[dkellermann]

A Google search says it’s a trojan from Germany, but not how to get rid of it.
I've done as suggested at http://www.geekstogo...uide-t2852.html
Spybot repeatedly finds, but cannot remove Win32.TDSS.rtk (sbi $36FD6719) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gao. When I used 'jump to', Spybot only opened Registry Editor, and gao is not found when I search the registry.

I've run the following online scans: F-Secure, Trend Micro Housecall, Kaspersky, Panda, BitDefender, Norton, and Eset. –
Kaspersky found: File Name: C:\System Volume Information\_restore{A9C08A01-F248-4873-8B01-BDBFAB10F713}\RP13\A0003448.dll (The only files in that folder are MountPointManagerRemoteDatabase (0KB) and tracking log (20KB)both modified last June)
Threat Name: Infected: Packed.Win32.Tdss.c
Comodo (my AV/firewall), MBAM, and Ad-Aware found nothing.

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:76285 Mo/Free:154 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Fri 03/20/2009|17:27
----------------------\\ Processes..
--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
--Locked-- cmdagent.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\nvsvc32.exe
--Locked-- cfp.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\notepad.exe
---------- C:\Program Files 2\Mozilla Firefox\firefox.exe
---------- C:\Program Files\Microsoft Office\Office\WINWORD.EXE
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe
----------------------\\ Search..
----------------------\\ ROOTKIT !!

1 - "C:\Rooter$\Rooter_1.txt" - Fri 03/20/2009|16:41
2 - "C:\Rooter$\Rooter_2.txt" - Fri 03/20/2009|17:27
----------------------\\ Scan completed at 17:27


OTListIt logfile created on: 3/20/2009 4:48:55 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Owner One\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 48.15 Gb Free Space | 64.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ()
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ()
PRC - C:\Documents and Settings\Owner One\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aawservice [Disabled | Stopped]) -- C:\Program Files\Utilities\Ad-Aware\aawservice.exe (Lavasoft)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (cmdAgent [Auto | Running]) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ()
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gupdate1c942787e9fe88c [Disabled | Stopped]) -- File not found
SRV - (gusvc [Disabled | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [Disabled | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (nmservice [Disabled | Stopped]) -- File not found
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SimpTcp [On_Demand | Stopped]) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [Disabled | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (cmdGuard [System | Running]) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys (COMODO)
DRV - (cmdHlp [System | Running]) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys (COMODO)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (exdisk [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\exdisk.sys ()
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (hp4200c [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hp4200c.sys (Hewlett-Packard)
DRV - (Inspect [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\inspect.sys (COMODO)
DRV - (NTIDrvr [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (OsaFsLoc [Auto | Running]) -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys (OSA Technologies)
DRV - (osaio [Auto | Running]) -- C:\WINDOWS\system32\drivers\osaio.sys (Avocent/OSA Technologies Inc.)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P17 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (p17filt [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\p17filt.sys (Sensaura)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (SDTHOOK [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\SDTHOOK.sys (Panda Software)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology (StarForce))
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology (StarForce))
DRV - (sfsync04 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync04.sys (Protection Technology (StarForce))
DRV - (sfvfs02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (SMBios [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SMBios.sys (Intel Corporation)
DRV - (smbusp [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\intelsmb.sys (Intel Corporation)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (WinMTBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\WinMTBus.sys (WinMount International Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.5
FF - prefs.js..extensions.enabledItems: {00084897-021a-4361-8423-083407a033e0}:1.4
FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.8
FF - prefs.js..extensions.enabledItems: {B9C8BE50-7105-4ec6-8FB4-4935C0671648}:0.5.98
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.1.0.2
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6
FF - prefs.js..extensions.enabledItems: {403304EE-066A-4a2a-8F41-F12028480A0A}:1.8.48

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\PROGRAM FILES 2\MOZILLA FIREFOX\COMPONENTS [2009/02/22 02:27:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\PROGRAM FILES 2\MOZILLA FIREFOX\PLUGINS [2009/02/08 10:42:21 | 00,000,000 | ---D | M]

[2009/03/05 11:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Extensions
[2009/03/05 11:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/20 16:29:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions
[2009/01/28 19:42:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{00084897-021a-4361-8423-083407a033e0}
[2009/03/16 12:54:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2009/02/06 10:47:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/03/11 18:28:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{403304EE-066A-4a2a-8F41-F12028480A0A}
[2009/02/06 10:47:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{B9C8BE50-7105-4ec6-8FB4-4935C0671648}
[2009/01/14 13:18:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/11/09 15:18:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2008/11/09 15:18:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\[email protected]

