Win32:Alureon-DR [Rtk] - redirects google links [Solved]



#1 rtgnow (New Member, 5 posts)
I have a virus that will not go away. I use avast! anti-virus software, which sometimes captures the following virus when I scan memory on initial login.

Win32:Alureon-DR [Rtk]
\\?\globalroot\device\ide\ideport1\rpqqylqi\rpqqylqi\tdlwsp.dll

Thanks in advance for your assistance.

I was not able to run RootRepeal; it caused my computer to crash with a blue screen.

Malwarebytes' Anti-Malware 1.41
Database version: 3109
Windows 5.1.2600 Service Pack 3

11/6/2009 12:41:39 AM
mbam-log-2009-11-06 (00-41-39).txt

Scan type: Quick Scan
Objects scanned: 133597
Time elapsed: 12 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logfile created on: 11/6/2009 12:53:59 AM - Run 1
OTL by OldTimer - Version 3.1.3.4 Folder = C:\Documents and Settings\rtgnow\Desktop\malware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 202.35 Mb Available Physical Memory | 39.60% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.90% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 5.45 Gb Free Space | 29.27% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 270.66 Gb Total Space | 201.00 Gb Free Space | 74.26% Space Free | Partition Type: NTFS
Drive Y: | 270.66 Gb Total Space | 201.00 Gb Free Space | 74.26% Space Free | Partition Type: NTFS
Drive Z: | 270.66 Gb Total Space | 201.00 Gb Free Space | 74.26% Space Free | Partition Type: NTFS

Computer Name: BABY
Current User Name: rtgnow
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/06 00:21:43 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rtgnow\Desktop\malware\OTL.exe
PRC - [2009/09/24 10:15:24 | 00,834,560 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2009/08/17 08:07:23 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/08/17 08:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/08/17 08:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/08/17 08:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/08/17 07:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/04/20 08:34:26 | 01,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/01/19 19:06:22 | 00,090,112 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPCAgent.exe
PRC - [2003/08/15 12:38:14 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/08/15 12:37:08 | 00,618,496 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2003/06/24 17:32:00 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2003/03/19 02:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe


========== Modules (SafeList) ==========

MOD - [2009/11/06 00:21:43 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rtgnow\Desktop\malware\OTL.exe
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 16:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2003/08/15 12:37:48 | 00,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (winvnc)
SRV - File not found -- -- (UPHClean)
SRV - File not found -- -- (DTQ)
SRV - [2009/08/17 08:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/08/17 08:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/08/17 08:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/08/17 07:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/02/02 11:33:20 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/04/20 08:34:26 | 01,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/01/20 11:08:24 | 01,089,536 | ---- | M] (iPass) -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2006/01/19 19:06:22 | 00,090,112 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPCAgent.exe -- (iPCAgent)
SRV - [2003/06/24 17:32:00 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/03/19 02:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/31 11:55:46 | 00,000,000 | ---D | M]


O1 HOSTS File: (348979 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.1.1.114 test.loansoft.com
O1 - Hosts: 10.3.8.218 LNSFSSDEVWB2
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 11966 more lines...
O2 - BHO: (CitiUSBrowserHelper Class) - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ISLP2STA.EXE] File not found
O4 - HKLM..\Run: [O2USB] C:\WINDOWS\System32\O2USB.exe ()
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco VPN client for Dolby Laboratories.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\Program Files\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\g7ps {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll (G7 Productivity Systems, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/08 14:13:24 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/12/08 14:12:34 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/04 00:34:41 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/02 20:50:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Application Data\IObit
[2009/11/01 23:14:36 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/11/01 23:13:59 | 07,885,928 | ---- | C] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:08 | 00,204,496 | ---- | C] (Malwarebytes) -- C:\StartUpLite.exe
[2009/11/01 12:54:49 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/10/31 12:15:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Application Data\Foxit
[2009/10/31 12:14:22 | 00,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2009/10/31 10:57:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/10/31 10:57:02 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/10/31 10:56:28 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/10/31 10:06:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\ApplicationHistory
[2009/10/31 07:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/10/31 07:02:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\Identities
[2009/10/31 06:59:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/10/30 22:15:24 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\rtgnow\Recent
[2009/10/30 22:04:20 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/10/29 21:54:08 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/29 21:54:04 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/29 21:50:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/26 22:02:00 | 03,839,360 | ---- | C] (Amyuni Technologies http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf300.dll
[2009/10/26 22:00:09 | 00,000,000 | ---D | C] -- C:\Program Files\Quicken
[2009/10/25 11:11:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\Eraser
[2007/02/05 20:57:11 | 00,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

========== Files - Modified Within 14 Days ==========

[2009/11/06 00:51:34 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/06 00:50:51 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\rtgnow\NTUSER.DAT
[2009/11/06 00:48:54 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/06 00:48:19 | 00,080,057 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/11/06 00:47:45 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/06 00:47:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/06 00:22:50 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\rtgnow\ntuser.ini
[2009/11/05 21:40:07 | 05,356,748 | -H-- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\IconCache.db
[2009/11/04 23:47:49 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 00:34:43 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\HijackThis.lnk
[2009/11/02 23:26:57 | 00,000,888 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/02 23:26:57 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/02 23:26:57 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/11/02 21:52:55 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\ICITTRMNPYAIXS
[2009/11/01 23:40:24 | 00,231,390 | ---- | M] () -- C:\RootkitRevealer.zip
[2009/11/01 23:14:06 | 07,885,928 | ---- | M] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:21 | 00,204,496 | ---- | M] (Malwarebytes) -- C:\StartUpLite.exe
[2009/11/01 20:31:01 | 00,080,057 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/11/01 19:50:18 | 00,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/01 19:50:18 | 00,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/01 14:34:20 | 00,002,367 | ---- | M] () -- C:\WINDOWS\HPOCSS05.INI
[2009/11/01 14:34:20 | 00,000,581 | ---- | M] () -- C:\WINDOWS\HPOTBX05.INI
[2009/11/01 14:34:20 | 00,000,525 | ---- | M] () -- C:\WINDOWS\HPODJC05.INI
[2009/11/01 12:27:37 | 00,551,164 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/01 11:45:29 | 00,348,979 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/31 11:38:30 | 00,030,408 | ---- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/31 11:37:16 | 00,146,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/29 21:25:13 | 00,001,720 | -H-- | M] () -- C:\Documents and Settings\rtgnow\My Documents\Default.rdp
[2009/10/26 23:14:06 | 00,646,757 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\VideoCard_impact.pdf
[2009/10/26 22:01:21 | 00,000,120 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2009/10/26 21:51:49 | 00,347,277 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091101-114529.backup
[2009/10/23 14:46:15 | 00,029,659 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\2009_tax.pdf

========== Files Created - No Company Name ==========

[2009/11/04 23:47:49 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 00:34:42 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\HijackThis.lnk
[2009/11/02 21:52:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ICITTRMNPYAIXS
[2009/11/01 23:40:22 | 00,231,390 | ---- | C] () -- C:\RootkitRevealer.zip
[2009/10/31 11:47:39 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/10/30 22:08:19 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/10/26 23:14:03 | 00,646,757 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\VideoCard_impact.pdf
[2009/10/26 21:59:47 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/10/23 14:46:13 | 00,029,659 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\2009_tax.pdf
[2009/10/19 20:10:46 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/10/19 20:10:46 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/10/19 20:10:46 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/10/19 20:10:45 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2009/01/24 14:05:54 | 00,999,424 | ---- | C] () -- C:\WINDOWS\System32\cygiconv-2.dll
[2009/01/24 14:05:54 | 00,242,688 | ---- | C] () -- C:\WINDOWS\System32\cygncurses-8.dll
[2009/01/24 14:05:54 | 00,206,848 | ---- | C] () -- C:\WINDOWS\System32\cygncurses6.dll
[2009/01/24 14:05:54 | 00,158,208 | ---- | C] () -- C:\WINDOWS\System32\cygreadline6.dll
[2009/01/24 14:05:54 | 00,031,744 | ---- | C] () -- C:\WINDOWS\System32\cygintl-8.dll
[2009/01/05 14:44:10 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/12/24 01:34:13 | 05,356,748 | -H-- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\IconCache.db
[2008/12/24 00:09:41 | 00,030,408 | ---- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/12/24 00:09:33 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\rtgnow\Application Data\desktop.ini
[2008/12/23 23:59:14 | 00,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/02/06 22:23:04 | 00,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2008/02/06 22:21:48 | 00,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/10/21 01:51:35 | 00,000,389 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/10/07 15:27:14 | 00,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/29 22:41:39 | 00,000,525 | ---- | C] () -- C:\WINDOWS\HPODJC05.INI
[2007/04/29 22:41:35 | 00,002,367 | ---- | C] () -- C:\WINDOWS\HPOCSS05.INI
[2007/04/29 22:41:35 | 00,000,581 | ---- | C] () -- C:\WINDOWS\HPOTBX05.INI
[2007/02/05 21:27:25 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/06/05 07:28:47 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\AppShare-6-6-0.dll
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/01/11 08:28:03 | 00,000,223 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/07/21 07:41:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2005/07/07 12:24:45 | 00,000,754 | ---- | C] () -- C:\WINDOWS\wordpad.INI
[2003/12/09 16:57:22 | 00,000,224 | ---- | C] () -- C:\WINDOWS\I32FONTS.INI
[2003/12/09 15:25:49 | 00,000,898 | ---- | C] () -- C:\WINDOWS\lsbugs32.ini
[2003/12/09 08:57:19 | 00,007,830 | ---- | C] () -- C:\WINDOWS\uedit32.INI
[2003/12/09 08:28:31 | 00,000,177 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2003/12/08 17:19:23 | 00,000,185 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/12/08 16:45:30 | 00,000,886 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/12/08 05:25:28 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2003/07/29 06:18:52 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2003/01/22 17:47:34 | 00,003,104 | ---- | C] () -- C:\WINDOWS\System32\drivers\OzCrd2k.sys
[2001/10/24 12:03:20 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\hpomon05.dll
[2001/10/24 12:03:20 | 00,005,361 | ---- | C] () -- C:\WINDOWS\System32\hpolnk05.ini
[2001/08/23 04:00:00 | 00,000,888 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 04:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/22 10:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/12/21 11:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\G7PS
[2007/02/05 11:24:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/12/18 09:38:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2009/10/19 23:55:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/01/10 13:17:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/03/19 19:41:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/04/22 21:15:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/10/31 12:15:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\Foxit
[2008/12/24 01:25:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\G7PS
[2009/10/15 07:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\GrabPro
[2009/11/02 20:50:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\IObit
[2009/10/20 10:27:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\OpenDNS Updater
[2009/10/15 22:06:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\Orbit
[2009/10/19 09:35:14 | 00,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2001/08/23 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/06 00:51:34 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/11/06 00:47:45 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/11/01 23:14:06 | 07,885,928 | ---- | M] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:21 | 00,204,496 | ---- | M] (Malwarebytes) -- C:\StartUpLite.exe

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/03 23:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/03 23:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >

OTL Extras logfile created on: 11/6/2009 12:53:59 AM - Run 1
OTL by OldTimer - Version 3.1.3.4 Folder = C:\Documents and Settings\rtgnow\Desktop\malware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 202.35 Mb Available Physical Memory | 39.60% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.90% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 5.45 Gb Free Space | 29.27% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 270.66 Gb Total Space | 201.00 Gb Free Space | 74.26% Space Free | Partition Type: NTFS
Drive Y: | 270.66 Gb Total Space | 201.00 Gb Free Space | 74.26% Space Free | Partition Type: NTFS
Drive Z: | 270.66 Gb Total Space | 201.00 Gb Free Space | 74.26% Space Free | Partition Type: NTFS

Computer Name: BABY
Current User Name: rtgnow
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"2799:UDP" = 2799:UDP:*:Enabled:Altova License Metering Port (UDP)
"2799:TCP" = 2799:TCP:*:Enabled:Altova License Metering Port (TCP)
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Altova\XML Spy Suite\XMLSpy.exe" = C:\Program Files\Altova\XML Spy Suite\XMLSpy.exe:*:Disabled:XML Spy -- File not found
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{17B66E83-1BC9-11D5-A54A-0090278A1BB8}" = Microsoft FrontPage Client - English
"{286FD726-2C5D-451B-B111-D11F455846EB}" = WorkFlow Designer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35343FF7-939B-401A-87B3-FF90A5123D88}" = Microsoft XML Parser and SDK
"{35E026DB-4698-47BB-99EB-1B8CEFF564D1}" = VersaCheck 2004 Silver
"{4059B475-06E5-4E5C-8549-B7857AB33668}" = XML Spy Suite 4.4
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{690CDDA6-5BFD-476D-B180-93DFD90B90A2}" = IPASS
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7959721D-8268-4565-9E0E-C41A9F4848A9}" = SigmaTel AC97 Audio Drivers
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB6FFA58-F491-11D3-8951-000000030747}" = iPassConnect
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DE700910-58F7-4D2E-B7E6-3BA2DA1B6806}" = Virtual Account Numbers
"{E255419E-9B70-4BF3-8EA6-7D6067058F3A}" = O2UsbCrd
"{E44BD710-B71A-11d3-9F79-006008A88EC8}" = VBA
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"CCleaner" = CCleaner
"doPDF 6 printer_is1" = doPDF 6.1 printer
"ERUNT_is1" = ERUNT 1.1j
"Foxit Reader" = Foxit Reader
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"OpenDNS Updater" = OpenDNS Updater 2.1
"Picasa 3" = Picasa 3
"RealArcade 1.2" = RealArcade
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinMerge_is1" = WinMerge 2.12.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 1/2/2009 4:01:00 AM | Computer Name = BABY | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://download.micr...x86fre_spcd.iso
failed, 00000084.

Error - 1/16/2009 10:16:33 PM | Computer Name = BABY | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://internap.dl.s....686.4.3374.iso
failed, 00000084.

Error - 1/16/2009 10:19:38 PM | Computer Name = BABY | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://internap.dl.s....686.4.3374.iso
failed, 00000084.

Error - 11/3/2009 3:46:55 AM | Computer Name = BABY | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 2.

Error - 11/3/2009 10:06:29 AM | Computer Name = BABY | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 2.

[ Application Events ]
Error - 7/18/2009 3:43:45 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2009 3:43:51 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2009 3:43:51 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/2/2009 10:56:02 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/4/2009 1:22:38 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/4/2009 1:22:38 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/4/2009 1:22:42 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/6/2009 11:04:49 AM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/11/2009 7:01:01 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/12/2009 10:27:26 PM | Computer Name = BABY | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/6/2009 4:22:32 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7034
Description = The iPCAgent service terminated unexpectedly. It has done this 1
time(s).

Error - 11/6/2009 4:22:32 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7034
Description = The Cisco Systems, Inc. VPN Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/6/2009 4:22:32 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/6/2009 4:22:32 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Driver Helper Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/6/2009 4:27:33 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7000
Description = The User Profile Hive Cleanup service failed to start due to the following
error: %%2

Error - 11/6/2009 4:27:33 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7000
Description = The VNC Server service failed to start due to the following error:
%%3

Error - 11/6/2009 4:28:34 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 11/6/2009 4:28:34 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 11/6/2009 4:48:23 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7000
Description = The User Profile Hive Cleanup service failed to start due to the following
error: %%2

Error - 11/6/2009 4:48:23 AM | Computer Name = BABY | Source = Service Control Manager | ID = 7000
Description = The VNC Server service failed to start due to the following error:
%%3


< End of report >

#2
Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Hi,

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\WINDOWS\system32\dllcache\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply



Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
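The OTL `/s /md5` custom scan in the first log and the Avenger "Files to move" line above are two halves of one check: copies of a protected driver that share a timestamp and size must also share a hash, and the live atapi.sys was the one copy OTL could not hash. The Python below is an added example (not OTL's, The Avenger's or the helper's code) that parses scan lines in the layout OTL 3.1.x printed here, flags a copy whose hash is missing or differs from its same-stamp siblings, and builds the matching restore line; the sample input is the atapi.sys and AGP440.sys sections copied from the log above.

```python
import re
from collections import defaultdict

# One copy of a queried file as OTL's "/s /md5" custom scan prints it, e.g.
# [2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A... -- C:\...\atapi.sys
# The hash is optional because OTL printed a bare "MD5" for the copy it could not read.
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5(?:=(?P<md5>[0-9A-Fa-f]{32}))?\s*--\s*(?P<path>\S.*?)\s*$"
)

# Constructed sample: the atapi.sys and AGP440.sys sections copied from the OTL log above.
SAMPLE_SCAN = r"""
< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
"""


def parse_md5_scan(text):
    """Return one dict per file copy listed in the scan; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # query headers such as "< %SYSTEMDRIVE%\atapi.sys /s /md5 >", blank lines
        path = m.group("path")
        entries.append({
            "stamp": m.group("stamp").strip(),
            "size": int(m.group("size").replace(",", "")),
            "company": m.group("company").strip(),
            "md5": m.group("md5").upper() if m.group("md5") else None,
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),  # AGP440.sys and agp440.sys are one file
        })
    return entries


def find_disagreements(entries):
    """Flag a copy whose hash is missing or differs from siblings with the same stamp and size.

    Copies of one file that carry the same timestamp and size (live driver, dllcache,
    ServicePackFiles) should be byte-identical; the older $NtServicePackUninstall$ copy
    has a different stamp and size and so never competes with them.  Returns
    (suspect_path, reason, reference_path) tuples, preferring the dllcache copy as reference.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["name"], e["stamp"], e["size"])].append(e)
    findings = []
    for copies in groups.values():
        if len(copies) < 2:
            continue  # a lone copy has nothing to be compared against
        votes = defaultdict(int)
        for c in copies:
            if c["md5"]:
                votes[c["md5"]] += 1
        if not votes:
            continue  # nothing readable at all; this needs a different tool
        expected = max(votes, key=votes.get)
        good = [c for c in copies if c["md5"] == expected]
        ref = next((c for c in good if "\\dllcache\\" in c["path"].lower()), good[0])
        for c in copies:
            if c["md5"] is None:
                findings.append((c["path"], "no MD5 reported: the file could not be read", ref["path"]))
            elif c["md5"] != expected:
                findings.append((c["path"], "MD5 differs from sibling copies", ref["path"]))
    return findings


def avenger_move_script(findings):
    """Build the 'Files to move:' block in the layout the helper posted above."""
    lines = ["Files to move:"]
    for suspect, _reason, ref in findings:
        lines.append(f"{ref} | {suspect}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_disagreements(parse_md5_scan(SAMPLE_SCAN))
    for suspect, reason, ref in found:
        print(f"{suspect}: {reason} (clean copy: {ref})")
    print(avenger_move_script(found))
```

On the sample above the only finding is C:\WINDOWS\system32\drivers\atapi.sys with no hash, and the generated restore line is the one Rorschach112 posted.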

#3
rtgnow - Topic Starter, New Member, 5 posts
Thanks so much for your help. So far things are looking good. The redirects have stopped, but they have stopped for a couple of days in the past and then re-appeared.

Well, I guess I'm getting a little paranoid, but I was a little hesitant on the ComboFix.exe since it looks like some of the message boxes had changed. Well, I proceeded on anyway; here are the logs.

Thanks again.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\dllcache\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-11-05.05 - rtgnow 11/06/2009 8:32.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.193 [GMT -8:00]
Running from: c:\documents and settings\rtgnow\Desktop\malware\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091106-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TEST
-------\Service_test


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-04 08:34 . 2009-11-04 08:34 -------- d-----w- c:\program files\Trend Micro
2009-11-03 05:33 . 2009-11-03 05:33 -------- d-----w- c:\documents and settings\Bertalicia\Application Data\Malwarebytes
2009-11-03 04:50 . 2009-11-03 04:50 -------- d-----w- c:\documents and settings\rtgnow\Application Data\IObit
2009-11-02 07:40 . 2009-11-02 07:40 231390 ----a-w- C:\RootkitRevealer.zip
2009-11-02 07:14 . 2009-11-02 07:57 -------- d-----w- c:\documents and settings\Bertalicia\Application Data\IObit
2009-11-02 07:14 . 2009-11-02 07:14 -------- d-----w- c:\program files\IObit
2009-11-02 07:13 . 2009-11-02 07:14 7885928 ----a-w- C:\asc-setup.exe
2009-11-02 06:56 . 2009-11-02 06:56 204496 ----a-w- C:\StartUpLite.exe
2009-11-02 04:25 . 2009-11-02 04:25 126970 ----a-w- c:\documents and settings\rtgnow\Application Data\Move Networks\uninstall.exe
2009-11-01 20:54 . 2009-07-29 00:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-31 20:15 . 2009-10-31 20:15 -------- d-----w- c:\documents and settings\rtgnow\Application Data\Foxit
2009-10-31 20:14 . 2009-10-31 20:14 -------- d-----w- c:\program files\Foxit Software
2009-10-31 18:57 . 2009-10-31 18:57 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-31 18:57 . 2009-10-31 18:57 -------- d-----w- c:\program files\MSBuild
2009-10-31 18:56 . 2009-10-31 18:56 -------- d-----w- c:\program files\Reference Assemblies
2009-10-31 18:55 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-31 18:55 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-31 18:55 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-31 18:55 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-31 18:55 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-31 18:55 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-31 18:55 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-31 18:06 . 2009-10-31 18:34 -------- d-----w- c:\documents and settings\rtgnow\Local Settings\Application Data\ApplicationHistory
2009-10-31 16:11 . 2008-05-27 05:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-10-31 15:02 . 2009-10-31 15:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-31 15:02 . 2009-10-31 15:02 -------- d-----w- c:\documents and settings\rtgnow\Local Settings\Application Data\Identities
2009-10-31 14:59 . 2009-10-31 14:59 -------- d-----w- c:\windows\system32\GroupPolicy
2009-10-31 06:04 . 2009-10-31 06:04 -------- d-----w- c:\program files\Windows Defender
2009-10-30 05:54 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 05:54 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 05:50 . 2009-10-30 05:51 -------- d-----w- c:\program files\ERUNT
2009-10-27 06:02 . 2009-10-27 06:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-27 06:02 . 2009-10-15 03:53 3839360 ----a-w- c:\windows\system32\cdintf300.dll
2009-10-27 06:01 . 2009-10-15 03:52 25984 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Deluxe\Custom\billmind.exe
2009-10-27 06:01 . 2009-10-15 03:52 25984 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\HaB\Custom\billmind.exe
2009-10-27 06:01 . 2009-10-15 03:52 25984 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe
2009-10-27 06:01 . 2009-10-15 03:52 25984 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe
2009-10-27 06:00 . 2009-10-27 06:01 -------- d-----w- c:\program files\Quicken
2009-10-25 19:11 . 2009-10-27 05:09 -------- d-----w- c:\documents and settings\rtgnow\Local Settings\Application Data\Eraser
2009-10-20 20:59 . 2009-10-20 20:59 -------- d-----w- c:\documents and settings\Bertalicia\Application Data\OpenDNS Updater
2009-10-20 19:21 . 2009-10-20 19:21 -------- d-sh--w- c:\documents and settings\Bertalicia\IECompatCache
2009-10-20 19:20 . 2009-10-20 19:20 -------- d-sh--w- c:\documents and settings\Bertalicia\PrivacIE
2009-10-20 19:18 . 2009-10-20 19:18 -------- d-sh--w- c:\documents and settings\Bertalicia\IETldCache
2009-10-20 18:27 . 2009-10-20 18:27 -------- d-----w- c:\documents and settings\rtgnow\Application Data\OpenDNS Updater
2009-10-20 18:27 . 2009-10-20 18:27 -------- d-----w- c:\program files\OpenDNS Updater
2009-10-20 04:13 . 2009-10-20 07:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-20 04:10 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-20 04:10 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-20 04:10 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-20 04:10 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-20 04:10 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-10-20 03:42 . 2009-10-20 03:42 -------- d-sh--w- c:\documents and settings\rtgnow\IECompatCache
2009-10-20 03:41 . 2009-10-20 03:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 03:40 . 2009-10-20 03:40 -------- d-sh--w- c:\documents and settings\rtgnow\PrivacIE
2009-10-20 03:37 . 2009-10-20 03:37 -------- d-sh--w- c:\documents and settings\rtgnow\IETldCache
2009-10-20 03:30 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-20 03:30 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-20 03:30 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-20 03:30 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-20 03:30 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-20 03:30 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-20 03:30 . 2009-11-04 09:19 -------- d-----w- c:\windows\ie8updates
2009-10-20 03:27 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-20 03:23 . 2009-10-20 03:27 -------- dc-h--w- c:\windows\ie8
2009-10-19 20:40 . 2009-10-19 20:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-10-19 20:09 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-19 17:21 . 2009-10-20 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-19 15:12 . 2009-10-19 15:12 -------- d-----w- c:\documents and settings\rtgnow\Application Data\Malwarebytes
2009-10-19 15:12 . 2009-10-19 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 15:12 . 2009-10-30 05:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 02:50 . 2009-10-31 05:29 -------- d-----w- c:\windows\BDOSCAN8
2009-10-18 18:10 . 2009-10-18 18:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-17 04:27 . 2009-10-17 04:27 -------- d-----w- c:\documents and settings\rtgnow\Local Settings\Application Data\Mozilla
2009-10-17 03:58 . 2009-10-17 03:59 -------- d-----w- c:\documents and settings\rtgnow\Local Settings\Application Data\Temp
2009-10-15 21:05 . 2009-10-15 21:19 -------- d-----w- c:\documents and settings\Bertalicia\Application Data\Orbit
2009-10-15 15:54 . 2009-10-15 15:54 -------- d-----w- c:\documents and settings\rtgnow\Application Data\GrabPro
2009-10-15 15:54 . 2009-10-16 06:06 -------- d-----w- c:\documents and settings\rtgnow\Application Data\Orbit
2009-10-14 05:47 . 2009-11-02 04:27 -------- d-----w- c:\documents and settings\rtgnow\Application Data\Move Networks
2009-10-13 23:59 . 2009-10-13 23:59 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-08 21:57 . 2009-10-08 21:57 611328 ------w- c:\windows\system32\uiautomationcore.dll
2009-10-07 20:11 . 2009-10-07 20:11 152576 ----a-w- c:\documents and settings\rtgnow\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 05:48 . 2007-02-02 19:06 30408 ----a-w- c:\documents and settings\Bertalicia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 06:20 . 2007-02-02 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 06:05 . 2007-02-02 19:44 -------- d-----w- c:\program files\CCleaner
2009-11-02 04:31 . 2003-12-08 23:33 80057 ----a-w- c:\windows\system32\nvModes.dat
2009-11-02 04:25 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\rtgnow\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-31 19:38 . 2008-12-24 08:09 30408 ----a-w- c:\documents and settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 06:01 . 2008-12-24 08:30 -------- d-----w- c:\documents and settings\rtgnow\Application Data\Intuit
2009-10-27 05:59 . 2008-12-24 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-10-27 05:35 . 2008-12-24 06:53 -------- d-----w- c:\documents and settings\Bertalicia\Application Data\Intuit
2009-10-19 05:28 . 2007-04-29 03:28 -------- d--h--w- c:\documents and settings\Bertalicia\Application Data\Move Networks
2009-10-08 21:57 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-12-08 23:11 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 21:00 . 2009-08-23 21:00 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-08-23 21:00 . 2009-08-23 21:00 426496 ------w- c:\windows\system32\imapi2.dll
2009-08-17 16:10 . 2008-12-27 08:56 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-12-27 08:57 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-12-27 08:57 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-12-27 08:57 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-12-27 08:57 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-12-27 08:57 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-12-27 08:57 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-12-27 08:57 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-12-27 08:57 97480 ----a-w- c:\windows\system32\AvastSS.scr
2007-02-06 04:57 . 2007-02-06 04:57 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-09-24 834560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 618496]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"combofix"="c:\combofix\CF13962.exe" [2009-11-06 389120]
"O2USB"="o2usb.exe" - c:\windows\system32\O2USB.exe [2002-07-26 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco VPN client for Dolby Laboratories.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-12-23 1528880]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 OzCrd2k;OzCrd2k;c:\windows\system32\drivers\OzCrd2k.sys [1/22/2003 5:47 PM 3104]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/27/2008 12:57 AM 114768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [1/2/2009 12:05 AM 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/27/2008 12:57 AM 20560]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect\iPCAgent.exe [2/6/2008 10:43 PM 90112]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [1/27/2004 4:22 PM 315008]
S3 DTQ;DTQ;c:\docume~1\BERTAL~1\LOCALS~1\Temp\DTQ.exe --> c:\docume~1\BERTAL~1\LOCALS~1\Temp\DTQ.exe [?]
S3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [1/13/2002 4:25 PM 65916]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [10/3/2002 6:07 PM 611840]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [10/21/2007 1:50 AM 2688]
S3 root_repeal;root_repeal;\??\c:\windows\system32\drivers\root_repeal.sys --> c:\windows\system32\drivers\root_repeal.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [8/27/2006 11:37 PM 336256]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {34D9B5F6-8AD4-4AFA-A210-2B8B428081AF} = 208.67.222.222,208.67.220.220
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISLP2STA.EXE - ISLP2STA.EXE
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 08:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-11-06 9:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 17:11

Pre-Run: 5,718,118,400 bytes free
Post-Run: 5,541,011,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 36DBB6DD21D98C2D2CFEAB000A4ED966
#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#5
rtgnow

    New Member

  • Topic Starter
  • Member
  • 5 posts
Things are still looking good; the redirects have not returned. That Kaspersky online scan took a long time to run. Here are the results of both scans.

Thanks for the help.

Malwarebytes' Anti-Malware 1.41
Database version: 3112
Windows 5.1.2600 Service Pack 3

11/6/2009 12:34:03 PM
mbam-log-2009-11-06 (12-34-03).txt

Scan type: Quick Scan
Objects scanned: 133884
Time elapsed: 12 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, November 7, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 06, 2009 21:34:59
Records in database: 3162831
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
X:\
Y:\
Z:\

Scan statistics:
Objects scanned: 178768
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 24:39:08

No threats found. Scanned area is clean.

Selected area has been scanned.
#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Open OTL, click Quick Scan, and post that log.
#7
rtgnow

    New Member

  • Topic Starter
  • Member
  • 5 posts
Here is the log.

OTL logfile created on: 11/7/2009 11:43:54 PM - Run 2
OTL by OldTimer - Version 3.1.3.4 Folder = C:\Documents and Settings\rtgnow\Desktop\malware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 71.27 Mb Available Physical Memory | 13.95% Memory free
1.22 Gb Paging File | 0.82 Gb Available in Paging File | 67.17% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 5.15 Gb Free Space | 27.67% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 270.66 Gb Total Space | 200.96 Gb Free Space | 74.25% Space Free | Partition Type: NTFS
Drive Y: | 270.66 Gb Total Space | 200.96 Gb Free Space | 74.25% Space Free | Partition Type: NTFS
Drive Z: | 270.66 Gb Total Space | 200.96 Gb Free Space | 74.25% Space Free | Partition Type: NTFS

Computer Name: BABY
Current User Name: rtgnow
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/06 12:41:35 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/06 12:41:34 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/06 00:21:43 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rtgnow\Desktop\malware\OTL.exe
PRC - [2009/09/24 10:15:24 | 00,834,560 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2009/08/17 08:07:23 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/08/17 08:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/08/17 08:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/08/17 08:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/08/17 07:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/07 14:51:16 | 00,102,400 | ---- | M] () -- C:\WINDOWS\system32\OBroker.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/04/20 08:34:26 | 01,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/01/19 19:06:22 | 00,090,112 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPCAgent.exe
PRC - [2003/08/15 12:38:14 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/08/15 12:37:08 | 00,618,496 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2003/06/24 17:32:00 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2003/03/19 02:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe


========== Modules (SafeList) ==========

MOD - [2009/11/06 00:21:43 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rtgnow\Desktop\malware\OTL.exe
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 16:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2003/08/15 12:37:48 | 00,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (winvnc)
SRV - File not found -- -- (UPHClean)
SRV - File not found -- -- (DTQ)
SRV - [2009/11/06 12:41:34 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/17 08:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/08/17 08:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/08/17 08:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/08/17 07:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/02/02 11:33:20 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/04/20 08:34:26 | 01,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/01/20 11:08:24 | 01,089,536 | ---- | M] (iPass) -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2006/01/19 19:06:22 | 00,090,112 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPCAgent.exe -- (iPCAgent)
SRV - [2003/06/24 17:32:00 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/03/19 02:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/31 11:55:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/11/06 12:41:38 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (CitiUSBrowserHelper Class) - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [O2USB] C:\WINDOWS\System32\O2USB.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco VPN client for Dolby Laboratories.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\Program Files\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\g7ps {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll (G7 Productivity Systems, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/08 14:13:24 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/11/06 12:41:11 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/11/06 08:19:22 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/06 08:06:06 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/06 08:06:06 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/06 08:06:06 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/06 08:06:06 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/06 07:46:59 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/06 07:36:41 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/11/04 00:34:41 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/02 20:50:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Application Data\IObit
[2009/11/01 23:14:36 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/11/01 23:13:59 | 07,885,928 | ---- | C] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:08 | 00,204,496 | ---- | C] (Malwarebytes) -- C:\StartUpLite.exe
[2009/11/01 12:54:49 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/10/31 12:15:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Application Data\Foxit
[2009/10/31 12:14:22 | 00,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2009/10/31 10:57:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/10/31 10:57:02 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/10/31 10:56:28 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/10/31 10:06:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\ApplicationHistory
[2009/10/31 07:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/10/31 07:02:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\Identities
[2009/10/31 06:59:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/10/30 22:15:24 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\rtgnow\Recent
[2009/10/30 22:04:20 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/10/29 21:54:08 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/29 21:54:04 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/29 21:50:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/26 22:02:00 | 03,839,360 | ---- | C] (Amyuni Technologies
http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf300.dll
[2009/10/26 22:00:09 | 00,000,000 | ---D | C] -- C:\Program Files\Quicken
[2009/10/25 11:11:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\Eraser
[2007/02/05 20:57:11 | 00,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

========== Files - Modified Within 14 Days ==========

[2009/11/07 23:40:19 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/07 23:37:40 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/07 23:37:13 | 00,080,057 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/11/07 23:36:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/07 23:36:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/07 15:04:21 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\rtgnow\NTUSER.DAT
[2009/11/07 15:04:21 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\rtgnow\ntuser.ini
[2009/11/07 15:03:06 | 05,358,672 | -H-- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\IconCache.db
[2009/11/06 10:56:07 | 00,000,525 | ---- | M] () -- C:\WINDOWS\HPODJC05.INI
[2009/11/06 10:53:52 | 00,267,264 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/06 08:57:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/06 08:56:41 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/06 08:19:42 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/11/06 07:32:25 | 00,731,136 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\avenger.exe
[2009/11/04 23:47:49 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 00:34:43 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\HijackThis.lnk
[2009/11/02 23:26:57 | 00,000,888 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/02 23:26:57 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/11/02 21:52:55 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\ICITTRMNPYAIXS
[2009/11/01 23:40:24 | 00,231,390 | ---- | M] () -- C:\RootkitRevealer.zip
[2009/11/01 23:14:06 | 07,885,928 | ---- | M] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:21 | 00,204,496 | ---- | M] (Malwarebytes) -- C:\StartUpLite.exe
[2009/11/01 20:31:01 | 00,080,057 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/11/01 19:50:18 | 00,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/01 19:50:18 | 00,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/01 14:34:20 | 00,002,367 | ---- | M] () -- C:\WINDOWS\HPOCSS05.INI
[2009/11/01 14:34:20 | 00,000,581 | ---- | M] () -- C:\WINDOWS\HPOTBX05.INI
[2009/11/01 12:27:37 | 00,551,164 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/31 11:38:30 | 00,030,408 | ---- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/31 11:37:16 | 00,146,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/29 21:25:13 | 00,001,720 | -H-- | M] () -- C:\Documents and Settings\rtgnow\My Documents\Default.rdp
[2009/10/26 23:14:06 | 00,646,757 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\VideoCard_impact.pdf
[2009/10/26 22:01:21 | 00,000,120 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2009/10/26 21:51:49 | 00,347,277 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091101-114529.backup
[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe

========== Files Created - No Company Name ==========

[2009/11/06 08:19:40 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/06 08:19:29 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/06 08:06:06 | 00,267,264 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/06 08:06:06 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/06 08:06:06 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/06 08:06:06 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/06 08:06:06 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/04 23:47:49 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 00:34:42 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\HijackThis.lnk
[2009/11/02 21:52:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ICITTRMNPYAIXS
[2009/11/01 23:40:22 | 00,231,390 | ---- | C] () -- C:\RootkitRevealer.zip
[2009/10/31 11:47:39 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/10/30 22:08:19 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/10/26 23:14:03 | 00,646,757 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\VideoCard_impact.pdf
[2009/10/26 21:59:47 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/10/19 20:10:46 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/10/19 20:10:46 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/10/19 20:10:46 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/10/19 20:10:45 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2009/01/24 14:05:54 | 00,999,424 | ---- | C] () -- C:\WINDOWS\System32\cygiconv-2.dll
[2009/01/24 14:05:54 | 00,242,688 | ---- | C] () -- C:\WINDOWS\System32\cygncurses-8.dll
[2009/01/24 14:05:54 | 00,206,848 | ---- | C] () -- C:\WINDOWS\System32\cygncurses6.dll
[2009/01/24 14:05:54 | 00,158,208 | ---- | C] () -- C:\WINDOWS\System32\cygreadline6.dll
[2009/01/24 14:05:54 | 00,031,744 | ---- | C] () -- C:\WINDOWS\System32\cygintl-8.dll
[2009/01/05 14:44:10 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/12/24 01:34:13 | 05,358,672 | -H-- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\IconCache.db
[2008/12/24 00:09:41 | 00,030,408 | ---- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/12/24 00:09:33 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\rtgnow\Application Data\desktop.ini
[2008/12/23 23:59:14 | 00,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/02/06 22:23:04 | 00,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2008/02/06 22:21:48 | 00,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/10/21 01:51:35 | 00,000,389 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/10/07 15:27:14 | 00,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/29 22:41:39 | 00,000,525 | ---- | C] () -- C:\WINDOWS\HPODJC05.INI
[2007/04/29 22:41:35 | 00,002,367 | ---- | C] () -- C:\WINDOWS\HPOCSS05.INI
[2007/04/29 22:41:35 | 00,000,581 | ---- | C] () -- C:\WINDOWS\HPOTBX05.INI
[2007/02/05 21:27:25 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/06/05 07:28:47 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\AppShare-6-6-0.dll
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/01/11 08:28:03 | 00,000,223 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/07/21 07:41:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2005/07/07 12:24:45 | 00,000,754 | ---- | C] () -- C:\WINDOWS\wordpad.INI
[2003/12/09 16:57:22 | 00,000,224 | ---- | C] () -- C:\WINDOWS\I32FONTS.INI
[2003/12/09 15:25:49 | 00,000,898 | ---- | C] () -- C:\WINDOWS\lsbugs32.ini
[2003/12/09 08:57:19 | 00,007,830 | ---- | C] () -- C:\WINDOWS\uedit32.INI
[2003/12/09 08:28:31 | 00,000,177 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2003/12/08 17:19:23 | 00,000,185 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/12/08 16:45:30 | 00,000,886 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/12/08 05:25:28 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2003/07/29 06:18:52 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2003/01/22 17:47:34 | 00,003,104 | ---- | C] () -- C:\WINDOWS\System32\drivers\OzCrd2k.sys
[2001/10/24 12:03:20 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\hpomon05.dll
[2001/10/24 12:03:20 | 00,005,361 | ---- | C] () -- C:\WINDOWS\System32\hpolnk05.ini
[2001/08/23 04:00:00 | 00,000,888 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 04:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/22 10:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/12/21 11:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\G7PS
[2007/02/05 11:24:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/12/18 09:38:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2009/10/19 23:55:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/01/10 13:17:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/03/19 19:41:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/04/22 21:15:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/10/31 12:15:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\Foxit
[2008/12/24 01:25:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\G7PS
[2009/10/15 07:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\GrabPro
[2009/11/02 20:50:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\IObit
[2009/10/20 10:27:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\OpenDNS Updater
[2009/10/15 22:06:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\Orbit
[2001/08/23 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/07 23:40:19 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/11/07 23:36:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >

#8
rtgnow

    New Member

  • Topic Starter
  • Member
  • 5 posts
Here is the log.

OTL logfile created on: 11/7/2009 11:43:54 PM - Run 2
OTL by OldTimer - Version 3.1.3.4 Folder = C:\Documents and Settings\rtgnow\Desktop\malware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 71.27 Mb Available Physical Memory | 13.95% Memory free
1.22 Gb Paging File | 0.82 Gb Available in Paging File | 67.17% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 5.15 Gb Free Space | 27.67% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 270.66 Gb Total Space | 200.96 Gb Free Space | 74.25% Space Free | Partition Type: NTFS
Drive Y: | 270.66 Gb Total Space | 200.96 Gb Free Space | 74.25% Space Free | Partition Type: NTFS
Drive Z: | 270.66 Gb Total Space | 200.96 Gb Free Space | 74.25% Space Free | Partition Type: NTFS

Computer Name: BABY
Current User Name: rtgnow
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/06 12:41:35 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/06 12:41:34 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/06 00:21:43 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rtgnow\Desktop\malware\OTL.exe
PRC - [2009/09/24 10:15:24 | 00,834,560 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2009/08/17 08:07:23 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/08/17 08:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/08/17 08:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/08/17 08:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/08/17 07:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/07 14:51:16 | 00,102,400 | ---- | M] () -- C:\WINDOWS\system32\OBroker.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/04/20 08:34:26 | 01,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/01/19 19:06:22 | 00,090,112 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPCAgent.exe
PRC - [2003/08/15 12:38:14 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/08/15 12:37:08 | 00,618,496 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2003/06/24 17:32:00 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2003/03/19 02:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe


========== Modules (SafeList) ==========

MOD - [2009/11/06 00:21:43 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rtgnow\Desktop\malware\OTL.exe
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 16:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2003/08/15 12:37:48 | 00,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (winvnc)
SRV - File not found -- -- (UPHClean)
SRV - File not found -- -- (DTQ)
SRV - [2009/11/06 12:41:34 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/17 08:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/08/17 08:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/08/17 08:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/08/17 07:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/02/02 11:33:20 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/04/20 08:34:26 | 01,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/01/20 11:08:24 | 01,089,536 | ---- | M] (iPass) -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2006/01/19 19:06:22 | 00,090,112 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPCAgent.exe -- (iPCAgent)
SRV - [2003/06/24 17:32:00 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/03/19 02:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/31 11:55:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/11/06 12:41:38 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (CitiUSBrowserHelper Class) - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [O2USB] C:\WINDOWS\System32\O2USB.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco VPN client for Dolby Laboratories.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\Program Files\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\g7ps {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll (G7 Productivity Systems, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/08 14:13:24 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/11/06 12:41:11 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/11/06 08:19:22 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/06 08:06:06 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/06 08:06:06 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/06 08:06:06 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/06 08:06:06 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/06 07:46:59 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/06 07:36:41 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/11/04 00:34:41 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/02 20:50:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Application Data\IObit
[2009/11/01 23:14:36 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/11/01 23:13:59 | 07,885,928 | ---- | C] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:08 | 00,204,496 | ---- | C] (Malwarebytes) -- C:\StartUpLite.exe
[2009/11/01 12:54:49 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/10/31 12:15:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Application Data\Foxit
[2009/10/31 12:14:22 | 00,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2009/10/31 10:57:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/10/31 10:57:02 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/10/31 10:56:28 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/10/31 10:06:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\ApplicationHistory
[2009/10/31 07:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/10/31 07:02:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\Identities
[2009/10/31 06:59:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/10/30 22:15:24 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\rtgnow\Recent
[2009/10/30 22:04:20 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/10/29 21:54:08 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/29 21:54:04 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/29 21:50:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/26 22:02:00 | 03,839,360 | ---- | C] (Amyuni Technologies
http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf300.dll
[2009/10/26 22:00:09 | 00,000,000 | ---D | C] -- C:\Program Files\Quicken
[2009/10/25 11:11:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\Eraser
[2007/02/05 20:57:11 | 00,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

========== Files - Modified Within 14 Days ==========

[2009/11/07 23:40:19 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/07 23:37:40 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/07 23:37:13 | 00,080,057 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/11/07 23:36:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/07 23:36:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/07 15:04:21 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\rtgnow\NTUSER.DAT
[2009/11/07 15:04:21 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\rtgnow\ntuser.ini
[2009/11/07 15:03:06 | 05,358,672 | -H-- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\IconCache.db
[2009/11/06 10:56:07 | 00,000,525 | ---- | M] () -- C:\WINDOWS\HPODJC05.INI
[2009/11/06 10:53:52 | 00,267,264 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/06 08:57:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/06 08:56:41 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/06 08:19:42 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/11/06 07:32:25 | 00,731,136 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\avenger.exe
[2009/11/04 23:47:49 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 00:34:43 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\HijackThis.lnk
[2009/11/02 23:26:57 | 00,000,888 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/02 23:26:57 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/11/02 21:52:55 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\ICITTRMNPYAIXS
[2009/11/01 23:40:24 | 00,231,390 | ---- | M] () -- C:\RootkitRevealer.zip
[2009/11/01 23:14:06 | 07,885,928 | ---- | M] (IObit ) -- C:\asc-setup.exe
[2009/11/01 22:56:21 | 00,204,496 | ---- | M] (Malwarebytes) -- C:\StartUpLite.exe
[2009/11/01 20:31:01 | 00,080,057 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/11/01 19:50:18 | 00,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/01 19:50:18 | 00,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/01 14:34:20 | 00,002,367 | ---- | M] () -- C:\WINDOWS\HPOCSS05.INI
[2009/11/01 14:34:20 | 00,000,581 | ---- | M] () -- C:\WINDOWS\HPOTBX05.INI
[2009/11/01 12:27:37 | 00,551,164 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/31 11:38:30 | 00,030,408 | ---- | M] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/31 11:37:16 | 00,146,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/29 21:25:13 | 00,001,720 | -H-- | M] () -- C:\Documents and Settings\rtgnow\My Documents\Default.rdp
[2009/10/26 23:14:06 | 00,646,757 | ---- | M] () -- C:\Documents and Settings\rtgnow\Desktop\VideoCard_impact.pdf
[2009/10/26 22:01:21 | 00,000,120 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2009/10/26 21:51:49 | 00,347,277 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091101-114529.backup
[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe

========== Files Created - No Company Name ==========

[2009/11/06 08:19:40 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/06 08:19:29 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/06 08:06:06 | 00,267,264 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/06 08:06:06 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/06 08:06:06 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/06 08:06:06 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/06 08:06:06 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/04 23:47:49 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 00:34:42 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\HijackThis.lnk
[2009/11/02 21:52:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ICITTRMNPYAIXS
[2009/11/01 23:40:22 | 00,231,390 | ---- | C] () -- C:\RootkitRevealer.zip
[2009/10/31 11:47:39 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/10/30 22:08:19 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/10/26 23:14:03 | 00,646,757 | ---- | C] () -- C:\Documents and Settings\rtgnow\Desktop\VideoCard_impact.pdf
[2009/10/26 21:59:47 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/10/19 20:10:46 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/10/19 20:10:46 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/10/19 20:10:46 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/10/19 20:10:45 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2009/01/24 14:05:54 | 00,999,424 | ---- | C] () -- C:\WINDOWS\System32\cygiconv-2.dll
[2009/01/24 14:05:54 | 00,242,688 | ---- | C] () -- C:\WINDOWS\System32\cygncurses-8.dll
[2009/01/24 14:05:54 | 00,206,848 | ---- | C] () -- C:\WINDOWS\System32\cygncurses6.dll
[2009/01/24 14:05:54 | 00,158,208 | ---- | C] () -- C:\WINDOWS\System32\cygreadline6.dll
[2009/01/24 14:05:54 | 00,031,744 | ---- | C] () -- C:\WINDOWS\System32\cygintl-8.dll
[2009/01/05 14:44:10 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/12/24 01:34:13 | 05,358,672 | -H-- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\IconCache.db
[2008/12/24 00:09:41 | 00,030,408 | ---- | C] () -- C:\Documents and Settings\rtgnow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/12/24 00:09:33 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\rtgnow\Application Data\desktop.ini
[2008/12/23 23:59:14 | 00,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/02/06 22:23:04 | 00,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2008/02/06 22:21:48 | 00,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/10/21 01:51:35 | 00,000,389 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/10/07 15:27:14 | 00,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/29 22:41:39 | 00,000,525 | ---- | C] () -- C:\WINDOWS\HPODJC05.INI
[2007/04/29 22:41:35 | 00,002,367 | ---- | C] () -- C:\WINDOWS\HPOCSS05.INI
[2007/04/29 22:41:35 | 00,000,581 | ---- | C] () -- C:\WINDOWS\HPOTBX05.INI
[2007/02/05 21:27:25 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/06/05 07:28:47 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\AppShare-6-6-0.dll
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/01/11 08:28:03 | 00,000,223 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/07/21 07:41:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2005/07/07 12:24:45 | 00,000,754 | ---- | C] () -- C:\WINDOWS\wordpad.INI
[2003/12/09 16:57:22 | 00,000,224 | ---- | C] () -- C:\WINDOWS\I32FONTS.INI
[2003/12/09 15:25:49 | 00,000,898 | ---- | C] () -- C:\WINDOWS\lsbugs32.ini
[2003/12/09 08:57:19 | 00,007,830 | ---- | C] () -- C:\WINDOWS\uedit32.INI
[2003/12/09 08:28:31 | 00,000,177 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2003/12/08 17:19:23 | 00,000,185 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/12/08 16:45:30 | 00,000,886 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/12/08 05:25:28 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2003/07/29 06:18:52 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2003/01/22 17:47:34 | 00,003,104 | ---- | C] () -- C:\WINDOWS\System32\drivers\OzCrd2k.sys
[2001/10/24 12:03:20 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\hpomon05.dll
[2001/10/24 12:03:20 | 00,005,361 | ---- | C] () -- C:\WINDOWS\System32\hpolnk05.ini
[2001/08/23 04:00:00 | 00,000,888 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 04:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/22 10:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/12/21 11:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\G7PS
[2007/02/05 11:24:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/12/18 09:38:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2009/10/19 23:55:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/01/10 13:17:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/03/19 19:41:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/04/22 21:15:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/10/31 12:15:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\Foxit
[2008/12/24 01:25:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\G7PS
[2009/10/15 07:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\GrabPro
[2009/11/02 20:50:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\IObit
[2009/10/20 10:27:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\OpenDNS Updater
[2009/10/15 22:06:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rtgnow\Application Data\Orbit
[2001/08/23 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/07 23:40:19 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/11/07 23:36:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >

#9 Rorschach112 (Ralphie), Retired Staff, 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • TFC - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
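The HOSTS-file recommendation above works because a name mapped to 127.0.0.1 or 0.0.0.0 never leaves the machine; the same file is also what search-redirect malware edits in the other direction, pointing a well-known domain at a remote address. The following audit script is an added example, not code from the thread or from MVPS: the sample lines, the `WATCHED_DOMAINS` list and the address 198.51.100.7 are constructed for illustration.

```python
"""Audit a Windows HOSTS file from a defender's view: MVPS-style blocklist
entries (hostname -> 127.0.0.1 / 0.0.0.0) are harmless, while a well-known
domain pointed at a non-local address is the hallmark of a hosts-file hijack.
All sample data below is constructed for this example."""
import ipaddress

# Domains a hijack would typically redirect; an illustrative list, not
# taken from the thread. Extend it with whatever your environment relies on.
WATCHED_DOMAINS = {
    "www.google.com",
    "windowsupdate.microsoft.com",
    "www.malwarebytes.org",
}

# Targets that keep traffic on the local machine (what the MVPS file uses).
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address; Windows skips such lines as well
        for host in parts[1:]:  # one address may carry several names
            entries.append((ip, host.lower()))
    return entries


def classify(entries):
    """Split entries into blocklist names and suspicious redirections."""
    blocked, hijacked = [], []
    for ip, host in entries:
        if ip in LOCAL_TARGETS:
            if host != "localhost":  # the default entry is not a block
                blocked.append(host)
        elif host in WATCHED_DOMAINS:
            hijacked.append((host, ip))
    return blocked, hijacked


# Constructed sample: the default localhost line, two MVPS-style blocks and
# one line that silently redirects a search engine to a remote host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0    ads.example.net      # blocklist entry, harmless
127.0.0.1  tracker.example.org
198.51.100.7  www.google.com    # watched domain sent off-box: suspicious
"""

if __name__ == "__main__":
    blocked, hijacked = classify(parse_hosts(SAMPLE_HOSTS))
    print("blocked:", blocked)
    print("hijacked:", hijacked)
```

On a real system, read C:\WINDOWS\System32\drivers\etc\hosts and pass its contents to parse_hosts; any entry reported as hijacked deserves a closer look.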

#10 rtgnow (New Member, Topic Starter), 5 posts
Thanks again for all your help.

#11 Rorschach112 (Ralphie), Retired Staff, 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.