Browser redirect, and more [Solved]

#1
AnnH
Gurus,
I thought I had the Conficker virus, although I have not used any stick media. I have had trouble since last week with Firefox being redirected to bogus websites. I was also experiencing browser and email crashes (I use Eudora Light). I can't run regedit, and I can't navigate to many security update websites, unless I type them in manually. (Searches redirect.) I see a phantom IEexplorer running under my name whenever I reboot, but I do not have IE Explorer in my startup, and I do not even use it! (I use Firefox) I have gone through the Malware removal steps, and also tried steps recommended by my PC Tech. While my PC performance is improved, the virus/bug still exists. I am running Windows XP Professional. I have tried:
Norton Internet Security 2005 (with Antivirus)
updating Windows (virus prevented me from installing IE7)
installed and ran Spybot Search and Destroy
CWshredder
HijackThis
MalwareBytes
AVG (can't get updates, though)
ATF cleaner
ERUNT
rooter (log attached)
OLTI2 (log attached)

There is a suspicious System file running in my task list that is consuming 63386 K of memory. My laptop System file uses 164 K of memory. Besides that and the phantom IE Explorer, I can't find the source.

Ann

OTListIt logfile created on: 4/14/2009 11:53:59 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\bin\olti
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

511.49 Mb Total Physical Memory | 230.34 Mb Available Physical Memory | 45.03% Memory free
1.22 Gb Paging File | 0.96 Gb Available in Paging File | 78.81% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.51 Gb Total Space | 41.06 Gb Free Space | 55.11% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AMD
Current User Name: heinke
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\FaxTalk Messenger Pro 7.5\FTMSGSVC.EXE (Thought Communications, Inc.)
PRC - C:\Program Files\FaxTalk Messenger Pro 7.5\FAPIEXE.EXE (Thought Communications, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
PRC - C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe (Thought Communications, Inc.)
PRC - C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
PRC - C:\Windows\Backup\sched95.exe ()
PRC - C:\Windows\Backup\Csdm32.exe (Computer Associates International, Inc.)
PRC - C:\Program Files\Mke\Ls120\Mkewatch.exe (Matsushita-Kotobuki Electronics)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (Hewlett-Packard Co.)
PRC - C:\bin\olti\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (CVPND [Auto | Running]) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (DOORS DB Server 9.0 00001 [Auto | Stopped]) -- C:\Program Files\Telelogic\DOORS 9.0\bin\doorsd.exe (Telelogic AB)
SRV - (FaxTalk Messenger Pro 7.5 [Auto | Running]) -- C:\Program Files\FaxTalk Messenger Pro 7.5\FTMSGSVC.EXE (Thought Communications, Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (hpqcxs08 [On_Demand | Running]) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.)
SRV - (hpqddsvc [Auto | Running]) -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll (Hewlett-Packard Co.)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Net Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZinw12.dll (Hewlett-Packard)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.dll (Hewlett-Packard)

========== Driver Services (SafeList) ==========

DRV - (amdagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (ati2mtaa [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys (ATI Technologies Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Cdr4_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k [System | Running]) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (cdudf_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys (Roxio)
DRV - (CVirtA [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.)
DRV - (CVPNDRVA [Auto | Running]) -- C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys (Deterministic Networks, Inc.)
DRV - (dvd_2K [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\dvd_2k.sys (Roxio)
DRV - (FETNDIS [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\fetnd5.sys (VIA Technologies, Inc. )
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (HCF_MSFT [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys (Conexant)
DRV - (HPZid412 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (mmc_2K [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mmc_2k.sys (Roxio)
DRV - (NtApm [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NtApm.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Pwd_2k [System | Running]) -- C:\WINDOWS\System32\drivers\Pwd_2k.sys (Roxio)
DRV - (scsiscan [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\scsiscan.sys (Microsoft Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SymEvent [On_Demand | Stopped]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (Udfreadr_xp [System | Running]) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys (Roxio)
DRV - (VIAudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ac97via.sys (VIA Technologies, Inc.)
DRV - (vsdatant [On_Demand | Stopped]) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.zacksadvisor.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.29.17.141/search.html
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://stockcharts.c...com/index.html"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.0
FF - prefs.js..extensions.enabledItems: {1d5287d1-8a92-0001-1f31-1cec198018d8}:2.0.20080710
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/06 17:08:20 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/04/13 16:22:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{1d5287d1-8a92-0001-1f31-1cec198018d8}: C:\PROGRAM FILES\AVG\AVG8\TOOLBARFF [2009/04/13 16:22:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2005/01/28 16:44:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2005/01/28 16:44:28 | 00,000,000 | ---D | M]

[2009/02/03 09:11:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\heinke\Application Data\mozilla\Extensions
[2009/02/03 09:11:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\heinke\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/07/11 22:41:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\heinke\Application Data\mozilla\Firefox\Profiles\3dctn35j.default\extensions
[2005/01/28 16:49:14 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2005/01/28 16:49:14 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/06 17:08:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/04/09 09:52:56 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/09 09:52:56 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/09 09:53:02 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/09 09:53:02 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/09 09:53:02 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/09 09:53:02 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/09 09:53:02 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/09 09:53:02 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/09 09:53:02 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (760 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.61.4 SPHYNX
O1 - Hosts:
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O4 - HKLM..\Run: [%%DELETE_VALUE%%] CreateCD50 File not found
O4 - HKLM..\Run: [AdaptecDirectCD] c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [FaxTalk Messenger Pro 7.5] "C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe" (Thought Communications, Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cheyenne Backup Scheduler.lnk = C:\Windows\Backup\sched95.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\Osa9.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk = C:\MSOffice\Office\Fastboot.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Drive Monitor.lnk = C:\Windows\Backup\Csdm32.exe (Computer Associates International, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Driver Configuration.lnk = C:\Program Files\Mke\Ls120\Mkewatch.exe (Matsushita-Kotobuki Electronics)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\heinke\Start Menu\Programs\Startup\MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe (SharewareOnline.com, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...ector/swdir.cab (Shockwave ActiveX Control)
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} http://codecs.micros.../i386/wmvax.cab (Reg Error: Key error.)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} http://scpwha.ops.pl...quicksilver.cab (Quicksilver Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.micr...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1239464171155 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...7874.4541550926 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} http://windowsupdate...en/actsetup.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://c:\windows\SYSTEM\dajava.cab (Reg Error: Key error.)
O16 - DPF: Internet Explorer Classes for Java file://c:\windows\SYSTEM\iejava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\SYSTEM\Userinit.exe) - C:\WINDOWS\SYSTEM\Userinit.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\ebxcicoy.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\PROGRAM FILES\QUALCOMM\EUDORA\EUSHLEXT.DLL (Qualcomm Inc.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.DOS () - [ FAT32 ]
O32 - Autorun File - C:\AUTOEXEC.VIA () - [ FAT32 ]
O32 - Autorun File - C:\AUTOEXEC.NS0 () - [ FAT32 ]
O32 - Autorun File - C:\autoexec.pbf () - [ FAT32 ]
O32 - Autorun File - C:\AUTOEXEC.OLD () - [ FAT32 ]
O32 - Autorun File - C:\autoexec.nai () - [ FAT32 ]
O32 - Autorun File - C:\Autoexec.bat () - [ FAT32 ]
O32 - Autorun File - C:\AUTOEXEC.NS1 () - [ FAT32 ]
O32 - Autorun File - C:\AUTOEXEC.BAK () - [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[13 C:\WINDOWS\*.tmp files]
[2009/04/14 11:49:44 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/14 09:40:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/14 09:36:35 | 00,000,515 | ---- | C] () -- C:\DOCUME~1\heinke\Desktop\NTREGOPT.lnk
[2009/04/14 09:36:35 | 00,000,496 | ---- | C] () -- C:\DOCUME~1\heinke\Desktop\ERUNT.lnk
[2009/04/14 09:36:22 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/13 19:20:00 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/04/13 16:40:42 | 53,639,9872 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/13 16:22:54 | 00,001,411 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\AVG Free 8.5.lnk
[2009/04/13 16:22:53 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/04/13 16:22:51 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/04/13 16:22:35 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/04/13 16:22:34 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/04/13 16:22:31 | 34,395,507 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/13 16:22:31 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/04/13 16:22:31 | 00,401,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/13 16:22:31 | 00,057,798 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/13 16:22:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/04/13 16:22:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\heinke\Application Data\AVGTOOLBAR
[2009/04/13 16:22:22 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/04/13 16:22:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/04/13 13:11:51 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/04/13 13:05:53 | 00,000,163 | ---- | C] () -- C:\WINDOWS\_ISNU.INI
[2009/04/13 13:05:49 | 00,282,206 | ---- | C] () -- C:\WINDOWS\_detmp.1
[2009/04/13 13:05:49 | 00,258,048 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\_detmp.2
[2009/04/13 08:18:39 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/13 08:18:39 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/11 18:50:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/04/11 15:49:50 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/04/11 15:25:39 | 00,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/04/11 15:25:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2009/04/11 15:24:50 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/04/11 15:24:13 | 00,007,315 | ---- | C] () -- C:\WINDOWS\System32\javasup.vxd
[2009/04/11 15:24:12 | 00,139,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaee.dll
[2009/04/11 15:24:04 | 00,171,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wjview.exe
[2009/04/11 15:24:04 | 00,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedon.reg
[2009/04/11 15:24:04 | 00,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedoff.reg
[2009/04/11 15:24:02 | 00,172,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jview.exe
[2009/04/11 15:23:59 | 00,049,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clspack.exe
[2009/04/11 14:30:30 | 00,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
[2009/04/11 14:29:44 | 00,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
[2009/04/11 14:29:21 | 00,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
[2009/04/11 14:29:21 | 00,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
[2009/04/11 14:29:21 | 00,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
[2009/04/11 14:29:21 | 00,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
[2009/04/11 14:29:21 | 00,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
[2009/04/11 14:29:17 | 00,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
[2009/04/11 14:29:17 | 00,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
[2009/04/11 14:29:17 | 00,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
[2009/04/11 14:29:17 | 00,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
[2009/04/11 14:29:16 | 00,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
[2009/04/11 14:29:16 | 00,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
[2009/04/11 14:29:16 | 00,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
[2009/04/11 14:29:16 | 00,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
[2009/04/11 14:29:16 | 00,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
[2009/04/11 14:29:16 | 00,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
[2009/04/11 14:29:05 | 00,294,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msaud32.acm
[2009/04/11 14:29:05 | 00,290,816 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\WINDOWS\System32\dllcache\l3codeca.acm
[2009/04/11 14:29:05 | 00,086,016 | ---- | C] (Sipro Lab Telecom Inc.) -- C:\WINDOWS\System32\dllcache\sl_anet.acm
[2009/04/11 14:29:05 | 00,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
[2009/04/11 14:29:02 | 00,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
[2009/04/11 14:28:11 | 00,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
[2009/04/11 14:28:11 | 00,097,117 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.hlp
[2009/04/11 14:28:11 | 00,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
[2009/04/11 14:28:11 | 00,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
[2009/04/11 14:28:11 | 00,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
[2009/04/11 14:28:11 | 00,001,885 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.cnt
[2009/04/11 14:28:07 | 01,307,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2009/04/11 14:28:07 | 00,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
[2009/04/11 14:28:07 | 00,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2009/04/11 14:28:07 | 00,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
[2009/04/11 14:28:07 | 00,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
[2009/04/11 14:28:06 | 00,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
[2009/04/11 14:28:05 | 00,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
[2009/04/11 14:28:05 | 00,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
[2009/04/11 14:28:05 | 00,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
[2009/04/11 14:28:04 | 00,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
[2009/04/11 14:28:04 | 00,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
[2009/04/11 14:28:04 | 00,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
[2009/04/11 14:28:04 | 00,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
[2009/04/11 14:28:04 | 00,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
[2009/04/11 14:28:04 | 00,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
[2009/04/11 14:28:04 | 00,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
[2009/04/11 14:28:04 | 00,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
[2009/04/11 14:28:04 | 00,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
[2009/04/11 14:28:04 | 00,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
[2009/04/11 14:28:04 | 00,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
[2009/04/11 14:28:04 | 00,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
[2009/04/11 14:28:04 | 00,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
[2009/04/11 14:28:03 | 00,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
[2009/04/11 14:28:03 | 00,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
[2009/04/11 14:28:03 | 00,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
[2009/04/11 14:28:03 | 00,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
[2009/04/11 14:28:03 | 00,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
[2009/04/11 14:28:03 | 00,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
[2009/04/11 14:28:03 | 00,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
[2009/04/11 14:28:03 | 00,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
[2009/04/11 14:28:03 | 00,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
[2009/04/11 14:28:03 | 00,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
[2009/04/11 14:28:03 | 00,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
[2009/04/11 14:28:03 | 00,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
[2009/04/11 14:28:03 | 00,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
[2009/04/11 14:28:03 | 00,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
[2009/04/11 14:28:03 | 00,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
[2009/04/11 14:28:03 | 00,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
[2009/04/11 14:28:03 | 00,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
[2009/04/11 14:28:03 | 00,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
[2009/04/11 14:28:03 | 00,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
[2009/04/11 14:28:03 | 00,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
[2009/04/11 14:28:03 | 00,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
[2009/04/11 14:28:03 | 00,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
[2009/04/11 14:28:03 | 00,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
[2009/04/11 14:28:03 | 00,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
[2009/04/11 14:28:03 | 00,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
[2009/04/11 14:28:03 | 00,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
[2009/04/11 14:28:03 | 00,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
[2009/04/11 14:28:00 | 00,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
[2009/04/11 14:27:59 | 00,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
[2009/04/11 14:27:59 | 00,294,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dlimport.exe
[2009/04/11 14:27:59 | 00,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
[2009/04/11 14:27:59 | 00,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
[2009/04/11 14:27:59 | 00,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
[2009/04/11 14:27:59 | 00,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
[2009/04/11 14:27:59 | 00,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
[2009/04/11 14:27:59 | 00,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
[2009/04/11 14:27:59 | 00,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
[2009/04/11 14:27:59 | 00,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
[2009/04/11 14:19:14 | 00,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2009/04/11 14:11:16 | 00,666,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/04/11 14:11:14 | 00,619,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2009/04/11 14:11:09 | 01,499,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shdocvw.dll
[2009/04/11 14:10:44 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009/04/11 14:10:42 | 02,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2009/04/11 14:10:41 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009/04/11 14:10:39 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2009/04/11 14:10:33 | 03,067,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/04/11 12:24:02 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/04/11 12:23:52 | 00,333,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2009/04/11 11:41:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\heinke\Application Data\Malwarebytes
[2009/04/11 11:41:05 | 00,000,600 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/11 11:41:04 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/11 11:41:01 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/11 11:40:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/11 11:40:57 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/11 09:45:44 | 01,288,192 | ---- | C] () -- C:\WINDOWS\System32\dllcache\quartz.dll
[2009/04/11 09:37:20 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2009/04/11 09:28:31 | 00,074,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscms.dll
[2009/04/10 15:52:44 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2009/04/10 15:38:08 | 24,921,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/10 15:14:48 | 00,001,638 | ---- | C] () -- C:\DOCUME~1\heinke\Desktop\HijackThis.lnk
[2009/04/10 15:14:48 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/10 14:41:42 | 00,011,264 | -HS- | C] () -- C:\Thumbs.db
[2009/04/10 13:18:20 | 00,000,374 | ---- | C] () -- C:\beige111.html
[2009/04/09 15:31:03 | 00,000,153 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/09 12:06:05 | 00,000,837 | ---- | C] () -- C:\DOCUME~1\heinke\Desktop\Spybot - Search & Destroy.lnk
[2009/04/09 12:05:50 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/09 12:05:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/09 09:05:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2008/08/27 16:28:40 | 00,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/07/15 09:04:39 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2008/07/14 08:29:17 | 00,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2008/07/11 22:57:29 | 00,000,457 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/07/11 22:41:57 | 00,004,018 | ---- | C] () -- C:\WINDOWS\hpdj5700.ini
[2008/07/11 22:41:57 | 00,001,633 | ---- | C] () -- C:\WINDOWS\PPAAT130.ini
[2008/07/11 22:41:57 | 00,000,517 | ---- | C] () -- C:\WINDOWS\EPSQ20.INI
[2008/07/11 22:41:57 | 00,000,124 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/07/11 22:41:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OPPRINTSERVER.INI
[2008/07/11 22:41:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Eudora.ini
[2008/07/11 22:41:56 | 00,012,918 | ---- | C] () -- C:\WINDOWS\Opera.ini
[2008/07/11 22:41:56 | 00,012,476 | ---- | C] () -- C:\WINDOWS\IOS.INI
[2008/07/11 22:41:56 | 00,004,309 | ---- | C] () -- C:\WINDOWS\IF40LE.INI
[2008/07/11 22:41:56 | 00,003,455 | ---- | C] () -- C:\WINDOWS\WPR.INI
[2008/07/11 22:41:56 | 00,002,129 | ---- | C] () -- C:\WINDOWS\ascd_tmp.ini
[2008/07/11 22:41:56 | 00,001,367 | ---- | C] () -- C:\WINDOWS\Mpcwin99.ini
[2008/07/11 22:41:56 | 00,001,325 | ---- | C] () -- C:\WINDOWS\VTWAIN.INI
[2008/07/11 22:41:56 | 00,001,147 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
[2008/07/11 22:41:56 | 00,001,045 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/07/11 22:41:56 | 00,000,892 | ---- | C] () -- C:\WINDOWS\HPFDJC02.INI
[2008/07/11 22:41:56 | 00,000,787 | ---- | C] () -- C:\WINDOWS\SCANREG.INI
[2008/07/11 22:41:56 | 00,000,612 | ---- | C] () -- C:\WINDOWS\BUSWTY97.INI
[2008/07/11 22:41:56 | 00,000,467 | ---- | C] () -- C:\WINDOWS\qbwcd.ini
[2008/07/11 22:41:56 | 00,000,366 | ---- | C] () -- C:\WINDOWS\sxgma.ini
[2008/07/11 22:41:56 | 00,000,345 | ---- | C] () -- C:\WINDOWS\ezscsi.ini
[2008/07/11 22:41:56 | 00,000,259 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2008/07/11 22:41:56 | 00,000,232 | ---- | C] () -- C:\WINDOWS\NETSCAPE.INI
[2008/07/11 22:41:56 | 00,000,225 | ---- | C] () -- C:\WINDOWS\TELEPHON.INI
[2008/07/11 22:41:56 | 00,000,182 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2008/07/11 22:41:56 | 00,000,177 | ---- | C] () -- C:\WINDOWS\vatwain.ini
[2008/07/11 22:41:56 | 00,000,162 | ---- | C] () -- C:\WINDOWS\VWGSMM.INI
[2008/07/11 22:41:56 | 00,000,122 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI
[2008/07/11 22:41:56 | 00,000,121 | ---- | C] () -- C:\WINDOWS\PEXPLORE.INI
[2008/07/11 22:41:56 | 00,000,120 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2008/07/11 22:41:56 | 00,000,120 | ---- | C] () -- C:\WINDOWS\MSMAIL32.INI
[2008/07/11 22:41:56 | 00,000,114 | ---- | C] () -- C:\WINDOWS\UMAXDRV.INI
[2008/07/11 22:41:56 | 00,000,103 | ---- | C] () -- C:\WINDOWS\WEBLINK.INI
[2008/07/11 22:41:56 | 00,000,066 | ---- | C] () -- C:\WINDOWS\HPCK2.INI
[2008/07/11 22:41:56 | 00,000,066 | ---- | C] () -- C:\WINDOWS\HPCK.INI
[2008/07/11 22:41:56 | 00,000,054 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2008/07/11 22:41:56 | 00,000,050 | ---- | C] () -- C:\WINDOWS\winfile.ini
[2008/07/11 22:41:56 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2008/07/11 22:41:56 | 00,000,028 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2008/07/11 22:41:56 | 00,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2008/07/11 22:41:56 | 00,000,027 | ---- | C] () -- C:\WINDOWS\ACROGRAF.INI
[2008/07/11 22:41:56 | 00,000,026 | ---- | C] () -- C:\WINDOWS\MSOFFICE.INI
[2008/07/11 22:41:56 | 00,000,016 | ---- | C] () -- C:\WINDOWS\QH32.INI
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\RAMDIAG.INI
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\progman.ini
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PRESTOPM.INI
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PMVIEWER.INI
[2008/07/11 22:41:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\MSINFO32.INI
[2008/07/11 22:41:55 | 00,007,885 | ---- | C] () -- C:\WINDOWS\NETDET.INI
[2008/07/11 22:41:55 | 00,005,068 | ---- | C] () -- C:\WINDOWS\DELETEFI.INI
[2008/07/11 22:41:55 | 00,003,598 | ---- | C] () -- C:\WINDOWS\HTMLHELP.INI
[2008/07/11 22:41:55 | 00,000,865 | ---- | C] () -- C:\WINDOWS\DOSREP.INI
[2008/07/11 21:46:58 | 00,002,843 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/07/11 21:46:24 | 00,000,539 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/07/08 12:07:01 | 00,032,768 | ---- | C] () -- C:\WINDOWS\WebVpnRegKey6-webvpn-emssatcom-com.dll
[2006/04/20 08:34:38 | 00,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2006/04/20 08:34:24 | 00,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/08/04 12:00:00 | 00,280,576 | ---- | C] () -- C:\WINDOWS\System32\linhexq.dll
[2004/08/04 12:00:00 | 00,280,576 | ---- | C] () -- C:\WINDOWS\System32\ebxcicoy.dll
[2003/01/17 05:50:44 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2002/04/11 10:47:52 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
[2001/03/09 17:50:23 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll
[2000/11/27 11:24:33 | 00,020,556 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2000/04/07 16:19:52 | 00,111,104 | ---- | C] () -- C:\WINDOWS\System32\mvcl13n.dll
[2000/04/06 12:19:19 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\PMSBFN32.DLL
[2000/04/06 12:04:15 | 00,049,152 | ---- | C] () -- C:\WINDOWS\UCM_32.DLL
[2000/04/06 12:04:14 | 00,056,832 | ---- | C] () -- C:\WINDOWS\UCM_16.DLL
[2000/04/06 12:04:13 | 00,210,944 | ---- | C] () -- C:\WINDOWS\MSVCRT10.DLL
[2000/04/06 12:04:13 | 00,070,548 | ---- | C] () -- C:\WINDOWS\KPMON.DLL
[2000/04/06 12:04:13 | 00,050,176 | ---- | C] () -- C:\WINDOWS\KPCP.DLL
[2000/04/06 12:04:12 | 00,131,264 | ---- | C] () -- C:\WINDOWS\KCME0.DLL
[2000/04/06 12:04:12 | 00,098,236 | ---- | C] () -- C:\WINDOWS\KCME1.DLL
[2000/04/06 12:04:12 | 00,096,256 | ---- | C] () -- C:\WINDOWS\KPAPI.DLL
[2000/04/06 12:04:12 | 00,017,920 | ---- | C] () -- C:\WINDOWS\KCMS_SYS.DLL
[2000/04/06 12:04:10 | 00,097,914 | ---- | C] () -- C:\WINDOWS\32KCME0.DLL
[2000/04/06 12:04:08 | 00,463,888 | ---- | C] () -- C:\WINDOWS\VSTASCAN.DLL
[2000/04/06 12:04:08 | 00,182,816 | ---- | C] () -- C:\WINDOWS\UDEPP32.DLL
[2000/04/06 12:04:08 | 00,017,920 | ---- | C] () -- C:\WINDOWS\VS32.DLL
[2000/04/06 12:04:08 | 00,011,280 | ---- | C] () -- C:\WINDOWS\VS16.DLL
[2000/04/06 12:04:07 | 00,237,072 | ---- | C] () -- C:\WINDOWS\UDEPP16.DLL
[2000/04/06 12:04:03 | 00,023,552 | ---- | C] () -- C:\WINDOWS\VSCLI32.DLL
[2000/04/06 12:04:03 | 00,019,456 | ---- | C] () -- C:\WINDOWS\UMAX_CLI.DLL
[2000/04/06 11:50:21 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2000/04/06 11:50:10 | 00,093,184 | ---- | C] () -- C:\WINDOWS\KPAPI32.DLL
[2000/02/26 12:14:41 | 00,080,624 | ---- | C] () -- C:\WINDOWS\System32\SH31W32.DLL
[2000/02/25 16:44:20 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\ATIICDXX.SYS
[2000/02/25 16:33:33 | 00,028,672 | ---- | C] () -- C:\WINDOWS\OIDUTS.DLL
[2000/02/25 16:33:20 | 00,030,720 | ---- | C] () -- C:\WINDOWS\System32\sxgcpu.dll
[2000/02/08 02:05:36 | 00,110,080 | R--- | C] () -- C:\WINDOWS\System32\W32MKRC.DLL
[1999/09/23 05:01:00 | 00,093,184 | ---- | C] () -- C:\WINDOWS\System32\crush32.dll
[1999/09/23 05:01:00 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\scheidle.dll
[1999/09/23 05:01:00 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\format32.dll
[1996/07/31 00:00:00 | 00,053,760 | ---- | C] () -- C:\WINDOWS\System32\OPENENU.DLL
[1980/01/01 00:00:00 | 00,222,390 | ---- | C] () -- C:\WINDOWS\IO.SYS
[1980/01/01 00:00:00 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\MEMBG.DLL
[1980/01/01 00:00:00 | 00,000,007 | ---- | C] () -- C:\WINDOWS\MSDOS.SYS

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[13 C:\WINDOWS\*.tmp files]
[2009/04/14 10:21:14 | 00,000,743 | ---- | M] () -- C:\Documents and Settings\heinke\Start Menu\Programs\Startup\MemTurbo.lnk
[2009/04/14 10:21:04 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/04/14 10:20:02 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/04/14 10:19:32 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/14 10:16:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/14 10:16:02 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/14 10:16:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/14 09:36:36 | 00,000,515 | ---- | M] () -- C:\DOCUME~1\heinke\Desktop\NTREGOPT.lnk
[2009/04/14 09:36:36 | 00,000,496 | ---- | M] () -- C:\DOCUME~1\heinke\Desktop\ERUNT.lnk
[2009/04/14 06:47:12 | 00,002,843 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/13 16:22:56 | 00,001,411 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\AVG Free 8.5.lnk
[2009/04/13 16:22:54 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/04/13 16:22:52 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/04/13 16:22:36 | 34,395,507 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/13 16:22:36 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/04/13 16:22:36 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/04/13 16:22:32 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/04/13 16:22:32 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/13 16:22:32 | 00,057,798 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/13 13:05:54 | 00,000,163 | ---- | M] () -- C:\WINDOWS\_ISNU.INI
[2009/04/13 11:24:24 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/13 11:15:48 | 00,429,666 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/13 11:15:48 | 00,374,064 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/13 11:15:48 | 00,050,532 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/13 10:18:50 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/13 08:18:40 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/11 18:55:14 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/04/11 18:50:14 | 00,228,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/11 11:41:06 | 00,000,600 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/10 16:42:46 | 00,008,192 | ---- | M] () -- C:\WINDOWS\REGULOCS.OLD
[2009/04/10 16:42:46 | 00,000,000 | ---- | M] () -- C:\WINDOWS\REGCARDS.OLD
[2009/04/10 15:14:50 | 00,001,638 | ---- | M] () -- C:\DOCUME~1\heinke\Desktop\HijackThis.lnk
[2009/04/10 14:41:44 | 00,011,264 | -HS- | M] () -- C:\Thumbs.db
[2009/04/10 13:18:22 | 00,000,374 | ---- | M] () -- C:\beige111.html
[2009/04/10 08:16:30 | 00,000,539 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/10 08:16:30 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/09 15:31:04 | 00,000,153 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/09 15:10:42 | 00,000,124 | ---- | M] () -- C:\WINDOWS\mdm.ini
[2009/04/09 12:06:06 | 00,000,837 | ---- | M] () -- C:\DOCUME~1\heinke\Desktop\Spybot - Search & Destroy.lnk
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/01 14:00:02 | 00,000,502 | ---- | M] () -- C:\WINDOWS\tasks\Tune-up Application Start.job
< End of report >

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - FAT32 - (Total:76297 Mo/Free:1087 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)

Tue 04/14/2009|11:50

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\AVG\AVG8\avgrsx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\FaxTalk Messenger Pro 7.5\FTMSGSVC.EXE
---------- C:\Program Files\FaxTalk Messenger Pro 7.5\FAPIEXE.EXE
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
---------- C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe
---------- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
---------- C:\PROGRA~1\AVG\AVG8\avgtray.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Windows\Backup\sched95.exe
---------- C:\Windows\Backup\Csdm32.exe
---------- C:\Program Files\Mke\Ls120\Mkewatch.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
---------- C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
---------- C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
---------- C:\WINDOWS\system32\taskmgr.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Tue 04/14/2009|11:50

  • 0


#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, let's see if this can get you on the road to recovery. If you are unable to download or run ComboFix, let me know, as I have another tool in reserve.

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTLI
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
    O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\ebxcicoy.dll ()
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log (don't check the boxes beside LOP Check or Purity this time)

THEN

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0
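Added example for this thread (not part of the original posts and not OTL's own code): a small Python triage script that reads OTListIt2 "Files Created" entries like the ones in the log above, plus the O21 SSODL line from the fix, and shortlists System32 files the way a helper reading the log would. The sample lines are copied from the thread; the "generic XP SP2 timestamp" rule (2004/08/04 12:00:00, no vendor) and the "size/timestamp twin" rule are heuristics I am assuming here, not anything OTL itself reports.

```python
"""Triage helper for OTListIt2 (OTL) log entries.

Added example for this thread; it is not part of the original posts and not
OTL's own code.  It parses the "[date | size | attrs | C/M] (vendor) -- path"
file entries and the "O21 - SSODL:" load-point line used in the fix above, then
applies two defender-side heuristics to shortlist files for a closer look.
"""
import re
from collections import defaultdict

# One OTL file or directory entry.  Directory entries carry no "(vendor)" field.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\](?: \((?P<vendor>[^)]*)\))? -- (?P<path>.+)$"
)
# OTL load-point line for ShellServiceObjectDelayLoad:
# "O21 - SSODL: name - {CLSID} - path (vendor)"
SSODL_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?) \((?P<vendor>[^)]*)\)$"
)

# Assumption used as a heuristic, not something the log states: files dropped
# into System32 are often stamped with the 2004/08/04 12:00:00 time that genuine
# XP SP2 system files carry, so that they blend in with the OS's own files.
GENERIC_XP_TS = "2004/08/04 12:00:00"

# Sample input: a small subset of lines copied verbatim from the OTL
# "Files Created" listing and from the fix script posted in this thread.
SAMPLE_LOG = r"""
[2009/04/11 14:28:07 | 01,307,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2009/04/11 11:41:04 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/07/08 12:07:01 | 00,032,768 | ---- | C] () -- C:\WINDOWS\WebVpnRegKey6-webvpn-emssatcom-com.dll
[2004/08/04 12:00:00 | 00,280,576 | ---- | C] () -- C:\WINDOWS\System32\linhexq.dll
[2004/08/04 12:00:00 | 00,280,576 | ---- | C] () -- C:\WINDOWS\System32\ebxcicoy.dll
[2003/01/17 05:50:44 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2009/04/11 11:41:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\heinke\Application Data\Malwarebytes
"""
SAMPLE_FIX = r"""
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\ebxcicoy.dll ()
"""


def parse_entries(text):
    """Parse OTL file/directory entries into dicts; lines in other formats are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"].replace(",", ""))
        d["is_dir"] = "D" in d["attrs"]  # OTL marks directories with a D attribute
        entries.append(d)
    return entries


def shortlist(entries):
    """Return {path: [reasons]} for System32 files that trip either heuristic."""
    flags = defaultdict(list)
    sys32 = [
        e for e in entries
        if not e["is_dir"]
        and e["path"].lower().startswith("c:\\windows\\system32\\")
        and "\\dllcache\\" not in e["path"].lower()  # dllcache copies are OS-managed
    ]
    # Heuristic 1: no vendor string and the generic XP SP2 timestamp.
    for e in sys32:
        if not e["vendor"] and e["ts"] == GENERIC_XP_TS:
            flags[e["path"]].append("no vendor and generic XP SP2 timestamp")
    # Heuristic 2: several vendorless files sharing size and timestamp exactly.
    # Legitimate components rarely do; the two random-named DLLs in this log do.
    twins = defaultdict(list)
    for e in sys32:
        if not e["vendor"]:
            twins[(e["size"], e["ts"])].append(e["path"])
    for paths in twins.values():
        if len(paths) > 1:
            for p in paths:
                flags[p].append("size/timestamp twin of %d other vendorless file(s)" % (len(paths) - 1))
    return dict(flags)


def correlate_load_points(fix_text, flagged):
    """For each O21 SSODL load point, report (name, path, whether its file was shortlisted)."""
    flagged_lower = {p.lower() for p in flagged}
    result = []
    for line in fix_text.splitlines():
        m = SSODL_RE.match(line.strip())
        if m:
            path = m.group("path")
            result.append((m.group("name"), path, path.lower() in flagged_lower))
    return result


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    flagged = shortlist(entries)
    for path, reasons in flagged.items():
        print(path, "->", "; ".join(reasons))
    for name, path, hit in correlate_load_points(SAMPLE_FIX, flagged):
        print("SSODL", name, "loads", path, "(shortlisted)" if hit else "(not shortlisted)")
```

Run on the sample, the script flags linhexq.dll and ebxcicoy.dll on both rules, leaves cpuinf32.dll alone (vendorless but unique and not carrying the generic timestamp), and confirms that the SSODL load point in the fix resolves to one of the shortlisted files. On a full log the useful part is the twin check: a shortlist produced by the first rule alone would still need a manual look at each hit.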

#3
AnnH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Essexboy,
I reran OTList2.exe with the code you recommended. The scan is from when I came back into the system after reboot, but you may want another scan, because I see that the Firefox caches were not cleared. Let me know. I was able to download Combo-Fix, but have not yet run it. I will do so after I send this letter. The OTList2 log is here (attach said I was not permitted to upload this type of file):

========== OTLISTIT ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SysTray deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ebxcicoy.dll
C:\WINDOWS\system32\ebxcicoy.dll NOT unregistered.
C:\WINDOWS\system32\ebxcicoy.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\heinke\Local Settings\Temp\ebxcicoy.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Temp\Perflib_Perfdata_ad0.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Temp\etilqs_79W79PXCN1PDB7u1fF61 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_170.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\XUL.mfl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04142009_135905

Files moved on Reboot...
C:\Documents and Settings\heinke\Local Settings\Temp\ebxcicoy.dat moved successfully.
File C:\Documents and Settings\heinke\Local Settings\Temp\Perflib_Perfdata_ad0.dat not found!
File C:\Documents and Settings\heinke\Local Settings\Temp\etilqs_79W79PXCN1PDB7u1fF61 not found!
File C:\WINDOWS\temp\Perflib_Perfdata_170.dat not found!
C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\XUL.mfl moved successfully.
C:\Documents and Settings\heinke\Local Settings\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\urlclassifier3.sqlite moved successfully.

Registry entries deleted on Reboot...
  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That is OK, they were moved on reboot.
  • 0

#5
AnnH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Well, I used the systray icons to turn off SpyBot and AntiVirus Free, but the AVG does not turn off. I ran ComboFix, and ComboFix made me reboot, and so I did, and I saw that AVG stuff was still running. I tried to kill the AVG processes in the Task Manager window, but they don't die. So, I tried uninstall. It failed with this error:
Local machine : installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows: creating registry key ...
Error 0x80070005

Which makes no sense to me! I am running XP, not NT.
In any case, I tried ComboFix again, but it is warning me that AVG is still running, and is telling me to disable it before clicking "ok". I don't know how to disable it! The user GUI also had no disable button.
  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That's OK, NT is XP, just another name for it; ignore ComboFix's warning and run the programme please.
  • 0

#7
AnnH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK, ComboFix ran, I loaded the recovery console, and ComboFix completed successfully. Here is the log:

ComboFix 09-04-14.09 - heinke 04/14/2009 15:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.243 [GMT -6:00]
Running from: c:\documents and settings\heinke\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\start.exe
c:\windows\system32\_004547_.tmp.dll
c:\windows\system32\_004548_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\bszip.dll
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 19:59 . 2009-04-14 19:59 -------- d-----w C:\_OTListIt
2009-04-14 15:36 . 2009-04-14 15:36 -------- d-----w c:\program files\ERUNT
2009-04-14 01:20 . 2009-04-14 01:20 -------- d--h--w C:\$AVG8.VAULT$
2009-04-13 22:22 . 2009-04-13 22:22 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-13 22:22 . 2009-04-13 22:22 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-13 22:22 . 2009-04-13 22:22 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-13 22:22 . 2009-04-13 22:22 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-13 22:22 . 2009-04-13 22:22 -------- d-----w c:\documents and settings\heinke\Application Data\AVGTOOLBAR
2009-04-13 22:22 . 2009-04-13 22:22 -------- d-----w c:\program files\AVG
2009-04-13 22:22 . 2009-04-13 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-13 19:05 . 2009-04-13 19:05 163 ----a-w c:\windows\_ISNU.INI
2009-04-13 19:05 . 2001-04-10 11:00 258048 ----a-w c:\windows\_detmp.2
2009-04-13 19:05 . 2000-10-02 19:12 282206 ----a-w c:\windows\_detmp.1
2009-04-13 14:18 . 2009-04-13 17:24 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-13 14:18 . 2009-04-13 14:18 1409 ----a-w c:\windows\QTFont.for
2009-04-11 21:25 . 2009-04-11 21:25 -------- d-----w c:\windows\system32\KB905474
2009-04-11 21:25 . 2009-03-11 04:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-11 21:25 . 2009-03-11 04:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-11 21:25 . 2009-02-10 00:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-11 21:24 . 2009-04-11 21:24 -------- d-----w c:\program files\MSXML 6.0
2009-04-11 21:24 . 2003-02-28 22:54 7315 ----a-w c:\windows\system32\javasup.vxd
2009-04-11 21:24 . 2003-03-01 00:26 139536 ----a-w c:\windows\system32\javaee.dll
2009-04-11 21:24 . 2003-03-01 00:26 171792 ----a-w c:\windows\system32\wjview.exe
2009-04-11 21:24 . 2003-02-28 22:38 113 ----a-w c:\windows\system32\zonedon.reg
2009-04-11 21:24 . 2003-02-28 22:38 113 ----a-w c:\windows\system32\zonedoff.reg
2009-04-11 21:24 . 2003-03-01 00:26 172304 ----a-w c:\windows\system32\jview.exe
2009-04-11 21:23 . 2003-03-01 00:26 49424 ----a-w c:\windows\system32\clspack.exe
2009-04-11 20:30 . 2008-04-13 17:28 184959 ------w c:\windows\system32\dllcache\compact.wmz
2009-04-11 20:28 . 2004-08-04 18:00 97117 ------w c:\windows\system32\dllcache\mplayer2.hlp
2009-04-11 20:27 . 2008-04-14 00:12 294912 ------w c:\windows\system32\dllcache\dlimport.exe
2009-04-11 20:27 . 2004-08-04 18:00 9585 ------w c:\windows\system32\dllcache\controls.css
2009-04-11 20:27 . 2004-08-04 18:00 8298 ------w c:\windows\system32\dllcache\contents.htm
2009-04-11 20:27 . 2004-08-04 18:00 773 ------w c:\windows\system32\dllcache\cnth.gif
2009-04-11 20:27 . 2004-08-04 18:00 773 ------w c:\windows\system32\dllcache\cnt.gif
2009-04-11 20:27 . 2004-08-04 18:00 772 ------w c:\windows\system32\dllcache\cntd.gif
2009-04-11 20:27 . 2004-08-04 18:00 760 ------w c:\windows\system32\dllcache\cloapph.gif
2009-04-11 20:27 . 2004-08-04 18:00 717 ------w c:\windows\system32\dllcache\cloapp.gif
2009-04-11 20:27 . 2004-08-04 18:00 6878 ------w c:\windows\system32\dllcache\controls.js
2009-04-11 20:27 . 2004-08-04 18:00 381425 ------w c:\windows\system32\dllcache\copycd.wmv
2009-04-11 20:19 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-04-11 20:11 . 2008-10-16 01:00 666112 ------w c:\windows\system32\dllcache\wininet.dll
2009-04-11 20:11 . 2008-10-16 01:00 619520 ------w c:\windows\system32\dllcache\urlmon.dll
2009-04-11 20:11 . 2008-10-16 01:00 1499136 ------w c:\windows\system32\dllcache\shdocvw.dll
2009-04-11 20:10 . 2008-08-14 10:09 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-11 20:10 . 2008-08-14 10:11 2189184 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-11 20:10 . 2008-08-14 09:33 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-11 20:10 . 2008-08-14 09:33 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-11 20:10 . 2008-12-12 17:01 3067904 ------w c:\windows\system32\dllcache\mshtml.dll
2009-04-11 18:24 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-11 18:23 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-04-11 17:41 . 2009-04-11 17:41 -------- d-----w c:\documents and settings\heinke\Application Data\Malwarebytes
2009-04-11 17:41 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 17:41 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 17:40 . 2009-04-11 17:41 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 17:40 . 2009-04-11 17:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:45 . 2008-05-07 05:12 1288192 ------w c:\windows\system32\dllcache\quartz.dll
2009-04-11 15:37 . 2008-10-16 20:07 23576 ----a-w c:\windows\system32\wuapi.dll.mui
2009-04-11 15:28 . 2008-06-24 16:43 74240 ------w c:\windows\system32\dllcache\mscms.dll
2009-04-10 21:52 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-04-10 21:14 . 2009-04-10 21:14 -------- d-----w c:\program files\Trend Micro
2009-04-10 20:41 . 2009-04-10 20:41 11264 --sha-w C:\Thumbs.db
2009-04-10 19:18 . 2009-04-10 19:18 374 ----a-w C:\beige111.html
2009-04-09 21:31 . 2009-04-09 21:31 153 ----a-w c:\windows\wininit.ini
2009-04-09 18:05 . 2009-04-09 18:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-09 18:05 . 2009-04-09 18:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 20:04 . 2009-04-06 20:04 -------- d-----w c:\documents and settings\heinke\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 21:24 . 2009-04-11 21:24 2678 ----a-w c:\windows\JAVA\Packages\Data\SZDBVR93.DAT
2009-04-11 21:24 . 2009-04-11 21:24 2678 ----a-w c:\windows\JAVA\Packages\Data\8KD7DRBL.DAT
2009-04-11 21:24 . 2009-04-11 21:24 2678 ----a-w c:\windows\JAVA\Packages\Data\JTRBLFRL.DAT
2009-04-11 21:24 . 2009-04-11 21:24 2678 ----a-w c:\windows\JAVA\Packages\Data\9ZDNHZ5V.DAT
2009-04-11 21:24 . 2009-04-11 21:24 2678 ----a-w c:\windows\JAVA\Packages\Data\K1B5RHV5.DAT
2009-04-01 22:49 . 2001-02-28 21:47 200843 ----a-w C:\winzip.log
2009-03-06 23:08 . 2009-03-06 23:08 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-02-09 11:13 . 2009-02-09 11:13 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 18:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-10-30 20:46 . 2008-06-25 17:21 1422 ----a-w c:\documents and settings\heinke\Application Data\wklnhst.dat
2008-08-27 20:16 . 2008-07-18 16:02 51880 ----a-w c:\documents and settings\heinke\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-07-22 22:34 . 2008-07-22 22:34 129 ----a-w c:\documents and settings\heinke\Local Settings\Application Data\fusioncache.dat
2008-07-14 17:00 . 2008-07-14 17:00 32768 ----a-w c:\documents and settings\heinke\WebVpnRegKey6-webvpn-emssatcom-com.dll
2000-02-25 21:52 . 2000-02-25 21:52 266 --sh--w c:\program files\desktop.ini
2000-02-25 21:52 . 2000-02-25 21:52 11079 ---h--w c:\program files\folder.htt
2009-03-19 14:2008-06-05 14:14 56:38 . c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-08-28 12:2008-08-28 12:58 58:34 . c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-09-19 14:2008-08-28 12:58 35:06 . c:\program files\mozilla firefox\plugins\atmccli.dll
2009-03-19 14:2008-06-05 14:14 56:38 . c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%%DELETE_VALUE%%"="CreateCD50" [X]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-01-17 684032]
"FaxTalk Messenger Pro 7.5"="c:\program files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe" [2008-06-16 114688]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-13 1932568]

c:\documents and settings\heinke\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\Silicon Prairie Software\MemTurbo\memturbo.exe [2001-6-24 221696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cheyenne Backup Scheduler.lnk - c:\windows\Backup\sched95.exe [2000-2-26 58368]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\Osa9.exe [2001-3-8 65588]
Microsoft Office Fast Start.lnk - c:\msoffice\Office\Fastboot.exe [1996-7-31 14848]
Smart Drive Monitor.lnk - c:\windows\Backup\Csdm32.exe [2000-2-26 31232]
Driver Configuration.lnk - c:\program files\Mke\Ls120\Mkewatch.exe [2004-7-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-9-9 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\QUALCOMM\EUDORA\EUSHLEXT.DLL" [2005-06-08 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-13 22:22 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NetworkSetup"=c:\windows\DLink.exe
"1Disk Monitor"=c:\program files\Echo\pfsview.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"ATIGART"=c:\ati\gart\atigart.exe
"AtiPTA"=Atiptaxx.exe
"FaxTalk CallControl 6.0"=c:\program files\FAXTALK MESSENGER PRO\FTClCtrl.exe /autoload
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NPROTECT"=c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"SxgTkBar"=SxgTkBar.exe
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"HP Component Manager"="c:\program files\HP\HPCORETECH\HPCMPMGR.EXE"
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb10.exe
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\QBOOKSW\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R2 DOORS DB Server 9.0 00001;DOORS DB Server 9.0 00001;c:\program files\Telelogic\DOORS 9.0\bin\doorsd.exe [2008-07-19 671744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-13 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-13 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-13 298264]
S2 FaxTalk Messenger Pro 7.5;FaxTalk Messenger Pro 7.5;c:\program files\FaxTalk Messenger Pro 7.5\FTMSGSVC.EXE [2008-06-16 38400]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\DRIVERS\NtApm.sys [2004-08-04 9344]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-04-13 11520]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-11 04:18]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zacksadvisor.com/
mWindow Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
Name-Space Handler: ftp\SmartDownload - {D3B7D8E1-92DB-11d2-8551-0060083CFB9C} - c:\windows\SYSTEM32\sdph20.dll
Name-Space Handler: http\SmartDownload - {D3B7D8E1-92DB-11d2-8551-0060083CFB9C} - c:\windows\SYSTEM32\sdph20.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a1/5.1.8.511/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\heinke\Application Data\Mozilla\Firefox\Profiles\3dctn35j.default\
FF - prefs.js: browser.startup.homepage - hxxp://stockcharts.com/index.html
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaxctrl.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPBeatnk.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npican.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava11.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava12.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava13.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJPI141_01.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnsda.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOFF12.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSVGVw.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 15:06
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 21:09

Pre-Run: 43,934,154,752 bytes free
Post-Run: 43,919,638,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
262 --- E O F --- 2009-04-13 16:18
  • 0
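A small triage script for a ComboFix log like the one above, written for this thread as an added example (it is not ComboFix, OTL or Geeks to Go code). Its sample input is a handful of lines constructed from the log posted here, and the checks it makes (an AV line marked Outdated, generic temp-style DLL names deleted from system32, new files dropped straight into the Windows folder, Run values pointing at a missing file, a firewall policy set to 0) are simple heuristics I chose for illustration, not ComboFix's own logic.

```python
"""Triage a ComboFix log: added example for this thread, not ComboFix/OTL code.
It only reads the log text and reports what a helper would look at first."""
import re

# Constructed sample: a few lines drawn from the ComboFix log posted above.
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\start.exe
c:\windows\system32\_004547_.tmp.dll
c:\windows\system32\AutoRun.inf
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
2009-04-13 22:22 . 2009-04-13 22:22 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-13 19:05 . 2001-04-10 11:00 258048 ----a-w c:\windows\_detmp.2
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%%DELETE_VALUE%%"="CreateCD50" [X]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-13 1932568]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")  # ((((( Title )))))
CREATED_RE = re.compile(r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
                        r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<value>[^"\[]*?)"?'
                          r'\s*(?:\[(?P<info>[^\]]*)\])?$')  # "name"="value" [info]
SUSPICIOUS_NAME_RE = re.compile(r"^(_\d+_\.tmp\.dll|autorun\.inf)$", re.IGNORECASE)

def parse_sections(text):
    """Split the log into {section title: non-empty lines}; text before the first header is 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def find_section(sections, prefix):
    """Lines of the first section whose title starts with prefix (empty list if absent)."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])

def parse_created(lines):
    """Rows of the 'Files Created' section; size is None for directories."""
    rows = [m.groupdict() for m in map(CREATED_RE.match, lines) if m]
    for row in rows:
        row["size"] = int(row["size"]) if row["size"].isdigit() else None
    return rows

def parse_registry(lines):
    """Flatten the REGEDIT4-style dump into [(key, name, value, info)]."""
    entries, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := REG_VALUE_RE.match(line)):
            entries.append((key, m["name"], m["value"].strip(), m["info"]))
    return entries

def triage(text):
    """Items a helper would review first; none of these alone proves a file is malicious."""
    sections, findings = parse_sections(text), []
    for line in sections["preamble"]:
        if line.startswith("AV:") and "(Outdated)" in line:
            findings.append("antivirus definitions out of date: " + line[3:].strip())
    for path in find_section(sections, "Other Deletions"):
        if "\\system32\\" in path.lower() and SUSPICIOUS_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            findings.append("removed from system32, generic temp-style name: " + path)
    for row in parse_created(find_section(sections, "Files Created")):
        if row["size"] is not None and row["path"].rsplit("\\", 1)[0].lower() == "c:\\windows":
            findings.append("new file directly in the Windows folder: " + row["path"])
    for key, name, value, info in parse_registry(find_section(sections, "Reg Loading Points")):
        if info == "X":
            findings.append(f"Run value {name!r} points at a missing file: {value}")
        if name == "EnableFirewall" and value.startswith("0"):
            findings.append("Windows Firewall disabled under " + key)
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```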

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
A few more files to remove. How is your computer now? Are you still getting re-directed and phantom IEs? Also AVG is reporting out of date, could you update it?

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    c:\windows\_detmp.2
    c:\windows\_detmp.1
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )

  • 0

#9
AnnH

AnnH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
You are awesome! The redirection problem is gone! I can search again! And yes, the phantom IE explorer is not starting up! And, I was able to successfully update AVG Anti-Virus (for the first time ever). Amazing! I have run the OTL2 again with the code you recommended. Here is the newest log:

========== FILES ==========
c:\windows\_detmp.2 moved successfully.
c:\windows\_detmp.1 moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\heinke\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7b0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04142009_153230

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_7b0.dat not found!

Registry entries deleted on Reboot...
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Glad to hear that, so if you are happy

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so... Run OTListit and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#11
AnnH

AnnH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Cleanup complete, Java revised as instructed. I can't believe you were able to do this so fast! Thank you!!

On the anti-spyware recommendations, would you advise me to remove SpyBot Search and Destroy and load Spyware Blaster instead?

A very happy customer!

AnnH
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Spywareblaster is a different type of programme and totally passive; it works well in conjunction with Spybot (although that is a bit dated now in my opinion).
  • 0

#13
AnnH

AnnH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Understood. I will get Spywareblaster, too then.

Thanks a million! After three days of fighting this on my own, it was like having a huge load lifted off my shoulders to get this fixed!

AnnH
  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