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h ()
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.h...nosticsxp2k.cab (DeviceEnum Class)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://www.creative....101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1204390637593 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-sec...m/ols/fscax.cab (F-Secure Online Scanner 3.3)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15106/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{8db87591-ff56-11dc-9b93-001676d06dcc}\Shell - "" = AutoRun
O33 - MountPoints2\{8db87591-ff56-11dc-9b93-001676d06dcc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8db87596-ff56-11dc-9b93-001676d06dcc}\Shell - "" = AutoRun
O33 - MountPoints2\{8db87596-ff56-11dc-9b93-001676d06dcc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/03/20 16:48:19 | 00,000,098 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\Malware and Spyware Cleaning Guide.URL
[2009/03/20 16:46:18 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\OWNERO~1\Desktop\OTListIt2.exe
[2009/03/20 16:40:51 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/20 16:40:30 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\Rooter.exe
[2009/03/20 16:38:53 | 00,000,611 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\NTREGOPT.lnk
[2009/03/20 16:38:53 | 00,000,592 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\ERUNT.lnk
[2009/03/20 16:38:49 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/20 16:36:46 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\DOCUME~1\OWNERO~1\Desktop\erunt_setup.exe
[2009/03/20 16:29:11 | 00,009,334 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\SysRestorePoint_v13.zip
[2009/03/20 16:10:44 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/03/20 15:28:12 | 00,155,384 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2009/03/20 15:28:12 | 00,110,992 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2009/03/20 15:28:12 | 00,080,400 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2009/03/20 15:28:12 | 00,024,336 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2009/03/20 15:28:10 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2009/03/20 14:19:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/03/20 14:15:51 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/03/20 14:15:51 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/03/20 14:15:51 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/03/20 14:15:51 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/20 14:15:51 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/03/20 14:15:51 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/20 14:15:51 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/20 14:15:51 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/03/20 14:15:49 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/03/19 19:31:27 | 00,002,938 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\kaspersky report.html
[2009/03/19 01:28:52 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/03/17 22:22:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Application Data\OtakuSoftware
[2009/03/17 22:19:43 | 00,000,000 | ---D | C] -- C:\Program Files\DeskSpace
[2009/03/17 16:21:04 | 00,000,068 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\Desktop\Movies.URL
[2009/03/17 15:15:40 | 00,000,000 | ---D | C] -- C:\DOCUME~1\OWNERO~1\Desktop\crafts
[2009/03/17 15:04:29 | 00,000,426 | ---- | C] () -- C:\WINDOWS\{21D15DED-F125-46C8-8017-CB9F1CEB5B4D}_WiseFW.ini
[2009/03/17 14:45:21 | 00,005,700 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\My Documents\Dark Zune.theme
[2009/03/17 12:40:41 | 00,000,042 | ---- | C] () -- C:\WINDOWS\AlchemyMindworksUpdateList.INI
[2009/03/17 12:36:56 | 00,212,992 | ---- | C] () -- C:\WINDOWS\ALCHUNIN.EXE
[2009/03/17 12:34:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Application Data\Alchemy Mindworks
[2009/03/13 15:43:28 | 00,045,568 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Documents\Anne Shawl.doc
[2009/03/10 19:41:08 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{1E65648D-FEE6-4A10-AE6E-FD82DAAE84EB}
[2009/03/10 19:40:43 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{30F60971-A986-4BEC-83E3-5D5F2531A590}
[2009/03/10 19:39:06 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{438914D2-3454-4B38-AC4F-D34204727071}
[2009/03/10 19:37:38 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{C6B2832F-43D8-4E6B-8D87-20BEDCB9687D}
[2009/03/06 19:36:00 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Documents\Crochet with Wire
[2009/03/04 15:38:08 | 00,005,616 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\My Documents\My Favorite Theme.theme
[2009/02/27 20:31:14 | 00,029,112 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/02/26 20:07:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Local Settings\Application Data\Google
[2009/02/26 20:07:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\IOSUBSYS
[2009/02/26 20:07:03 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/02/25 08:05:50 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/02/22 13:49:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/02/22 13:49:43 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/02/22 13:49:36 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/02/22 13:48:16 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/02/22 13:48:16 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/02/22 13:48:15 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/02/22 13:48:15 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/02/22 13:48:15 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/02/22 13:48:15 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/02/22 13:48:15 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/02/22 13:48:14 | 00,000,000 | ---D | C] -- C:\8d60e51be0cadd4069a11a6fffb9
[2009/02/21 21:54:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/02/21 17:28:11 | 36,011,174 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Documents\Crochet for Dummies.rar
[2009/02/21 12:32:41 | 08,948,869 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Documents\crochet patterns for dummies.rar
[2009/02/18 18:03:44 | 00,005,236 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\My Documents\My Faroese Shawl.mht
[2009/02/18 18:02:57 | 00,012,571 | ---- | C] () -- C:\DOCUME~1\OWNERO~1\My Documents\Faroese Shawls.mht

