = C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe -- File not found
"C:\Program Files\AVG\AVG8\avgdiag.exe" = C:\Program Files\AVG\AVG8\avgdiag.exe:*:Enabled:avgdiag.exe -- File not found
"C:\Program Files\AVG\AVG8\avgdiagex.exe" = C:\Program Files\AVG\AVG8\avgdiagex.exe:*:Enabled:avgdiagex.exe -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\NetBeans 6.7.1\bin\netbeans.exe" = C:\Program Files\NetBeans 6.7.1\bin\netbeans.exe:*:Enabled:netbeans -- ()
"C:\Program Files\NetBeans 6.7.1\mobility8\Java_ME_platform_SDK_3.0\runtimes\cldc-hi-javafx\bin\runMidlet.exe" = C:\Program Files\NetBeans 6.7.1\mobility8\Java_ME_platform_SDK_3.0\runtimes\cldc-hi-javafx\bin\runMidlet.exe:*:Enabled:runMidlet -- ( Sun Microsystems, Inc.)
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\Keith\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Keith\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()
"C:\Program Files\Java\jdk1.6.0_17\jre\bin\java.exe" = C:\Program Files\Java\jdk1.6.0_17\jre\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\ZDaemon\zlauncher.exe" = C:\ZDaemon\zlauncher.exe:*:Enabled:ZDaemon Browser -- File not found
"C:\ZDaemon\zdaemon.exe" = C:\ZDaemon\zdaemon.exe:*:Enabled:zdaemon -- File not found
"G:\Doom\Engines\ZDaemon\zlauncher.exe" = G:\Doom\Engines\ZDaemon\zlauncher.exe:*:Enabled:ZDaemon Browser -- File not found
"G:\Doom\Engines\ZDaemon\zdaemon.exe" = G:\Doom\Engines\ZDaemon\zdaemon.exe:*:Enabled:ZDaemon -- File not found
"C:\ZDaemon\zserv32.exe" = C:\ZDaemon\zserv32.exe:*:Enabled:zserv32 -- File not found
"C:\ZDaemon\zsl\zsllite.exe" = C:\ZDaemon\zsl\zsllite.exe:*:Enabled:ZDaemon Server Launcher -- File not found
"C:\ZDaemon\zsl\ZDSProtocol.exe" = C:\ZDaemon\zsl\ZDSProtocol.exe:*:Enabled:ZDSProtocol -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\launch4j-tmp\aTunes.exe" = C:\Program Files\Java\jre6\launch4j-tmp\aTunes.exe:*:Enabled:Java™ Platform SE binary -- File not found
"C:\Program Files\Atmel\AVR Tools\AVR32 Studio\avr32studio.exe" = C:\Program Files\Atmel\AVR Tools\AVR32 Studio\avr32studio.exe:*:Enabled:avr32studio -- ()
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1296CAF3-F007-4813-A95F-AD153F978DF1}" = AVRStudio4
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24DD7C58-EAC5-41BA-AC05-1EF58525CE44}" = Pocket e-Sword (WM6)
"{252F1DFB-80C1-45B8-B325-B5D412C5437F}" = dScope Series III
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160170}" = Java™ SE Development Kit 6 Update 17
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager
"{3FD077A9-D8F2-4BBC-9B7D-A0E903F02690}" = AVR32 Toolchain
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A8CFC2B-2E30-4D00-98A5-A9D32E747C28}" = Quartus II 9.1sp2 Web Edition
"{4D81BE33-818D-4597-A74B-20F2CE120A36}" = Drive Encryption for HP ProtectTools
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{52CF142B-7B0E-41E7-98F5-B834122523E7}_is1" = Programmer's Notepad 2
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{68BC42E8-B744-487E-B6B1-18D9DC802F9D}" = Credential Manager for HP ProtectTools
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6AEFC5D3-4B2F-4044-A4F9-E51F37820E70}" = MPLAB Tools v8.40
"{72BFBADF-78CE-4322-ADAF-197F53605466}" = AVR32 Studio
"{75D7BB3A-9AB7-4ad1-AD5E-0059B90C624B}" = HP ProtectTools Security Manager Suite
"{78584C1B-8F7B-4B24-80D1-02B309F67AB3}" = Privacy Manager for HP ProtectTools
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{926C96FB-9D0A-4504-8000-C6D3A4A3118E}" = Java DB 10.4.2.1
"{93EEE706-B4B2-4147-A01B-E6F7693E7DCE}" = SigmaStudio 3.1
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient 6.1 x86
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB662A7E-DFF6-47C9-BBD2-430079EA8E74}" = BIOS Configuration for HP ProtectTools
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9DCF4E9-A41B-40E7-B028-2255E36D2A1C}" = TortoiseOverlays
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5D88F8F-FDA4-4CF4-9F3E-3F40118C2120}" = AVRStudio4
"{D847A607-656D-449B-B27E-D41998AF0B17}" = HP JavaCard for HP ProtectTools
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{DDC0FC3C-70D7-41F3-803A-C92484EE53AC}" = AVRStudio4
"{DDD076BF-C5C3-468C-AA1B-F9A7E47446FE}" = Intel® Network Connections 13.1.33.0
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E13DA42E-6653-4526-8D82-6B927D3E32D1}" = Easy-PC Version 13
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{e7394a0f-3f80-45b1-87fc-abcd51893246}" = Python 2.6.4
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F18B31E4-E2E3-4F4F-A2C9-BA579D6AF400}" = TortoiseOverlays
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8315137-BDC7-4ED9-9F78-57E63AE87240}" = HP ProtectTools Security Manager
"{FEDCA026-0826-4CFD-A6C6-540600DB3239}" = AVR USB
"7-Zip" = 7-Zip 4.65
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agent Ransack_is1" = Agent Ransack Version 1.7.3
"AutoHotkey" = AutoHotkey 1.0.48.05
"AVG9Uninstall" = AVG 9.0
"Bazaar_is1" = Bazaar 2.1.1
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"bzr-xmloutput" = bzr-xmloutput 0.8.4
"CastRipper_is1" = CastRipper 2.9.6.000 2007.06.09
"Cool Edit 2000" = Cool Edit 2000
"DeskPins" = DeskPins (remove only)
"flip.exe" = Flip 3.3.2
"GPL Ghostscript 8.71" = GPL Ghostscript 8.71
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"Inkscape" = Inkscape 0.47
"InstallShield_{6AEFC5D3-4B2F-4044-A4F9-E51F37820E70}" = MPLAB Tools v8.40
"KoolCalc" = KoolCalc
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MozBackup" = MozBackup 1.4.9
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"nbi-nb-base-6.7.1.0.0" = NetBeans IDE 6.7.1
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NVIDIA Drivers" = NVIDIA Drivers
"PackJacket 0.4.2" = PackJacket 0.4.2
"PDF Complete" = PDF Complete
"PROHYBRIDR" = 2007 Microsoft Office system
"Rainbow Sentinel Driver" = Sentinel System Driver
"Regrun2" = RegRun II
"SP44286" = HP Softpaq SP44286
"ST6UNST #1" = Project1
"ST6UNST #2" = Glensound GDC-6432 dCCUconfig
"TotalPhase" = Total Phase USB Driver v2.02
"VLC media player" = VLC media player 1.0.5
"WIC" = Windows Imaging Component
"WinAVR-20100110" = WinAVR 20100110 (remove only)
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinPcapInst" = WinPcap 4.1.1
"Wireshark" = Wireshark 1.2.4
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"JFreeChart 1.0.13 Demo" = JFreeChart 1.0.13 Demo
"JST JSlider?SnapToTicks" = JST JSlider?SnapToTicks

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 21/06/2010 14:17:14 | Computer Name = KEITHHP | Source = Application Error | ID = 1000
Description = Faulting application zdaemon.exe, version 0.0.0.0, faulting module
zdaemon.exe, version 0.0.0.0, fault address 0x00061e18.

Error - 25/06/2010 05:58:20 | Computer Name = KEITHHP | Source = Application Error | ID = 1000
Description = Faulting application smss.exe, version 1.0.0.1, faulting module ntdll.dll,
version 5.1.2600.5755, fault address 0x000369da.

Error - 25/06/2010 23:21:32 | Computer Name = KEITHHP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module comctl32.dll, version 6.0.2900.5512, fault address 0x00011a76.

Error - 25/06/2010 23:26:35 | Computer Name = KEITHHP | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 29/06/2010 09:08:37 | Computer Name = KEITHHP | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 01/07/2010 09:13:10 | Computer Name = KEITHHP | Source = ESENT | ID = 490
Description = svchost (1132) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 01/07/2010 09:13:10 | Computer Name = KEITHHP | Source = ESENT | ID = 439
Description = Catalog Database (1132) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb. Error
-1032.

Error - 01/07/2010 09:13:11 | Computer Name = KEITHHP | Source = ESENT | ID = 473
Description = Catalog Database (1132) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
was partially detached. Error -1032 encountered updating database headers.

Error - 05/07/2010 14:17:26 | Computer Name = KEITHHP | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 05/07/2010 14:40:43 | Computer Name = KEITHHP | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


[ System Events ]
Error - 01/07/2010 10:37:08 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 01/07/2010 10:37:08 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7001
Description = The Altera ByteBlaster service depends on the Parallel port driver
service which failed to start because of the following error: %%1058

Error - 05/07/2010 04:11:02 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 05/07/2010 04:11:02 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7001
Description = The Altera ByteBlaster service depends on the Parallel port driver
service which failed to start because of the following error: %%1058

Error - 05/07/2010 14:27:58 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7034
Description = The AVG E-mail Scanner service terminated unexpectedly. It has done
this 1 time(s).

Error - 05/07/2010 14:28:30 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7034
Description = The AVG E-mail Scanner service terminated unexpectedly. It has done
this 2 time(s).

Error - 05/07/2010 14:29:09 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7034
Description = The AVG E-mail Scanner service terminated unexpectedly. It has done
this 3 time(s).

Error - 06/07/2010 04:16:39 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 06/07/2010 04:16:39 | Computer Name = KEITHHP | Source = Service Control Manager | ID = 7001
Description = The Altera ByteBlaster service depends on the Parallel port driver
service which failed to start because of the following error: %%1058

Error - 06/07/2010 04:17:46 | Computer Name = KEITHHP | Source = System Error | ID = 1003
Description = Error code 0000004e, parameter1 00000002, parameter2 000ac9d7, parameter3
000dfbb2, parameter4 0000ffff.


< End of report >



#4
paroariax (Member, Topic Starter, 13 posts)
MBAM - Quick Scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4313

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/07/2010 17:50:10
mbam-log-2010-07-14 (17-50-10).txt

Scan type: Quick scan
Objects scanned: 143458
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#5
paroariax (Member, Topic Starter, 13 posts)
Incidentally, it looks like this guy has the same virus (Black Internet) as the one I originally removed.

#6
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello paroariax,

Disable resident protections (Antivirus...); remember to re-enable them after the scan

Download Lop S&D

Double-click Lop S&D.exe (If you are running on Vista you will need to right-click on the file and choose Run As Administrator.)
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Next

Please run the MGA Diagnostic Tool and post back the report it produces:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
So when you return please post
  • LopR.txt
  • MGA Report


#7
paroariax (Member, Topic Starter, 13 posts)
Sorry about the delay. I will run these scans tonight.

Thank you very much for your help.

#8
paroariax (Member, Topic Starter, 13 posts)
I could not get Lop S&D to work. It displays the language selection, I press E then enter, and it just exits. Is there perhaps some component missing? All you gave me was the EXE file. I tried running it from C:\rubbish\ and from the desktop.

MGADiag output:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2MDY9-F6J9M-K42BQ
Windows Product Key Hash: jY+nlE0RT38EEXpeUqSdQPABSQc=
Windows Product ID: 76487-OEM-2211906-00101
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {FBF3900A-0C0B-4A69-BC57-A498BC918C13}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 102
2007 Microsoft Office system - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1_B4D0AA8B-920-80070057

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{FBF3900A-0C0B-4A69-BC57-A498BC918C13}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-K42BQ</PKey><PID>76487-OEM-2211906-00101</PID><PIDType>2</PIDType><SID>S-1-5-21-853003296-2933495739-1635901285</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq dc7900 Convertible Minitower</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786G1 v01.08</Version><SMBIOSVersion major="2" minor="5"/><Date>20080825000000.000000+000</Date><SLPBIOS>Compaq,Hewlett,Hewlett,Compaq</SLPBIOS></BIOS><HWID>85F33C3F01842078</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>HP Compaq dc7900 Convertible Minitower</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>102</Result><Products><Product GUID="{91120000-0031-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>2007 Microsoft Office system</Name><Ver>12</Ver><PidType>19</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 5819:Compaq Computer Corporation|1153C:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|9F98:Compaq Computer Corporation|11563:Compaq Computer Corporation|11563:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|9F98:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: Compaq,Hewlett,Hewlett,Compaq

OEM Activation 2.0 Data-->
N/A


#9
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello paroariax,

Please just post your logs normally in the thread, i.e. don't use code or quote tags for logs.

Now

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Post the contents of RootRepeal.txt in your next reply.

#10
paroariax

    Member

  • Topic Starter
  • Member
  • 13 posts
I have to go away on a business trip over the weekend, so I'll have to run this scan Monday night and post the result on Tuesday. I hope that's OK.

#11
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
That's fine. :)

#12
paroariax

    Member

  • Topic Starter
  • Member
  • 13 posts
I tried running RootRepeal overnight last night. When I came in this morning the PC was off, not hibernating but off. I'm going to try again tonight but this time I'll disable all the power saving settings first. Please don't close this issue as inactive.

#13
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
:)

#14
paroariax

    Member

  • Topic Starter
  • Member
  • 13 posts
RootRepeal.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/08/04 18:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA6BAE000 Size: 892928 File Visible: No Signed: -
Status: -

Name: PROCEXP141.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
Address: 0xA5E84000 Size: 9600 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD233000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba10887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba108bfe

==EOF==
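
The RootRepeal report above follows a regular layout (a section title over a dashed rule, then blank-line separated `Key: value` records, with several fields sharing one line in the Drivers section), so a helper can triage it mechanically. The Python below is an added example, not part of this thread or of RootRepeal: it parses a constructed excerpt copied from the posted log and lists what is reviewed first, SSDT hooks with the module that installed them and drivers whose image file is not visible to the Windows API.

```python
import re
# Constructed excerpt in the RootRepeal report layout posted above (records
# copied from that log; a real report has more sections and records).
SAMPLE = """\
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_iaStor.sys
Address: 0xA6BAE000 Size: 892928 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba10887e

==EOF==
"""
# One 'Key: value' field; several may share a line (Address ... Signed).
# A drive letter 'C:\' is not followed by a space, so it is not a key.
FIELD = re.compile(r"(#|[A-Za-z][A-Za-z ]*?): (.*?)(?= [A-Za-z][A-Za-z ]*?: |$)")

def parse_rootrepeal(text):
    """Return {section title: [record dict, ...]} for a RootRepeal report."""
    sections, current, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current = line.strip()          # a title line precedes a dashed rule
            sections[current] = []
        elif current is None or line.startswith("---"):
            continue                        # banner and rule lines
        elif line.strip() and not line.startswith("=="):
            for key, value in FIELD.findall(line):
                record[key] = value.strip()
        elif record:                        # blank line or ==EOF== closes it
            sections[current].append(record)
            record = {}
    return sections

def review(sections):
    """SSDT hooks (with the hooking module) and drivers not visible on disk."""
    findings = []
    for rec in sections.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', rec.get("Status", ""))
        findings.append(("ssdt_hook", rec["Function Name"], m.group(1) if m else "?"))
    for rec in sections.get("Drivers", []):
        if rec.get("File Visible") == "No":
            findings.append(("hidden_driver", rec["Name"], rec["Image Path"]))
    return findings
```

Whether a reported hook is benign (a security product's own driver, for instance) is still a judgement the helper makes from the module name; the parser only makes sure nothing in the report is overlooked.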

#15
paroariax

    Member

  • Topic Starter
  • Member
  • 13 posts
BTW, the reason my system was off yesterday morning is that apparently there was a power cut overnight, so nothing to worry about.