========== Files - Modified Within 30 Days ==========

[2009/03/20 16:48:19 | 00,000,098 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\Malware and Spyware Cleaning Guide.URL
[2009/03/20 16:46:18 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\OWNERO~1\Desktop\OTListIt2.exe
[2009/03/20 16:40:30 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\Rooter.exe
[2009/03/20 16:38:53 | 00,000,611 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\NTREGOPT.lnk
[2009/03/20 16:38:53 | 00,000,592 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\ERUNT.lnk
[2009/03/20 16:36:47 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\DOCUME~1\OWNERO~1\Desktop\erunt_setup.exe
[2009/03/20 16:29:11 | 00,009,334 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\SysRestorePoint_v13.zip
[2009/03/20 15:56:27 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/20 15:55:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/20 15:54:22 | 03,651,940 | -H-- | M] () -- C:\Documents and Settings\Owner One\Local Settings\Application Data\IconCache.db
[2009/03/20 15:28:10 | 00,155,384 | ---- | M] () -- C:\WINDOWS\System32\guard32.dll
[2009/03/20 15:28:10 | 00,110,992 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2009/03/20 15:28:10 | 00,080,400 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2009/03/20 15:28:10 | 00,024,336 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2009/03/20 14:17:35 | 00,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/20 09:07:11 | 00,000,566 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/20 09:07:11 | 00,000,282 | RHS- | M] () -- C:\boot.ini
[2009/03/20 03:08:06 | 00,156,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/19 20:40:51 | 02,933,805 | R--- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\ComboFix.exe
[2009/03/19 19:31:27 | 00,002,938 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\kaspersky report.html
[2009/03/19 09:22:38 | 00,029,360 | ---- | M] () -- C:\Documents and Settings\Owner One\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/17 16:27:31 | 00,500,104 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/17 16:27:31 | 00,426,400 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/17 16:27:31 | 00,065,284 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/17 16:21:04 | 00,000,068 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\Desktop\Movies.URL
[2009/03/17 15:04:40 | 00,000,426 | ---- | M] () -- C:\WINDOWS\{21D15DED-F125-46C8-8017-CB9F1CEB5B4D}_WiseFW.ini
[2009/03/17 14:45:21 | 00,005,700 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\My Documents\Dark Zune.theme
[2009/03/17 12:40:41 | 00,000,042 | ---- | M] () -- C:\WINDOWS\AlchemyMindworksUpdateList.INI
[2009/03/13 15:43:28 | 00,045,568 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Documents\Anne Shawl.doc
[2009/03/04 15:38:08 | 00,005,616 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\My Documents\My Favorite Theme.theme
[2009/02/27 20:31:14 | 00,029,112 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/02/25 16:54:59 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/22 19:23:26 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner One\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/21 17:52:16 | 36,011,174 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Documents\Crochet for Dummies.rar
[2009/02/21 12:38:41 | 08,948,869 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Documents\crochet patterns for dummies.rar
[2009/02/18 18:03:45 | 00,005,236 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\My Documents\My Faroese Shawl.mht
[2009/02/18 18:02:59 | 00,012,571 | ---- | M] () -- C:\DOCUME~1\OWNERO~1\My Documents\Faroese Shawls.mht

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

TIA

[Advertisements]

hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[Rorschach112]

hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[dkellermann]

Thank you, here's the log:

ComboFix 09-03-19.02 - Owner One 2009-03-20 20:47:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2984 [GMT -4:00]
Running from: c:\documents and settings\Owner One\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-20 20:48 . 2009-03-20 20:48 53,248 --a------ c:\temp\catchme.dll
2009-03-20 20:47 . 2009-03-20 20:47 <DIR> d-------- c:\temp\WPDNSE
2009-03-20 20:29 . 2009-03-20 20:29 <DIR> d-------- c:\temp\msoclip1
2009-03-20 16:40 . 2009-03-20 17:27 <DIR> d-------- C:\Rooter$
2009-03-20 16:38 . 2009-03-20 16:39 <DIR> d-------- c:\program files\ERUNT
2009-03-20 16:03 . 2009-03-20 16:03 <DIR> d-------- c:\temp\Comodo
2009-03-20 15:28 . 2009-03-20 15:28 <DIR> d-------- c:\temp\Themes
2009-03-20 15:28 . 2009-03-20 15:28 <DIR> d-------- c:\temp\scanners
2009-03-20 15:28 . 2009-03-20 15:28 <DIR> d-------- c:\temp\Drivers
2009-03-20 15:28 . 2009-03-20 15:28 <DIR> d-------- c:\temp\database
2009-03-20 15:28 . 2009-03-20 20:44 <DIR> d-------- c:\program files\COMODO
2009-03-20 15:27 . 2009-03-20 15:55 <DIR> d-------- c:\temp\CDIResData
2009-03-19 01:28 . 2009-03-19 01:28 <DIR> d-------- C:\VundoFix Backups
2009-03-17 22:22 . 2009-03-17 22:22 <DIR> d-------- c:\documents and settings\Owner One\Application Data\OtakuSoftware
2009-03-17 22:19 . 2009-03-17 22:20 <DIR> d-------- c:\program files\DeskSpace
2009-03-17 15:04 . 2009-03-17 15:04 426 --a------ c:\windows\{21D15DED-F125-46C8-8017-CB9F1CEB5B4D}_WiseFW.ini
2009-03-17 12:40 . 2009-03-17 12:40 42 --a------ c:\windows\AlchemyMindworksUpdateList.INI
2009-03-17 12:36 . 1999-03-15 16:39 212,992 --a------ c:\windows\ALCHUNIN.EXE
2009-03-17 12:34 . 2009-03-17 12:56 <DIR> d-------- c:\documents and settings\Owner One\Application Data\Alchemy Mindworks
2009-03-10 19:41 . 2009-03-10 19:41 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{1E65648D-FEE6-4A10-AE6E-FD82DAAE84EB}
2009-03-10 19:40 . 2009-03-10 19:40 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{30F60971-A986-4BEC-83E3-5D5F2531A590}
2009-03-10 19:39 . 2009-03-10 19:39 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{438914D2-3454-4B38-AC4F-D34204727071}
2009-03-10 19:37 . 2009-03-10 19:37 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{C6B2832F-43D8-4E6B-8D87-20BEDCB9687D}
2009-02-27 20:31 . 2009-02-27 20:31 29,112 --ah----- c:\windows\system32\mlfcache.dat
2009-02-26 20:07 . 2009-02-26 20:07 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-02-26 20:07 . 2009-02-26 20:07 <DIR> d-------- c:\program files\Google
2009-02-25 08:05 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-22 13:49 . 2009-02-22 13:49 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-22 13:49 . 2009-02-22 13:49 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-22 13:49 . 2009-02-22 13:49 <DIR> d-------- c:\program files\MSBuild
2009-02-22 13:48 . 2009-02-22 13:49 <DIR> d-------- C:\8d60e51be0cadd4069a11a6fffb9
2009-02-22 13:48 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-22 13:48 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-22 13:48 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-22 13:48 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-22 13:48 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-22 13:48 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-22 13:48 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-21 21:54 . 2009-03-20 14:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 00:43 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-03-20 20:31 --------- d-----w c:\program files\Utilities
2009-03-20 17:39 --------- d-----w c:\program files\Common Files\Intuit
2009-03-19 02:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-19 02:46 --------- d-----w c:\program files\SpywareBlaster
2009-03-17 19:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-12 16:32 --------- d-----w c:\documents and settings\Owner One\Application Data\uTorrent
2009-02-13 01:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 01:06 --------- d-----w c:\program files\Microsoft Reader
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-31 19:54 --------- d-----w c:\documents and settings\Owner One\Application Data\Pharaohs Secret
2009-01-12 19:57 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-05 05:22 29 ----a-w c:\documents and settings\Owner One\VCONFIG.DAT
2008-12-05 05:22 28 ----a-w c:\documents and settings\Owner One\PROFILE.DAT
2008-12-05 05:22 2,741 ----a-w c:\documents and settings\Owner One\CONFIG.DAT
2008-11-27 05:00 236 ----a-w c:\documents and settings\Owner One\jobq.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
--a------ 2002-03-19 17:30 45632 c:\windows\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskSpace]
--a------ 2006-11-03 20:33 1639424 c:\program files\DeskSpace\deskspace.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hplampc]
--a------ 2002-01-17 10:40 40448 c:\windows\system32\hplampc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2008-11-06 22:33 79872 c:\documents and settings\Owner One\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmraapache"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"aawservice"=3 (0x3)
"Schedule"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"Creative Service for CDROM Access"=3 (0x3)
"CTDevice_Srv"=3 (0x3)
"gupdate1c942787e9fe88c"=3 (0x3)
"nmservice"=3 (0x3)
"gusvc"=3 (0x3)
"WZCSVC"=3 (0x3)
"UPS"=3 (0x3)
"Themes"=2 (0x2)
"RemoteRegistry"=3 (0x3)
"mnmsrvc"=3 (0x3)
"WebClient"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=3 (0x3)
"SharedAccess"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"lanmanserver"=2 (0x2)
"Dnscache"=2 (0x2)
"cmdAgent"=2 (0x2)
"CiSvc"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"P17Helper"=Rundll32 P17.dll,P17Helper
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="c:\adobe\Reader\Reader_sl.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SysTrayApp"=%ProgramFiles%\IDT\WDM\sttray.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Gamesl\\Zoo Tycoon 2\\zt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Utilities\\uTorrent\\uTorrent.exe"=

R2 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2008-01-08 11018]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2008-01-08 8704]
R3 WinMTBus;WinMount Bus;c:\windows\system32\drivers\WinMTBus.sys [2008-04-01 196224]
S0 lrxdlo;lrxdlo;c:\windows\system32\drivers\lmkf.sys --> c:\windows\system32\drivers\lmkf.sys [?]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys [2008-01-08 14074]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2008-10-29 9312]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-03-20 1452032]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-02-29 44928]
S4 gupdate1c942787e9fe88c;Google Update Service (gupdate1c942787e9fe88c); [x]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com
mStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\CavEmLSP.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Owner One\Application Data\Mozilla\Firefox\Profiles\n0y9n3ds.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files 2\OpenOfficePortable\App\openoffice\program\npsoplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 20:48:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Stardock\WindowBlinds]
@DACL=(02 0000)

[HKEY_USERS\.Default\Software\Stardock\WindowBlinds\WB5.ini\WBLiteFX]
@DACL=(02 0000)
DUMPHIVE0.003 (REGF)

[HKEY_USERS\S-1-5-21-839522115-1364589140-2147167427-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-839522115-1364589140-2147167427-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{56FC7481-BFB6-842E-AEC8-2D9A29D16C58}*]
"jahejjefalcnabmbaenc"=hex:66,61,6d,6d,66,68,70,61,6c,6f,63,68,00,00
"papckkhadnkekalfeapemekphmhining"=hex:65,61,6d,6d,69,68,68,62,61,6d,00,68
"hahejjefalcnabmb"=hex:6e,62,6d,6d,68,68,6c,69,6a,6f,6d,6f,6f,64,65,6e,65,66,
68,62,70,70,69,6d,63,68,64,6a,69,69,62,61,6c,62,63,6b,65,61,70,65,69,61,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(524)
c:\windows\system32\CavEmLSP.dll
.
Completion time: 2009-03-20 20:50:02
ComboFix-quarantined-files.txt 2009-03-21 00:50:00

Pre-Run: 51,742,707,712 bytes free
Post-Run: 51,726,266,368 bytes free

205 --- E O F --- 2009-03-20 07:01:28

[Rorschach112]

hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

[dkellermann]

Here ya go...

3/21/2009 10:39:51 AM
mbam-log-2009-03-21 (10-39-51).txt

Scan type: Quick Scan
Objects scanned: 68168
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:(No malicious items detected)

Memory Modules Infected:(No malicious items detected)

Registry Keys Infected:(No malicious items detected)

Registry Values Infected:(No malicious items detected)

Registry Data Items Infected:(No malicious items detected)

Folders Infected:(No malicious items detected)

Files Infected:(No malicious items detected)

AND...
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 21, 2009 16:40:48
Records in database: 1945614
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 68538
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:03:43

No malware has been detected. The scan area is clean.

The selected area was scanned.

Only thing is, now Spybot has now found 5 entries, for Win32.TDSS.rtk (and spybot is giving the error [The instruction at "0x04fa8c07" referenced memory at "0x00000400". The memory could not be "read"; and a runtime error 216] when I exit it}

[Rorschach112]

post a new HJT log

[dkellermann]

You've been busy today... I really appreciate your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:54 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Utilities\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files 2\Mozilla Firefox\firefox.exe
C:\Program Files\Utilities\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative....101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204390637593
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15106/CTPID.cab
O20 - AppInit_DLLs:
O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3042 bytes


OTListIt logfile created on: 3/21/2009 2:22:09 PM - Run 4
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Owner One\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 48.21 Gb Free Space | 64.71% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D
Current User Name: Owner One
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Owner One\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aawservice [Disabled | Stopped]) -- C:\Program Files\Utilities\Ad-Aware\aawservice.exe (Lavasoft)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gupdate1c942787e9fe88c [Disabled | Stopped]) -- File not found
SRV - (gusvc [Disabled | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [Disabled | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (nmservice [Disabled | Stopped]) -- File not found
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SimpTcp [On_Demand | Stopped]) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [Disabled | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (exdisk [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\exdisk.sys ()
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (hp4200c [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hp4200c.sys (Hewlett-Packard)
DRV - (NTIDrvr [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (OsaFsLoc [Auto | Running]) -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys (OSA Technologies)
DRV - (osaio [Auto | Running]) -- C:\WINDOWS\system32\drivers\osaio.sys (Avocent/OSA Technologies Inc.)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P17 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (p17filt [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\p17filt.sys (Sensaura)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (SDTHOOK [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\SDTHOOK.sys (Panda Software)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology (StarForce))
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology (StarForce))
DRV - (sfsync04 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync04.sys (Protection Technology (StarForce))
DRV - (sfvfs02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (SMBios [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SMBios.sys (Intel Corporation)
DRV - (smbusp [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\intelsmb.sys (Intel Corporation)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (WinMTBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\WinMTBus.sys (WinMount International Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
IE - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\S-1-5-21-839522115-1364589140-2147167427-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.5
FF - prefs.js..extensions.enabledItems: {00084897-021a-4361-8423-083407a033e0}:1.4
FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.8
FF - prefs.js..extensions.enabledItems: {B9C8BE50-7105-4ec6-8FB4-4935C0671648}:0.5.98
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.1.0.2
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6
FF - prefs.js..extensions.enabledItems: {403304EE-066A-4a2a-8F41-F12028480A0A}:1.8.48

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\PROGRAM FILES 2\MOZILLA FIREFOX\COMPONENTS [2009/02/22 02:27:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\PROGRAM FILES 2\MOZILLA FIREFOX\PLUGINS [2009/02/08 10:42:21 | 00,000,000 | ---D | M]

[2009/03/05 11:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Extensions
[2009/03/05 11:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/20 16:29:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions
[2009/01/28 19:42:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{00084897-021a-4361-8423-083407a033e0}
[2009/03/16 12:54:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2009/02/06 10:47:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/03/11 18:28:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{403304EE-066A-4a2a-8F41-F12028480A0A}
[2009/02/06 10:47:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{B9C8BE50-7105-4ec6-8FB4-4935C0671648}
[2009/01/14 13:18:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/11/09 15:18:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2008/11/09 15:18:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner One\Application Data\mozilla\Firefox\Profiles\n0y9n3ds.default\extensions\[email protected]

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = [binary data]
O7 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\CavEmLSP.dll (COMODO)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
O15 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O15 - HKU\S-1-5-21-839522115-1364589140-2147167427-1003\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.h...nosticsxp2k.cab (DeviceEnum Class)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://www.creative....101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1204390637593 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-sec...m/ols/fscax.cab (F-Secure Online Scanner 3.3)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15106/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{8db87591-ff56-11dc-9b93-001676d06dcc}\Shell - "" = AutoRun
O33 - MountPoints2\{8db87591-ff56-11dc-9b93-001676d06dcc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8db87596-ff56-11dc-9b93-001676d06dcc}\Shell - "" = AutoRun
O33 - MountPoints2\{8db87596-ff56-11dc-9b93-001676d06dcc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/03/21 10:34:31 | 00,000,154 | ---- | C] () -- C:\Documents and Settings\Owner One\Desktop\Kaspersky website.URL
[2009/03/20 20:56:32 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/03/20 20:50:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/03/20 20:47:10 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/03/20 20:47:06 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/03/20 20:47:05 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/03/20 20:33:41 | 02,934,169 | R--- | C] () -- C:\Documents and Settings\Owner One\Desktop\ComboFix.exe
[2009/03/20 20:29:16 | 00,051,712 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Anne shaw text.doc
[2009/03/20 16:46:18 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner One\Desktop\OTListIt2.exe
[2009/03/20 16:40:51 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/20 16:40:30 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Owner One\Desktop\Rooter.exe
[2009/03/20 16:38:53 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Owner One\Desktop\NTREGOPT.lnk
[2009/03/20 16:38:53 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Owner One\Desktop\ERUNT.lnk
[2009/03/20 16:38:49 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/20 16:29:11 | 00,009,334 | ---- | C] () -- C:\Documents and Settings\Owner One\Desktop\SysRestorePoint_v13.zip
[2009/03/20 15:28:10 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2009/03/20 14:15:51 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/03/20 14:15:51 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/03/20 14:15:51 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/03/20 14:15:51 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/20 14:15:51 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/03/20 14:15:51 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/20 14:15:51 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/20 14:15:51 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/03/19 01:28:52 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/03/17 22:22:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Application Data\OtakuSoftware
[2009/03/17 22:19:43 | 00,000,000 | ---D | C] -- C:\Program Files\DeskSpace
[2009/03/17 15:15:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Desktop\crafts
[2009/03/17 15:04:29 | 00,000,426 | ---- | C] () -- C:\WINDOWS\{21D15DED-F125-46C8-8017-CB9F1CEB5B4D}_WiseFW.ini
[2009/03/17 14:45:21 | 00,005,700 | ---- | C] () -- C:\Documents and Settings\Owner One\My Documents\Dark Zune.theme
[2009/03/17 12:40:41 | 00,000,042 | ---- | C] () -- C:\WINDOWS\AlchemyMindworksUpdateList.INI
[2009/03/17 12:36:56 | 00,212,992 | ---- | C] () -- C:\WINDOWS\ALCHUNIN.EXE
[2009/03/17 12:34:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Application Data\Alchemy Mindworks
[2009/03/10 19:41:08 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{1E65648D-FEE6-4A10-AE6E-FD82DAAE84EB}
[2009/03/10 19:40:43 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{30F60971-A986-4BEC-83E3-5D5F2531A590}
[2009/03/10 19:39:06 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{438914D2-3454-4B38-AC4F-D34204727071}
[2009/03/10 19:37:38 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{C6B2832F-43D8-4E6B-8D87-20BEDCB9687D}
[2009/03/06 19:36:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Crochet with Wire
[2009/03/04 15:38:08 | 00,005,616 | ---- | C] () -- C:\Documents and Settings\Owner One\My Documents\My Favorite Theme.theme
[2009/02/27 20:31:14 | 00,029,112 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/02/26 20:07:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner One\Local Settings\Application Data\Google
[2009/02/26 20:07:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\IOSUBSYS
[2009/02/26 20:07:03 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/02/25 08:05:50 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/02/22 13:49:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/02/22 13:49:43 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/02/22 13:49:36 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/02/22 13:48:16 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/02/22 13:48:16 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/02/22 13:48:15 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/02/22 13:48:15 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/02/22 13:48:15 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/02/22 13:48:15 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/02/22 13:48:15 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/02/22 13:48:14 | 00,000,000 | ---D | C] -- C:\8d60e51be0cadd4069a11a6fffb9
[2009/02/21 21:54:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/02/21 17:28:11 | 36,011,174 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Crochet for Dummies.rar
[2009/02/21 12:32:41 | 08,948,869 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\crochet patterns for dummies.rar

========== Files - Modified Within 30 Days ==========

[2009/03/21 10:34:31 | 00,000,154 | ---- | M] () -- C:\Documents and Settings\Owner One\Desktop\Kaspersky website.URL
[2009/03/20 21:19:39 | 00,051,712 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Anne shaw text.doc
[2009/03/20 20:48:57 | 00,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/20 20:46:47 | 00,000,566 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/20 20:46:47 | 00,000,282 | RHS- | M] () -- C:\boot.ini
[2009/03/20 20:46:37 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/20 20:46:08 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/20 20:33:58 | 02,934,169 | R--- | M] () -- C:\Documents and Settings\Owner One\Desktop\ComboFix.exe
[2009/03/20 16:46:18 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner One\Desktop\OTListIt2.exe
[2009/03/20 16:40:30 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Owner One\Desktop\Rooter.exe
[2009/03/20 16:38:53 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Owner One\Desktop\NTREGOPT.lnk
[2009/03/20 16:38:53 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Owner One\Desktop\ERUNT.lnk
[2009/03/20 16:29:11 | 00,009,334 | ---- | M] () -- C:\Documents and Settings\Owner One\Desktop\SysRestorePoint_v13.zip
[2009/03/20 15:54:22 | 03,651,940 | -H-- | M] () -- C:\Documents and Settings\Owner One\Local Settings\Application Data\IconCache.db
[2009/03/20 03:08:06 | 00,156,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/19 09:22:38 | 00,029,360 | ---- | M] () -- C:\Documents and Settings\Owner One\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/17 16:27:31 | 00,500,104 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/17 16:27:31 | 00,426,400 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/17 16:27:31 | 00,065,284 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/17 15:04:40 | 00,000,426 | ---- | M] () -- C:\WINDOWS\{21D15DED-F125-46C8-8017-CB9F1CEB5B4D}_WiseFW.ini
[2009/03/17 14:45:21 | 00,005,700 | ---- | M] () -- C:\Documents and Settings\Owner One\My Documents\Dark Zune.theme
[2009/03/17 12:40:41 | 00,000,042 | ---- | M] () -- C:\WINDOWS\AlchemyMindworksUpdateList.INI
[2009/03/04 15:38:08 | 00,005,616 | ---- | M] () -- C:\Documents and Settings\Owner One\My Documents\My Favorite Theme.theme
[2009/02/27 20:31:14 | 00,029,112 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/02/25 16:54:59 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/22 19:23:26 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner One\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/21 17:52:16 | 36,011,174 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Crochet for Dummies.rar
[2009/02/21 12:38:41 | 08,948,869 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\crochet patterns for dummies.rar

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >


The 5 instances that spybot finds are all in HKEY_LOCAL_MACHINE_SYSTEM\ControlSet002\gaopdxserv.sys (\group\imagepath\start\type

[Rorschach112]

wouldn't worry about that

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
• Click on the Report tab at the bottom of the program window
• Click the Scan button
• In the Select Scan dialog, check:
  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services
• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan
  

  Note: The scan can take some time. DO NOT run any other programs while the scan is running

• When the scan is complete, the Save Report button will become available
• Click this and save the report to your Desktop as RootRepeal.txt

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[dkellermann]

It won't run on my computer...

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00ae0004

[Rorschach112]

do this

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[dkellermann]

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 16:04:14
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{56FC7481-BFB6-842E-AEC8-2D9A29D16C58}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{56FC7481-BFB6-842E-AEC8-2D9A29D16C58}@jahejjefalcnabmbaenc 0x66 0x61 0x6D 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{56FC7481-BFB6-842E-AEC8-2D9A29D16C58}@papckkhadnkekalfeapemekphmhining 0x65 0x61 0x6D 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{56FC7481-BFB6-842E-AEC8-2D9A29D16C58}@hahejjefalcnabmb 0x6E 0x62 0x6D 0x6D ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- EOF - GMER 1.0.15 ----

[Rorschach112]

Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )

• Click the Pt. Restauration button and press OK to the prompts.
• Click the Corbeille button and press OK to the prompt.
• Click the Fichiers temp button and press OK to the prompt.
• Click the Recherche button and let it run ( it may look like it freezes but let it continue )
• Once it is done click the Suppression button and let it remove anything it finds.
• Close the program

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Below I have included a number of recommendations for how to protect your computer against malware infections.

• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
• SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  
  
• SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  
  
• Make Internet Explorer more secure
  
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
• ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  
  
• Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
  secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
  blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
  Here
  
  
  If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
  
  • NoScript - for blocking ads and other potential website attacks
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
  
  
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  
  
• Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  
  
• Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.

[dkellermann]

Ok, Thanks for the help!

[Rorschach112]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.