
IE pop-ups that look like Firefox windows


  • This topic is locked
7 replies to this topic

#1 RichWertz

Posted 28 February 2010 - 11:18 AM

Greetings! Thank you in advance for the work that is done here. I've been a non-registered reader of this board for what seems like forever. I've written a few academic papers on the interaction between helpers and those who need help. Of course, I'm sure you hear this all the time... I never thought I would need help! I can usually solve these kinds of problems, but this one is a real head-scratcher!

The problem is this: Internet Explorer windows pop up at seemingly random times. They run from svchost.exe (according to Process Explorer), instead of from explorer.exe.

The IE popups sometimes disguise themselves as Firefox windows, but they are, in fact, IE windows. I do use Firefox most of the time, though.

I'm fairly certain that the issue is connected with one or all of these files:
d:\windows\system32\
kilayego.dll, bokodase.dll or rizakoyu.dll

Of course, the files may have nothing to do with the issue, but the problem really has me grabbing at straws, since I've long exhausted my hair supply.

The cause of this problem is probably related to an email I should have known better than to open... but I experienced one small moment of carelessness and now I'm in trouble.

I did read and follow all of the directions in the Preparation Guide, but DDS ran and did not produce either of the two files, and GMER ran but stopped responding after about 10 seconds. I tried both programs multiple times. I managed to get HijackThis to run and have attached that log... hopefully it is helpful. Any help that anyone can provide is greatly appreciated to the extent nobody can measure!!

If it comes down to the decision to either clean the computer or re-install the OS, I would like to try cleaning it first. I'm aware that it might not be safe in the future, but I don't normally do any kind of banking or other sensitive activities. I've already changed most of my passwords from my friend's laptop as soon as I realized that this was a doozie of a problem!

Thank you in advance for any help!

Kind regards,
Rich Wertz

PS- I think my issue might be similar to another recent issue posted to the board, but I'm not sure if I should follow the same directions since the help that is provided here is specialized to the individual problem: http://www.bleepingcomputer.com/forums/ind...se.dll&st=0

#2 Buckeye_Sam

Malware Expert

Posted 28 February 2010 - 12:21 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 RichWertz

Posted 28 February 2010 - 02:53 PM

Well, howdy, Buckeye Sam! Thank you so much for helping me; I really appreciate it!

After Malwarebytes' Anti-Malware asked me to restart my comp, it took about a half hour to get to the login screen! I guess it had a lot to remove; it said there were 20 infections! Yikes!!

When everything came back after I logged in, I noticed that my Windows Automatic Updates had been turned off. I'm not sure if MBAM did this or it is a result of the larger issue, but I didn't do it and I haven't changed it back to on.

Here is the log from MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3807
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/28/2010 13:15:26
mbam-log-2010-02-28 (13-15-26).txt

Scan type: Quick Scan
Objects scanned: 167702
Time elapsed: 21 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 5
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
d:\WINDOWS\system32\kilayego.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{48f5af11-733d-423d-a974-7e5625830e9f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payuseruz (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{48f5af11-733d-423d-a974-7e5625830e9f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wolusuvel (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: d:\windows\system32\kilayego.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kilayego.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
D:\Documents and Settings\All Users\Microsoft AData (Rogue.SmartProtector) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\AVG Free 8.5 (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\CCleaner (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\Hijackthis (Rogue.Antivir2010) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\system32\kilayego.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\Documents and Settings\All Users\Microsoft AData\t.sid (Rogue.SmartProtector) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\regprot.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\AVG Free 8.5\AVG Free Tray Icon.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\AVG Free 8.5\AVG Free User Interface.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\AVG Free 8.5\Uninstall AVG Free.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\CCleaner\CCleaner Homepage.url (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\CCleaner\CCleaner.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\CCleaner\Uninstall CCleaner.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\Hijackthis\Hijackthis.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\AV\Hijackthis\Uninstall Hijackthis.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
D:\Documents and Settings\LocalService\Desktop\Your PC Protector.lnk (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
D:\WINDOWS\certSystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\Microsoftdef.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\regred.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\spoov.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\usExplorer.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Here is the log report from OTL:

OTL logfile created on: 2/28/2010 13:54:03 - Run 4
OTL by OldTimer - Version 3.1.30.3 Folder = D:\Documents and Settings\Richard\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

759.00 Mb Total Physical Memory | 258.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): d:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 68.53 Gb Total Space | 2.07 Gb Free Space | 3.02% Space Free | Partition Type: NTFS
Drive D: | 76.32 Gb Total Space | 9.28 Gb Free Space | 12.16% Space Free | Partition Type: NTFS
Drive E: | 5.98 Gb Total Space | 4.83 Gb Free Space | 80.79% Space Free | Partition Type: FAT32
Drive F: | 2.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 600.61 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive M: | 453.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive V: | 69.30 Gb Total Space | 33.85 Gb Free Space | 48.84% Space Free | Partition Type: NTFS
Drive W: | 69.30 Gb Total Space | 33.85 Gb Free Space | 48.84% Space Free | Partition Type: NTFS
Drive X: | 69.30 Gb Total Space | 33.85 Gb Free Space | 48.84% Space Free | Partition Type: NTFS

Computer Name: IPAQ
Current User Name: Richard
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - D:\Documents and Settings\Richard\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - D:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - D:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - D:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - D:\Program Files\Microsoft Office 2007\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - D:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - D:\Program Files\Unlocker\UnlockerAssistant.exe ()
PRC - D:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - D:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
PRC - D:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
PRC - D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - D:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - D:\Program Files\Multimedia Keyboard Driver\KMWDSrv.exe (UASSOFT.COM)
PRC - D:\Program Files\Multimedia Keyboard Driver\KMCONFIG.exe (UASSOFT.COM)
PRC - D:\Program Files\AlcoholSoft\Alcohol 120\StarWind\StarWindServiceAE.exe (Rocket Division Software)
PRC - D:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
PRC - D:\Program Files\Multimedia Keyboard Driver\KMProcess.exe (UASSOFT.COM)
PRC - D:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe (UASSOFT.COM)
PRC - D:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
PRC - D:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
PRC - D:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
PRC - D:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - D:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - D:\Documents and Settings\Richard\Desktop\OTL.exe (OldTimer Tools)
MOD - D:\Program Files\Unlocker\UnlockerHook.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SeaPort) -- File not found
SRV - (JavaQuickStarterService) -- D:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (GoToAssist) -- D:\Program Files\Citrix\GoToAssist\570\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (avg9wd) -- D:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (gupdate) Google Update Service (gupdate) -- D:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (iPod Service) -- D:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (RichVideo) Cyberlink RichVideo Service(CRVS) -- D:\Program Files\Cyberlink\Shared files\RichVideo.exe ()
SRV - (Apple Mobile Device) -- D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (odserv) -- D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service) -- D:\Program Files\Microsoft Office 2007\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Adobe LM Service) -- D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (Bonjour Service) -- D:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (SNMP) -- D:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
SRV - (MSMQTriggers) -- D:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
SRV - (MSMQ) -- D:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
SRV - (W3SVC) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (MSFtpsvc) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (Iprip) -- D:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
SRV - (KMWDSERVICE) -- D:\Program Files\Multimedia Keyboard Driver\KMWDSrv.exe (UASSOFT.COM)
SRV - (StarWindServiceAE) -- D:\Program Files\AlcoholSoft\Alcohol 120\StarWind\StarWindServiceAE.exe (Rocket Division Software)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- D:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (Viewpoint Manager Service) -- D:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (ose) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Macromedia Licensing Service) -- D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (Macromedia)
SRV - (FolderSize) -- D:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
SRV - (IDriverT) -- D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (SimpTcp) -- D:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
SRV - (LPDSVC) -- D:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1220945662-682003330-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1220945662-682003330-839522115-1003\S-1-5-21-1220945662-682003330-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1220945662-682003330-839522115-1003\S-1-5-21-1220945662-682003330-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/#!/?ref=home"
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:4.0.0
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.63.20091024
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}:0.9.6
FF - prefs.js..extensions.enabledItems: {113c2360-15a3-11de-8c30-0800200c9a66}:0.9
FF - prefs.js..extensions.enabledItems: {b3f91530-1905-11de-8c30-0800200c9a66}:0.9
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: D:\Program Files\Grisoft\AVG8\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: D:\Program Files\AVG\AVG9\Firefox [2010/02/19 16:53:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: D:\Program Files\Real2\browserrecord [2010/01/04 00:37:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{577e3214-a6d3-4bd9-b689-381f57e69bcf}: D:\Program Files\Windows Live\Writer\BlogThis\Mozilla Firefox\ [2010/02/23 15:02:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/02/26 16:19:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/02/26 16:19:18 | 000,000,000 | ---D | M]

[2010/02/26 16:19:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2010/02/27 21:59:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions
[2010/02/26 19:06:05 | 000,000,000 | ---D | M] (Forecastfox) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/02/26 19:03:39 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{113c2360-15a3-11de-8c30-0800200c9a66}
[2010/02/26 23:00:22 | 000,000,000 | ---D | M] (Forecastbar Enhanced) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}
[2010/02/26 23:00:07 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{b3f91530-1905-11de-8c30-0800200c9a66}
[2010/02/26 19:05:30 | 000,000,000 | ---D | M] (Web Developer) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/02/26 19:06:01 | 000,000,000 | ---D | M] (FoxClocks) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
[2010/02/26 19:06:07 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/02/26 19:06:06 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\en-US@dictionaries.addons.mozilla.org
[2010/02/26 19:05:40 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\ietab@ip.cn
[2010/02/27 16:27:11 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions
[2007/07/18 12:19:40 | 002,998,784 | ---- | M] (Tamarack Software, Inc.) -- D:\Program Files\Mozilla Firefox\plugins\nptgeqplugin.dll
[2008/04/09 15:21:19 | 000,163,840 | ---- | M] (CNN) -- D:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- D:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2002/08/29 07:00:00 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\NEW\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\Real2\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office 2007\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\NEW\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\NEW\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\NEW\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [!AVG Anti-Spyware] D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe File not found
O4 - HKLM..\Run: [AGRSMMSG] D:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [AlcxMonitor] D:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG9_TRAY] D:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [KMCONFIG] D:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe KMConfig.exe File not found
O4 - HKLM..\Run: [MsmqIntCert] D:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [QuickTime Task] D:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] D:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] D:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1220945662-682003330-839522115-1003..\Run: [Aim6] File not found
O4 - HKU\S-1-5-21-1220945662-682003330-839522115-1003..\Run: [AlcoholAutomount] D:\Program Files\AlcoholSoft\Alcohol 120\axcmd.exe ()
O4 - HKU\S-1-5-21-1220945662-682003330-839522115-1003..\Run: [Google Update] D:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] D:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] D:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office 2007\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\wgafiz.lnk = D:\Documents and Settings\All Users\wgafiz.reg ()
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = D:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office 2007\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office 2007\Office12\ONBttnIE.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: ecollege.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: ecollege.com ([*.gradebook] * in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: google.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: kaplan.edu ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: kucourses.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: kucourses.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: uah.edu ([*.libsys] * in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1219818887765 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1219648399890 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://D:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://D:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office 2007\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (bokodase.dll) - File not found
O20 - AppInit_DLLs: (rizakoyu.dll) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - D:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\GoToAssist: DllName - D:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - D:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - D:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O22 - SharedTaskScheduler: {a02efca2-e08d-4b53-9243-5322126f14d4} - mujuzedij - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - D:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Program Files\Microsoft Office 2007\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/26 00:12:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/08/17 15:29:12 | 001,070,488 | R--- | M] (Microsoft Corporation) - L:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2007/06/04 12:38:36 | 000,000,167 | R--- | M] () - L:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2000/01/17 11:28:36 | 000,028,672 | R--- | M] (Dipl.-Ing. Stefan Krueger <skrueger@installsite.org>) - M:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [2001/10/25 12:12:20 | 000,000,145 | R--- | M] () - M:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2001/10/09 17:45:36 | 000,001,044 | R--- | M] () - M:\AUTORUN.INI -- [ CDFS ]
O32 - AutoRun File - [2004/10/15 12:38:18 | 000,000,000 | ---- | M] () - V:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell - "" = AutoRun
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun\command - "" = L:\autorun.exe -- [2007/08/17 15:29:12 | 001,070,488 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell\dinstall\command - "" = L:\Setup\Directx\dxsetup.exe -- File not found
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell - "" = AutoRun
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun\command - "" = M:\AUTORUN.EXE -- [2000/01/17 11:28:36 | 000,028,672 | R--- | M] (Dipl.-Ing. Stefan Krueger <skrueger@installsite.org>)
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell\setup\command - "" = M:\Setup.exe -- [2000/08/24 11:44:18 | 000,077,824 | R--- | M] (InstallShield Software Corporation)
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell - "" = AutoRun
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun\command - "" = N:\autorun.exe -- File not found
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\directx\command - "" = N:\DirectX9\dxsetup.exe -- File not found
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\setup\command - "" = N:\setup.exe -- File not found
O33 - MountPoints2\L\Shell - "" = AutoRun
O33 - MountPoints2\L\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\autorun.exe -- [2007/08/17 15:29:12 | 001,070,488 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\L\Shell\setup\command - "" = L:\setup.exe -- [2007/09/12 23:59:15 | 000,311,296 | R--- | M] (Microsoft Game Studios )
O33 - MountPoints2\M\Shell - "" = AutoRun
O33 - MountPoints2\M\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\M\Shell\AutoRun\command - "" = M:\AUTORUN.EXE -- [2000/01/17 11:28:36 | 000,028,672 | R--- | M] (Dipl.-Ing. Stefan Krueger <skrueger@installsite.org>)
O33 - MountPoints2\M\Shell\dinstall\command - "" = M:\Setup\DirectX\dxsetup.exe -- [2000/10/21 06:39:38 | 000,147,456 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\S\Shell - "" = AutoRun
O33 - MountPoints2\S\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\S\Shell\AutoRun\command - "" = S:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - D:\WINDOWS\system32\ias [2009/10/31 09:55:41 | 000,000,000 | ---D | M]
NetSvcs: Iprip - D:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17173366603513856)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/28 13:21:05 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Richard\Recent
[2010/02/28 12:48:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/28 12:47:25 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/02/28 12:47:25 | 000,000,000 | ---D | C] -- D:\Program Files\MalwarebytesAnti-Malware
[2010/02/28 12:46:40 | 005,115,832 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\Richard\Desktop\mbam-setup.exe
[2010/02/28 09:49:14 | 000,549,888 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Richard\Desktop\OTL.exe
[2010/02/28 09:38:27 | 000,000,000 | ---D | C] -- D:\Program Files\Prevx
[2010/02/28 09:38:20 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/02/27 18:50:05 | 000,000,000 | -HSD | C] -- D:\Documents and Settings\Richard\IETldCache
[2010/02/26 21:27:36 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\recovery2
[2010/02/26 16:47:29 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\recovered
[2010/02/26 13:53:52 | 000,000,000 | ---D | C] -- D:\Program Files\Citrix
[2010/02/26 13:53:19 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Local Settings\Application Data\Citrix
[2010/02/26 13:32:39 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Sun
[2010/02/25 00:09:56 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\Anvsoft
[2010/02/24 10:24:18 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\Photo Flash Maker Professional
[2010/02/24 10:20:08 | 000,000,000 | ---D | C] -- D:\Program Files\Kelly Martens
[2010/02/24 09:45:35 | 034,390,728 | ---- | C] (Online Media Technologies Ltd. ) -- D:\Documents and Settings\Richard\Desktop\AVSSlideshowMaker.exe
[2010/02/23 15:08:28 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\WL Plugins
[2010/02/23 15:08:16 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\Windows Live
[2010/02/23 14:50:05 | 000,000,000 | ---D | C] -- D:\Program Files\Windows Live Writer
[2010/02/23 08:01:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Local Settings\Application Data\Windows Live Writer
[2010/02/23 08:01:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Application Data\Windows Live Writer
[2010/02/23 08:01:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\My Weblog Posts
[2010/02/23 08:01:10 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\My Received Files
[2010/02/23 07:57:52 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft Sync Framework
[2010/02/23 07:49:12 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documents\microsoft
[2010/02/23 07:48:50 | 000,000,000 | ---D | C] -- D:\Program Files\Windows Live SkyDrive
[2010/02/23 07:47:55 | 000,000,000 | ---D | C] -- D:\Program Files\Windows Live
[2010/02/23 07:28:02 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\Windows Live
[2010/02/22 00:15:30 | 000,000,000 | ---D | C] -- D:\Program Files\Photo Web Album
[2010/02/19 16:59:48 | 000,000,000 | ---D | C] -- D:\Program Files\Alcohol Soft
[2010/02/19 16:59:46 | 000,000,000 | ---D | C] -- D:\Program Files\Tradewinds Caravans
[2010/02/19 16:55:06 | 000,000,000 | -H-D | C] -- D:\$AVG
[2010/02/19 16:53:39 | 000,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/19 16:53:32 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\avg9
[2010/02/19 16:49:49 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/19 16:49:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/19 16:49:45 | 000,000,000 | --SD | M] -- D:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/19 16:49:45 | 000,000,000 | --SD | M] -- D:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/10 00:11:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/10 00:06:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/21 12:28:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Application Data\CyberLink
[2008/08/29 09:28:33 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2008/08/28 12:23:22 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Application Data\Adobe
[2008/08/24 11:55:52 | 003,522,600 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Program Files\procexp.exe
[9 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
[4 D:\Documents and Settings\Richard\My Documents\*.tmp files -> D:\Documents and Settings\Richard\My Documents\*.tmp -> ]
[37 D:\WINDOWS\System32\dllcache\*.tmp files -> D:\WINDOWS\System32\dllcache\*.tmp -> ]
[13 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\tasks\vpqztrun.job
[2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\tasks\hxeheaew.job
[2010/02/28 13:59:09 | 000,000,986 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-682003330-839522115-1003UA.job
[2010/02/28 13:48:20 | 000,000,236 | ---- | M] () -- D:\WINDOWS\tasks\OGALogon.job
[2010/02/28 13:48:09 | 000,002,250 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/02/28 13:47:45 | 000,000,884 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/28 13:47:09 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/02/28 13:46:54 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/02/28 13:46:52 | 796,446,720 | -HS- | M] () -- D:\hiberfil.sys
[2010/02/28 13:22:43 | 017,563,648 | -H-- | M] () -- D:\Documents and Settings\Richard\NTUSER.DAT
[2010/02/28 13:22:43 | 000,000,312 | -HS- | M] () -- D:\Documents and Settings\Richard\ntuser.ini
[2010/02/28 13:19:42 | 000,000,888 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/28 12:49:33 | 000,000,686 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 12:46:40 | 005,115,832 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\Richard\Desktop\mbam-setup.exe
[2010/02/28 12:04:04 | 056,422,506 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/28 10:09:33 | 000,293,376 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\GMER.exe
[2010/02/28 10:06:09 | 000,524,288 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\dds.pif
[2010/02/28 10:02:13 | 000,293,376 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\nudpgffc.exe
[2010/02/28 09:49:14 | 000,549,888 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Richard\Desktop\OTL.exe
[2010/02/28 09:38:20 | 000,000,050 | ---- | M] () -- D:\WINDOWS\wininit.ini
[2010/02/28 00:51:38 | 000,000,984 | ---- | M] () -- D:\Program Files\deltemp.bat
[2010/02/27 19:37:21 | 000,000,143 | ---- | M] () -- D:\WINDOWS\NeroDigital.ini
[2010/02/27 18:50:08 | 000,000,426 | -H-- | M] () -- D:\WINDOWS\tasks\User_Feed_Synchronization-{63AD31AE-8238-429E-9BE7-E5F8E1101DD1}.job
[2010/02/27 16:59:01 | 000,000,934 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-682003330-839522115-1003Core.job
[2010/02/27 16:45:58 | 000,000,566 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\deltemp.bat.lnk
[2010/02/27 00:14:45 | 000,000,839 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Richscheckers.htm.lnk
[2010/02/26 23:54:21 | 000,401,362 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\bookmarks022010.html
[2010/02/26 22:40:02 | 000,005,632 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\WordPad Document Scrap 'http___www_ehguy...'.shs
[2010/02/26 19:34:49 | 000,404,558 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\tab_mix_plus-0.3.8.1-fx.zip
[2010/02/26 16:03:20 | 000,006,456 | -H-- | M] () -- D:\WINDOWS\System32\zawajoso
[2010/02/26 15:23:23 | 000,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/26 14:05:55 | 000,000,095 | ---- | M] () -- D:\WINDOWS\System32\productregistry
[2010/02/25 10:14:04 | 002,760,493 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\20100210citymap_saltroutes.pdf
[2010/02/24 12:11:41 | 002,394,178 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Snow.mp3
[2010/02/24 10:20:30 | 034,390,728 | ---- | M] (Online Media Technologies Ltd. ) -- D:\Documents and Settings\Richard\Desktop\AVSSlideshowMaker.exe
[2010/02/23 23:35:30 | 000,000,574 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Shared Pictures.lnk
[2010/02/23 23:32:04 | 000,000,513 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\My Videos.lnk
[2010/02/23 15:10:01 | 000,001,947 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Photo Gallery.lnk
[2010/02/23 15:05:22 | 000,001,914 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Writer.lnk
[2010/02/23 14:10:39 | 002,886,144 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\LiveUpload.Facebook.msi
[2010/02/23 08:55:54 | 000,648,704 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Imageshack_upload.msi
[2010/02/23 08:13:33 | 000,320,512 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\insertlinksmartly-wlwplugin.msi
[2010/02/23 00:11:19 | 000,012,858 | ---- | M] () -- D:\WINDOWS\cdPlayer.ini
[2010/02/22 14:37:20 | 000,367,208 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\blog-02-22-2010.xml
[2010/02/21 23:57:07 | 000,029,410 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\tantan_facebookPhotos-0.3.zip
[2010/02/21 13:52:24 | 000,041,014 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\RichOlympicsShirt.jpg
[2010/02/19 23:21:01 | 000,029,298 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Olympic Schedule.xlsx
[2010/02/19 21:37:55 | 000,032,329 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Crosby_2010Vancouver2.jpg
[2010/02/19 16:58:33 | 000,142,495 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/19 16:54:06 | 000,001,507 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/19 16:54:05 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgldx86.sys
[2010/02/19 16:54:05 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\avgrsstx.dll
[2010/02/19 16:54:03 | 000,113,461 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/02/19 16:54:03 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/02/19 16:53:39 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/18 17:49:19 | 002,238,041 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Early_Localization_Native_Americans_USA.jpg
[2010/02/18 17:38:48 | 000,758,667 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Non-Native-American-Nations-Territorial-Claims-over-NAFTA-countries-1750-2008.gif
[2010/02/18 16:22:34 | 000,000,600 | ---- | M] () -- D:\Documents and Settings\Richard\PUTTY.RND
[2010/02/18 07:51:04 | 000,001,690 | ---- | M] () -- D:\Documents and Settings\All Users\wgafiz.reg
[2010/02/18 07:49:43 | 000,000,561 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\ogafiz.reg
[9 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
[4 D:\Documents and Settings\Richard\My Documents\*.tmp files -> D:\Documents and Settings\Richard\My Documents\*.tmp -> ]
[37 D:\WINDOWS\System32\dllcache\*.tmp files -> D:\WINDOWS\System32\dllcache\*.tmp -> ]
[13 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/28 12:49:33 | 000,000,686 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 10:09:27 | 000,293,376 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\GMER.exe
[2010/02/28 10:05:55 | 000,524,288 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\dds.pif
[2010/02/28 10:02:05 | 000,293,376 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\nudpgffc.exe
[2010/02/28 09:38:20 | 000,000,050 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2010/02/27 16:45:58 | 000,000,566 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\deltemp.bat.lnk
[2010/02/27 00:14:45 | 000,000,839 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Richscheckers.htm.lnk
[2010/02/26 23:54:19 | 000,401,362 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\bookmarks022010.html
[2010/02/26 22:40:01 | 000,005,632 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\WordPad Document Scrap 'http___www_ehguy...'.shs
[2010/02/26 22:04:40 | 000,405,740 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\addon-1122-latest.xpi
[2010/02/26 19:33:46 | 000,404,558 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\tab_mix_plus-0.3.8.1-fx.zip
[2010/02/26 15:23:23 | 000,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/25 10:14:00 | 002,760,493 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\20100210citymap_saltroutes.pdf
[2010/02/24 12:10:07 | 002,394,178 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Snow.mp3
[2010/02/23 23:35:30 | 000,000,574 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Shared Pictures.lnk
[2010/02/23 23:32:04 | 000,000,513 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\My Videos.lnk
[2010/02/23 15:10:01 | 000,001,947 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Photo Gallery.lnk
[2010/02/23 15:05:22 | 000,001,914 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Writer.lnk
[2010/02/23 14:10:19 | 002,886,144 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\LiveUpload.Facebook.msi
[2010/02/23 08:55:52 | 000,648,704 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Imageshack_upload.msi
[2010/02/23 08:13:33 | 000,320,512 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\insertlinksmartly-wlwplugin.msi
[2010/02/22 14:37:11 | 000,367,208 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\blog-02-22-2010.xml
[2010/02/21 23:56:48 | 000,029,410 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\tantan_facebookPhotos-0.3.zip
[2010/02/21 01:32:31 | 000,041,014 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\RichOlympicsShirt.jpg
[2010/02/19 21:37:39 | 000,032,329 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Crosby_2010Vancouver2.jpg
[2010/02/19 16:54:06 | 000,001,507 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/18 17:48:59 | 002,238,041 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Early_Localization_Native_Americans_USA.jpg
[2010/02/18 17:37:12 | 000,758,667 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Non-Native-American-Nations-Territorial-Claims-over-NAFTA-countries-1750-2008.gif
[2010/02/18 07:47:01 | 000,000,561 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\ogafiz.reg
[2010/02/13 01:06:49 | 000,518,752 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/12/07 14:22:15 | 000,237,568 | ---- | C] () -- D:\WINDOWS\System32\lame_enc.dll
[2009/11/02 00:34:21 | 000,147,456 | ---- | C] () -- D:\WINDOWS\System32\RtlCPAPI.dll
[2009/10/31 14:49:29 | 000,007,909 | ---- | C] () -- D:\WINDOWS\System32\ftpctrs.ini
[2009/10/31 14:49:25 | 000,038,576 | ---- | C] () -- D:\WINDOWS\System32\w3ctrs.ini
[2009/10/31 14:49:24 | 000,010,225 | ---- | C] () -- D:\WINDOWS\System32\axperf.ini
[2009/10/31 14:49:17 | 000,011,435 | ---- | C] () -- D:\WINDOWS\System32\infoctrs.ini
[2009/09/09 11:53:42 | 000,028,672 | ---- | C] () -- D:\WINDOWS\System32\MFC_InstDrvDLL.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- D:\WINDOWS\System32\OGACheckControl.dll
[2009/06/17 18:43:36 | 000,000,600 | ---- | C] () -- D:\Documents and Settings\Richard\Application Data\winscp.rnd
[2009/03/23 23:56:24 | 000,765,952 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll
[2009/03/23 23:56:24 | 000,180,224 | ---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll
[2008/09/24 06:48:55 | 000,000,152 | ---- | C] () -- D:\Documents and Settings\Richard\Application Data\ntl.ini
[2008/09/24 06:45:38 | 000,002,115 | ---- | C] () -- D:\Documents and Settings\Richard\Application Data\ntl.nws
[2008/09/15 21:25:44 | 000,000,885 | ---- | C] () -- D:\WINDOWS\entpack.ini
[2008/09/04 11:10:08 | 000,053,760 | ---- | C] () -- D:\WINDOWS\System32\ZLIB.DLL
[2008/08/29 22:45:57 | 000,087,552 | ---- | C] () -- D:\WINDOWS\System32\cpwmon2k.dll
[2008/08/28 13:21:38 | 000,000,350 | ---- | C] () -- D:\Program Files\deltemp2.bat
[2008/08/26 04:00:13 | 000,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2008/08/25 00:14:18 | 000,001,908 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/08/24 04:06:05 | 000,000,000 | ---- | C] () -- D:\WINDOWS\frontpg.ini
[2008/08/24 04:04:34 | 000,021,791 | ---- | C] () -- D:\WINDOWS\System32\smtpctrs.ini
[2008/08/24 04:04:34 | 000,001,037 | ---- | C] () -- D:\WINDOWS\System32\ntfsdrct.ini
[2008/08/24 04:04:07 | 000,001,793 | ---- | C] () -- D:\WINDOWS\System32\fxsperf.ini
[2007/10/22 19:22:35 | 000,000,125 | ---- | C] () -- D:\WINDOWS\AVERY.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- D:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- D:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- D:\WINDOWS\System32\gthrctr.ini
[2007/01/25 12:31:36 | 000,053,299 | ---- | C] () -- D:\WINDOWS\System32\pthreadVC.dll
[2006/12/02 13:18:11 | 000,000,984 | ---- | C] () -- D:\Program Files\deltemp.bat
[2006/06/24 14:55:29 | 000,000,026 | ---- | C] () -- D:\WINDOWS\FP_WMP.INI
[2005/10/24 05:13:20 | 101,102,862 | ---- | C] () -- D:\Program Files\windowblinds.zip
[2005/10/23 14:31:23 | 000,001,097 | ---- | C] () -- D:\WINDOWS\CDFACE32.INI
[2005/10/06 16:55:42 | 000,000,143 | ---- | C] () -- D:\WINDOWS\NeroDigital.ini
[2005/09/26 07:42:36 | 000,012,858 | ---- | C] () -- D:\WINDOWS\cdPlayer.ini
[2005/09/20 20:08:25 | 000,000,144 | ---- | C] () -- D:\WINDOWS\Sierra.ini
[2005/09/20 19:22:56 | 000,000,984 | ---- | C] () -- D:\WINDOWS\STA2.ini
[2005/09/19 21:39:39 | 000,000,660 | ---- | C] () -- D:\WINDOWS\PSTUDIO.INI
[2005/05/14 19:07:43 | 000,000,061 | ---- | C] () -- D:\WINDOWS\smscfg.ini
[2004/10/26 17:39:05 | 003,375,104 | ---- | C] () -- D:\WINDOWS\System32\qt-mt331.dll
[2004/05/03 23:19:13 | 000,007,680 | ---- | C] () -- D:\WINDOWS\System32\kbdkhufr.dll
[2004/02/27 06:05:06 | 000,565,248 | ---- | C] () -- D:\WINDOWS\System32\hpotscl.dll

========== LOP Check ==========

[2009/09/18 12:52:09 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\acccore
[2008/09/26 22:36:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010/02/26 16:11:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\avg9
[2008/08/27 00:00:23 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Grisoft
[2009/04/21 00:29:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\IconTweaker
[2009/08/31 23:01:10 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/02/28 09:38:21 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PrevxCSI
[2008/09/24 08:34:42 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/07/31 21:45:00 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Stardock
[2009/08/04 10:31:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Startup Manager
[2010/02/25 00:30:53 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/18 12:52:16 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/29 23:08:38 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\WildTangent
[2009/09/03 12:21:23 | 000,000,000 | -H-D | M] -- D:\Documents and Settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
[2009/03/06 17:47:57 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/09/18 13:03:47 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\acccore
[2008/08/27 02:35:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Atari
[2008/08/24 23:14:42 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\BitTorrent
[2009/09/06 13:15:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Easy Thumbnails
[2009/04/21 00:29:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\IconTweaker
[2008/08/24 21:51:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\InterTrust
[2008/08/27 02:35:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\InterVideo
[2009/12/04 11:06:30 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Leadertech
[2008/09/02 11:02:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\OfficeUpdate12
[2008/11/07 18:08:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Opera
[2009/07/31 21:50:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Stardock
[2010/02/28 09:49:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\uTorrent
[2008/08/26 04:55:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Vince Valenti
[2009/12/01 12:22:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Windows Desktop Search
[2010/02/23 15:30:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Windows Live Writer
[2009/12/31 15:37:59 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Windows Search
[2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\Tasks\hxeheaew.job
[2010/02/28 13:48:20 | 000,000,236 | ---- | M] () -- D:\WINDOWS\Tasks\OGALogon.job
[2010/02/27 18:50:08 | 000,000,426 | -H-- | M] () -- D:\WINDOWS\Tasks\User_Feed_Synchronization-{63AD31AE-8238-429E-9BE7-E5F8E1101DD1}.job
[2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\Tasks\vpqztrun.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\I386\sp2.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- D:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- D:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 07:00:00 | 010,158,890 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\I386\sp2.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- D:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- D:\WINDOWS\I386\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- D:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- D:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- D:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- D:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- D:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- D:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll
[2007/05/17 21:34:04 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- D:\Program Files\PowerDirector\PowerDirector\EventLog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- D:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- D:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- D:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- D:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- D:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- D:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- D:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- D:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- D:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- D:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- D:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- D:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[9 D:\WINDOWS\system32\*.tmp files -> D:\WINDOWS\system32\*.tmp -> ]

========== Files - Unicode (All) ==========
[2009/06/06 00:43:45 | 000,024,064 | ---- | M] ()(D:\Documents and Settings\Richard\My Documents\?????.doc) -- D:\Documents and Settings\Richard\My Documents\天安门事件.doc
[2009/06/06 00:43:42 | 000,024,064 | ---- | C] ()(D:\Documents and Settings\Richard\My Documents\?????.doc) -- D:\Documents and Settings\Richard\My Documents\天安门事件.doc
[2009/06/04 02:24:06 | 000,019,968 | ---- | M] ()(D:\Documents and Settings\Richard\My Documents\????.doc) -- D:\Documents and Settings\Richard\My Documents\六四事件.doc
[2009/06/04 02:24:03 | 000,019,968 | ---- | C] ()(D:\Documents and Settings\Richard\My Documents\????.doc) -- D:\Documents and Settings\Richard\My Documents\六四事件.doc

========== Alternate Data Streams ==========

@Alternate Data Stream - 171 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:0A8E2C33
@Alternate Data Stream - 109 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
@Alternate Data Stream - 108 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5D114334
< End of report >

Thanks again!
-Rich
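
The "< MD5 for: ... >" blocks in the log above exist to catch a system file that has been patched in place: the copy Windows actually loads from system32 (or system32\drivers) should hash identically to the untouched copy of the same build that the service pack installer or Windows Update left behind in ServicePackFiles\i386, SoftwareDistribution\Download or $NtServicePackUninstall$, and a helper reads these blocks by eye looking for a live copy whose size matches a cached copy but whose MD5 does not. The script below automates that comparison. It is an added example, not OTL's code and not anything posted in this thread; the agp440.sys block is copied from the log, and in the atapi.sys block the MD5 of the live copy has been replaced with a constructed all-zero value so the check has something to report.

```python
"""Cross-check the "< MD5 for: ... >" blocks of an OTL log.

The live copy under %SystemRoot%\system32 should hash the same as the
installer-written copy of the same build.  Same size, different MD5 means
the file was modified in place.  Added example; not OTL's own logic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+?) \| (?P<flag>[A-Z])\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Directories holding installer-written reference copies (compared lower-cased).
REFERENCE_DIRS = (
    "\\servicepackfiles\\i386\\",
    "\\softwaredistribution\\download\\",
    "\\$ntservicepackuninstall$\\",
    "\\$hf_mig$\\",
    "\\i386\\",
    "\\system32\\dllcache\\",
)


@dataclass
class Entry:
    name: str      # section file name, lower-cased, e.g. "atapi.sys"
    size: int      # bytes
    company: str   # version-info company string, "" when OTL printed ()
    md5: str       # upper-case hex
    path: str


def parse_md5_sections(log_text: str) -> dict[str, list[Entry]]:
    """Group hashed entries by the section they appear in; .cab lines have no MD5 and are skipped."""
    sections: dict[str, list[Entry]] = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group("name").lower()
        elif current and (m := ENTRY_RE.match(line)):
            sections[current].append(Entry(
                name=current,
                size=int(m.group("size").replace(",", "")),
                company=m.group("company"),
                md5=m.group("md5").upper(),
                path=m.group("path"),
            ))
    return dict(sections)


def is_reference(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in REFERENCE_DIRS)


def is_live(path: str) -> bool:
    """The copy Windows loads: under system32 and not inside a cache directory."""
    p = path.lower()
    return "\\system32\\" in p and not is_reference(p)


def check_live_copies(log_text: str) -> list[tuple[str, str, str]]:
    """Return (file, path, verdict) for every live system32 copy in the log."""
    findings = []
    for name, entries in parse_md5_sections(log_text).items():
        refs = [e for e in entries if is_reference(e.path)]
        for live in (e for e in entries if is_live(e.path)):
            same_size = [r for r in refs if r.size == live.size]
            if any(r.md5 == live.md5 for r in same_size):
                verdict = "OK: identical to an installer-written copy"
            elif same_size:
                verdict = "SUSPECT: same size as the cached build but different MD5 (patched in place?)"
            elif not live.company:
                verdict = "SUSPECT: no version info and nothing to compare against"
            else:
                verdict = "UNVERIFIED: no cached copy of this size on disk"
            findings.append((name, live.path, verdict))
    return findings


# Sample input.  The agp440.sys block is copied from the log above.  In the
# atapi.sys block the live copy's MD5 is CONSTRUCTED (all zeros) so the check
# fires; the other two atapi.sys lines are from the log.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- D:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- D:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- D:\WINDOWS\I386\atapi.sys
"""

if __name__ == "__main__":
    for name, path, verdict in check_live_copies(SAMPLE_LOG):
        print(f"{name:12} {path}\n{'':12} {verdict}")
```

Run it as-is to print the two verdicts, or feed it a whole OTL log. Two caveats a practitioner would add: the comparison is only as trustworthy as the cached copies, which a kernel-level rootkit could patch as well, so a SUSPECT or UNVERIFIED verdict should be settled against a hash from a clean machine or the vendor's catalog; and a different size rather than a different hash (as between the SP2 and SP3 builds of agp440.sys in the log) is a version difference, not evidence of tampering.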

#4 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 01 March 2010 - 07:59 AM

You can keep auto updates disabled for now, but once we're done make sure you re-enable it.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\wgafiz.lnk = D:\Documents and Settings\All Users\wgafiz.reg ()
    O20 - AppInit_DLLs: (bokodase.dll) - File not found
    O20 - AppInit_DLLs: (rizakoyu.dll) - File not found
    [9 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
    [4 D:\Documents and Settings\Richard\My Documents\*.tmp files -> D:\Documents and Settings\Richard\My Documents\*.tmp -> ]
    [37 D:\WINDOWS\System32\dllcache\*.tmp files -> D:\WINDOWS\System32\dllcache\*.tmp -> ]
    [13 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
    [2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\tasks\vpqztrun.job
    [2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\tasks\hxeheaew.job
    [2010/02/26 16:03:20 | 000,006,456 | -H-- | M] () -- D:\WINDOWS\System32\zawajoso
    @Alternate Data Stream - 171 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:0A8E2C33
    @Alternate Data Stream - 109 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
    @Alternate Data Stream - 108 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5D114334

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
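
The fix script above does not name any of its targets as malware; the helper picked them out by pattern: two scheduled tasks in D:\WINDOWS\Tasks with machine-looking names and identical size and timestamp, AppInit_DLLs values (a DLL listed in that registry value is loaded into every process that maps user32.dll, services included, which makes it a favourite injection point and something legitimate software rarely uses), a Startup shortcut to a .reg file with no publisher information, a hidden extensionless file in System32, and named NTFS streams tacked onto a profile folder. The script below writes those patterns down as rules over raw OTL lines so the same eye can be applied to another log. It is an added example, not OTL's or the helper's own logic; the thresholds (eight-letter names, a run of five consonants) are assumptions, and the sample lines are copied from the fix script and the log above, with three benign entries from the log included to show what the rules leave alone.

```python
"""Rules that reproduce the selection behind the OTL fix above.

Added example, not OTL's or the helper's code.  Thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter

JOB_RE = re.compile(
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| [^|]+? \| [A-Z]\] \(\) -- "
    r"(?P<path>.+\\(?P<name>[^\\]+)\.job)$", re.IGNORECASE)
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+?) \| [A-Z]\] \(\) -- (?P<path>.+)$")
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+):(?P<stream>[0-9A-F]{8})$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<dll>[^)]+)\) - (?P<status>.+)$")
STARTUP_RE = re.compile(
    r"^O4 - Startup: (?P<lnk>.+\.lnk) = (?P<target>.+?) \((?P<company>[^)]*)\)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")


def looks_random(name: str) -> bool:
    """Eight or more lower-case letters containing a five-consonant run (assumed threshold)."""
    return bool(re.fullmatch(r"[a-z]{8,}", name)) and bool(CONSONANT_RUN.search(name))


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) for every line the rules would pull into a fix."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Tasks sharing size and timestamp were written by the same dropper, even
    # when one of the names happens to look pronounceable.
    twins = Counter((m.group("size"), m.group("ts"))
                    for m in map(JOB_RE.match, lines) if m)
    findings: list[tuple[str, str]] = []
    for line in lines:
        if m := JOB_RE.match(line):
            name = m.group("name")
            if looks_random(name):
                findings.append((line, f"task name '{name}' looks machine-generated"))
            elif twins[(m.group("size"), m.group("ts"))] > 1:
                findings.append((line, "task is a twin of another (same size and timestamp)"))
        elif m := APPINIT_RE.match(line):
            why = f"AppInit_DLLs injects {m.group('dll')} into every user32-linked process"
            if "not found" in m.group("status").lower():
                why += "; file gone, registry value left behind"
            findings.append((line, why))
        elif m := STARTUP_RE.match(line):
            if not m.group("company"):
                findings.append((line, "Startup shortcut to a target with no publisher info"))
        elif m := FILE_RE.match(line):
            path = m.group("path")
            basename = path.rsplit("\\", 1)[-1]
            if "H" in m.group("attr") and "." not in basename and "\\system32\\" in path.lower():
                findings.append((line, "hidden extensionless file in System32"))
        elif ADS_RE.match(line):
            findings.append((line, "opaque named NTFS stream on a profile folder"))
    return findings


# Sample lines copied from the fix script and the log above.  Windows Search,
# OGALogon and User_Feed_Synchronization are benign entries from the log,
# included to show the rules leaving ordinary lines alone.
SAMPLE_LINES = r"""
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\wgafiz.lnk = D:\Documents and Settings\All Users\wgafiz.reg ()
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = D:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O20 - AppInit_DLLs: (bokodase.dll) - File not found
[2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\tasks\vpqztrun.job
[2010/02/28 14:00:00 | 000,000,296 | ---- | M] () -- D:\WINDOWS\tasks\hxeheaew.job
[2010/02/28 13:48:20 | 000,000,236 | ---- | M] () -- D:\WINDOWS\Tasks\OGALogon.job
[2010/02/27 18:50:08 | 000,000,426 | -H-- | M] () -- D:\WINDOWS\Tasks\User_Feed_Synchronization-{63AD31AE-8238-429E-9BE7-E5F8E1101DD1}.job
[2010/02/26 16:03:20 | 000,006,456 | -H-- | M] () -- D:\WINDOWS\System32\zawajoso
@Alternate Data Stream - 171 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:0A8E2C33
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LINES):
        print(f"{why}\n    {line}")
```

The twin rule is the one worth keeping: hxeheaew.job on its own passes the name test, and only its identical size and timestamp to vpqztrun.job give it away. Rules like these are a starting point for reading a log, not a verdict; anything they flag still needs the file itself (or its hash) looked at.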


========================================================

#5 RichWertz (Topic Starter)

Posted 01 March 2010 - 09:11 AM

Hello, again, Buckeye Sam...

Results as instructed are attached. The initial fix log is called "OTL_03012010_083104.Txt"; the scan after reboot is called "OTL_03012010_090502.Txt". I have to say that I think the issue might be fixed; I haven't experienced any of the problems I experienced before coming here for help.

If the problem is fixed (and even if there is still work to be done), I would like to thank you for taking the time to help me. Words cannot adequately express how appreciative I am that you have provided me with this help. Thank you.

Kind regards,
Rich Wertz



OTL logfile created on: 3/1/2010 08:43:16 - Run 5
OTL by OldTimer - Version 3.1.30.3 Folder = D:\Program Files\AV
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

759.00 Mb Total Physical Memory | 279.00 Mb Available Physical Memory | 37.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): d:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 68.53 Gb Total Space | 2.12 Gb Free Space | 3.09% Space Free | Partition Type: NTFS
Drive D: | 76.32 Gb Total Space | 9.38 Gb Free Space | 12.29% Space Free | Partition Type: NTFS
Drive E: | 5.98 Gb Total Space | 4.83 Gb Free Space | 80.79% Space Free | Partition Type: FAT32
Drive F: | 2.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 600.61 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive M: | 453.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: IPAQ
Current User Name: Richard
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - D:\Program Files\AV\OTL.exe (OldTimer Tools)
PRC - D:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - D:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - D:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - D:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - D:\Program Files\Microsoft Office 2007\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - D:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - D:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - D:\Program Files\Unlocker\UnlockerAssistant.exe ()
PRC - D:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - D:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
PRC - D:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
PRC - D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - D:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - D:\Program Files\Multimedia Keyboard Driver\KMWDSrv.exe (UASSOFT.COM)
PRC - D:\Program Files\Multimedia Keyboard Driver\KMCONFIG.exe (UASSOFT.COM)
PRC - D:\Program Files\AlcoholSoft\Alcohol 120\StarWind\StarWindServiceAE.exe (Rocket Division Software)
PRC - D:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
PRC - D:\Program Files\Multimedia Keyboard Driver\KMProcess.exe (UASSOFT.COM)
PRC - D:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe (UASSOFT.COM)
PRC - D:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
PRC - D:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
PRC - D:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
PRC - D:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - D:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - D:\Program Files\AV\OTL.exe (OldTimer Tools)
MOD - D:\Program Files\Unlocker\UnlockerHook.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SeaPort) -- File not found
SRV - (JavaQuickStarterService) -- D:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (GoToAssist) -- D:\Program Files\Citrix\GoToAssist\570\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (avg9wd) -- D:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (gupdate) Google Update Service (gupdate) -- D:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (iPod Service) -- D:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (RichVideo) Cyberlink RichVideo Service(CRVS) -- D:\Program Files\Cyberlink\Shared files\RichVideo.exe ()
SRV - (Apple Mobile Device) -- D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (odserv) -- D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service) -- D:\Program Files\Microsoft Office 2007\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Adobe LM Service) -- D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (Bonjour Service) -- D:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (SNMP) -- D:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
SRV - (MSMQTriggers) -- D:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
SRV - (MSMQ) -- D:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
SRV - (W3SVC) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (MSFtpsvc) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- D:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (Iprip) -- D:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
SRV - (KMWDSERVICE) -- D:\Program Files\Multimedia Keyboard Driver\KMWDSrv.exe (UASSOFT.COM)
SRV - (StarWindServiceAE) -- D:\Program Files\AlcoholSoft\Alcohol 120\StarWind\StarWindServiceAE.exe (Rocket Division Software)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- D:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (Viewpoint Manager Service) -- D:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (ose) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Macromedia Licensing Service) -- D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (Macromedia)
SRV - (FolderSize) -- D:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
SRV - (IDriverT) -- D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (SimpTcp) -- D:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
SRV - (LPDSVC) -- D:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1220945662-682003330-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1220945662-682003330-839522115-1003\S-1-5-21-1220945662-682003330-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1220945662-682003330-839522115-1003\S-1-5-21-1220945662-682003330-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "https://login.facebook.com/login.php"
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:4.0.0
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.63.20091024
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}:0.9.6
FF - prefs.js..extensions.enabledItems: {113c2360-15a3-11de-8c30-0800200c9a66}:0.9
FF - prefs.js..extensions.enabledItems: {b3f91530-1905-11de-8c30-0800200c9a66}:0.9
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: D:\Program Files\Grisoft\AVG8\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: D:\Program Files\AVG\AVG9\Firefox [2010/02/19 16:53:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: D:\Program Files\Real2\browserrecord [2010/01/04 00:37:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{577e3214-a6d3-4bd9-b689-381f57e69bcf}: D:\Program Files\Windows Live\Writer\BlogThis\Mozilla Firefox\ [2010/02/23 15:02:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/02/26 16:19:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/02/26 16:19:18 | 000,000,000 | ---D | M]

[2010/02/26 16:19:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2010/02/28 23:28:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions
[2010/02/26 19:06:05 | 000,000,000 | ---D | M] (Forecastfox) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/02/26 19:03:39 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{113c2360-15a3-11de-8c30-0800200c9a66}
[2010/02/26 23:00:22 | 000,000,000 | ---D | M] (Forecastbar Enhanced) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}
[2010/02/26 23:00:07 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{b3f91530-1905-11de-8c30-0800200c9a66}
[2010/02/26 19:05:30 | 000,000,000 | ---D | M] (Web Developer) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/02/26 19:06:01 | 000,000,000 | ---D | M] (FoxClocks) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
[2010/02/26 19:06:07 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/02/26 19:06:06 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\en-US@dictionaries.addons.mozilla.org
[2010/02/26 19:05:40 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\7fgvyvx5.default\extensions\ietab@ip.cn
[2010/03/01 08:14:50 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions
[2007/07/18 12:19:40 | 002,998,784 | ---- | M] (Tamarack Software, Inc.) -- D:\Program Files\Mozilla Firefox\plugins\nptgeqplugin.dll
[2008/04/09 15:21:19 | 000,163,840 | ---- | M] (CNN) -- D:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- D:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2002/08/29 07:00:00 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\NEW\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\Real2\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office 2007\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\NEW\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\NEW\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\NEW\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [!AVG Anti-Spyware] D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe File not found
O4 - HKLM..\Run: [AGRSMMSG] D:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [AlcxMonitor] D:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG9_TRAY] D:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [KMCONFIG] D:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe KMConfig.exe File not found
O4 - HKLM..\Run: [MsmqIntCert] D:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [QuickTime Task] D:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] D:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] D:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1220945662-682003330-839522115-1003..\Run: [Aim6] File not found
O4 - HKU\S-1-5-21-1220945662-682003330-839522115-1003..\Run: [AlcoholAutomount] D:\Program Files\AlcoholSoft\Alcohol 120\axcmd.exe ()
O4 - HKU\S-1-5-21-1220945662-682003330-839522115-1003..\Run: [Google Update] D:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] D:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] D:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office 2007\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = D:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office 2007\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office 2007\Office12\ONBttnIE.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: ecollege.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: ecollege.com ([*.gradebook] * in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: google.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: kaplan.edu ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: kucourses.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: kucourses.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-682003330-839522115-1003\..Trusted Domains: uah.edu ([*.libsys] * in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1219818887765 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1219648399890 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://D:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://D:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office 2007\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - D:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\GoToAssist: DllName - D:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - D:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - D:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O22 - SharedTaskScheduler: {a02efca2-e08d-4b53-9243-5322126f14d4} - mujuzedij - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - D:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Program Files\Microsoft Office 2007\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/26 00:12:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/08/17 15:29:12 | 001,070,488 | R--- | M] (Microsoft Corporation) - L:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2007/06/04 12:38:36 | 000,000,167 | R--- | M] () - L:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2000/01/17 11:28:36 | 000,028,672 | R--- | M] (Dipl.-Ing. Stefan Krueger <skrueger@installsite.org>) - M:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [2001/10/25 12:12:20 | 000,000,145 | R--- | M] () - M:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2001/10/09 17:45:36 | 000,001,044 | R--- | M] () - M:\AUTORUN.INI -- [ CDFS ]
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell - "" = AutoRun
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun\command - "" = L:\autorun.exe -- [2007/08/17 15:29:12 | 001,070,488 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{8d8c7a40-b44d-11de-92f5-0013d43c555a}\Shell\dinstall\command - "" = L:\Setup\Directx\dxsetup.exe -- File not found
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell - "" = AutoRun
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun\command - "" = M:\AUTORUN.EXE -- [2000/01/17 11:28:36 | 000,028,672 | R--- | M] (Dipl.-Ing. Stefan Krueger <skrueger@installsite.org>)
O33 - MountPoints2\{8d8c7a41-b44d-11de-92f5-0013d43c555a}\Shell\setup\command - "" = M:\Setup.exe -- [2000/08/24 11:44:18 | 000,077,824 | R--- | M] (InstallShield Software Corporation)
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell - "" = AutoRun
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\AutoRun\command - "" = N:\autorun.exe -- File not found
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\directx\command - "" = N:\DirectX9\dxsetup.exe -- File not found
O33 - MountPoints2\{8d8c7a42-b44d-11de-92f5-0013d43c555a}\Shell\setup\command - "" = N:\setup.exe -- File not found
O33 - MountPoints2\L\Shell - "" = AutoRun
O33 - MountPoints2\L\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\autorun.exe -- [2007/08/17 15:29:12 | 001,070,488 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\L\Shell\setup\command - "" = L:\setup.exe -- [2007/09/12 23:59:15 | 000,311,296 | R--- | M] (Microsoft Game Studios )
O33 - MountPoints2\M\Shell - "" = AutoRun
O33 - MountPoints2\M\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\M\Shell\AutoRun\command - "" = M:\AUTORUN.EXE -- [2000/01/17 11:28:36 | 000,028,672 | R--- | M] (Dipl.-Ing. Stefan Krueger <skrueger@installsite.org>)
O33 - MountPoints2\M\Shell\dinstall\command - "" = M:\Setup\DirectX\dxsetup.exe -- [2000/10/21 06:39:38 | 000,147,456 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\S\Shell - "" = AutoRun
O33 - MountPoints2\S\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\S\Shell\AutoRun\command - "" = S:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/01 08:31:04 | 000,000,000 | ---D | C] -- D:\_OTL
[2010/02/28 13:21:05 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Richard\Recent
[2010/02/28 12:48:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/28 12:47:25 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/02/28 12:47:25 | 000,000,000 | ---D | C] -- D:\Program Files\MalwarebytesAnti-Malware
[2010/02/28 12:46:40 | 005,115,832 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\Richard\Desktop\mbam-setup.exe
[2010/02/28 09:38:27 | 000,000,000 | ---D | C] -- D:\Program Files\Prevx
[2010/02/28 09:38:20 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/02/27 18:50:05 | 000,000,000 | -HSD | C] -- D:\Documents and Settings\Richard\IETldCache
[2010/02/26 21:27:36 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\recovery2
[2010/02/26 16:47:29 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\recovered
[2010/02/26 13:53:52 | 000,000,000 | ---D | C] -- D:\Program Files\Citrix
[2010/02/26 13:53:19 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Local Settings\Application Data\Citrix
[2010/02/26 13:32:39 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Sun
[2010/02/25 00:09:56 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\Anvsoft
[2010/02/24 10:24:18 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\Photo Flash Maker Professional
[2010/02/24 10:20:08 | 000,000,000 | ---D | C] -- D:\Program Files\Kelly Martens
[2010/02/24 09:45:35 | 034,390,728 | ---- | C] (Online Media Technologies Ltd. ) -- D:\Documents and Settings\Richard\Desktop\AVSSlideshowMaker.exe
[2010/02/23 15:08:28 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\WL Plugins
[2010/02/23 15:08:16 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Desktop\Windows Live
[2010/02/23 14:50:05 | 000,000,000 | ---D | C] -- D:\Program Files\Windows Live Writer
[2010/02/23 08:01:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Local Settings\Application Data\Windows Live Writer
[2010/02/23 08:01:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\Application Data\Windows Live Writer
[2010/02/23 08:01:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\My Weblog Posts
[2010/02/23 08:01:10 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Richard\My Documents\My Received Files
[2010/02/23 07:57:52 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft Sync Framework
[2010/02/23 07:49:12 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documents\microsoft
[2010/02/23 07:48:50 | 000,000,000 | ---D | C] -- D:\Program Files\Windows Live SkyDrive
[2010/02/23 07:47:55 | 000,000,000 | ---D | C] -- D:\Program Files\Windows Live
[2010/02/23 07:28:02 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\Windows Live
[2010/02/22 00:15:30 | 000,000,000 | ---D | C] -- D:\Program Files\Photo Web Album
[2010/02/19 16:59:48 | 000,000,000 | ---D | C] -- D:\Program Files\Alcohol Soft
[2010/02/19 16:59:46 | 000,000,000 | ---D | C] -- D:\Program Files\Tradewinds Caravans
[2010/02/19 16:55:06 | 000,000,000 | -H-D | C] -- D:\$AVG
[2010/02/19 16:53:39 | 000,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/19 16:53:32 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\avg9
[2010/02/19 16:49:49 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/19 16:49:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/19 16:49:45 | 000,000,000 | --SD | M] -- D:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/19 16:49:45 | 000,000,000 | --SD | M] -- D:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/10 00:11:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/10 00:06:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/21 12:28:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Application Data\CyberLink
[2008/08/29 09:28:33 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2008/08/28 12:23:22 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Application Data\Adobe
[2008/08/24 11:55:52 | 003,522,600 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Program Files\procexp.exe

========== Files - Modified Within 14 Days ==========

[2010/03/01 08:35:29 | 000,000,236 | ---- | M] () -- D:\WINDOWS\tasks\OGALogon.job
[2010/03/01 08:35:26 | 000,000,884 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/01 08:35:04 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/03/01 08:34:53 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/03/01 08:34:51 | 796,446,720 | -HS- | M] () -- D:\hiberfil.sys
[2010/03/01 08:33:11 | 017,563,648 | -H-- | M] () -- D:\Documents and Settings\Richard\NTUSER.DAT
[2010/03/01 08:33:11 | 000,000,312 | -HS- | M] () -- D:\Documents and Settings\Richard\ntuser.ini
[2010/03/01 08:17:07 | 000,000,888 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/01 08:01:40 | 056,483,219 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/01 07:59:04 | 000,000,986 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-682003330-839522115-1003UA.job
[2010/02/28 22:04:47 | 000,000,426 | -H-- | M] () -- D:\WINDOWS\tasks\User_Feed_Synchronization-{63AD31AE-8238-429E-9BE7-E5F8E1101DD1}.job
[2010/02/28 16:59:00 | 000,000,934 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-682003330-839522115-1003Core.job
[2010/02/28 13:48:09 | 000,002,250 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/02/28 12:49:33 | 000,000,686 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 12:46:40 | 005,115,832 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\Richard\Desktop\mbam-setup.exe
[2010/02/28 09:38:20 | 000,000,050 | ---- | M] () -- D:\WINDOWS\wininit.ini
[2010/02/28 00:51:38 | 000,000,984 | ---- | M] () -- D:\Program Files\deltemp.bat
[2010/02/27 19:37:21 | 000,000,143 | ---- | M] () -- D:\WINDOWS\NeroDigital.ini
[2010/02/27 16:45:58 | 000,000,566 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\deltemp.bat.lnk
[2010/02/27 00:14:45 | 000,000,839 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Richscheckers.htm.lnk
[2010/02/26 23:54:21 | 000,401,362 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\bookmarks022010.html
[2010/02/26 22:40:02 | 000,005,632 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\WordPad Document Scrap 'http___www_ehguy...'.shs
[2010/02/26 14:05:55 | 000,000,095 | ---- | M] () -- D:\WINDOWS\System32\productregistry
[2010/02/25 10:14:04 | 002,760,493 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\20100210citymap_saltroutes.pdf
[2010/02/24 12:11:41 | 002,394,178 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\Snow.mp3
[2010/02/24 10:20:30 | 034,390,728 | ---- | M] (Online Media Technologies Ltd. ) -- D:\Documents and Settings\Richard\Desktop\AVSSlideshowMaker.exe
[2010/02/23 23:35:30 | 000,000,574 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Shared Pictures.lnk
[2010/02/23 23:32:04 | 000,000,513 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\My Videos.lnk
[2010/02/23 15:10:01 | 000,001,947 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Photo Gallery.lnk
[2010/02/23 15:05:22 | 000,001,914 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Writer.lnk
[2010/02/23 14:10:39 | 002,886,144 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\LiveUpload.Facebook.msi
[2010/02/23 08:55:54 | 000,648,704 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\Imageshack_upload.msi
[2010/02/23 08:13:33 | 000,320,512 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\insertlinksmartly-wlwplugin.msi
[2010/02/23 00:11:19 | 000,012,858 | ---- | M] () -- D:\WINDOWS\cdPlayer.ini
[2010/02/22 14:37:20 | 000,367,208 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\blog-02-22-2010.xml
[2010/02/21 23:57:07 | 000,029,410 | ---- | M] () -- D:\Documents and Settings\Richard\Desktop\tantan_facebookPhotos-0.3.zip
[2010/02/19 16:58:33 | 000,142,495 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/19 16:54:06 | 000,001,507 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/19 16:54:05 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgldx86.sys
[2010/02/19 16:54:05 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\avgrsstx.dll
[2010/02/19 16:54:03 | 000,113,461 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/02/19 16:54:03 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/02/19 16:53:39 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/18 17:49:19 | 002,238,041 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\Early_Localization_Native_Americans_USA.jpg
[2010/02/18 17:38:48 | 000,758,667 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\Non-Native-American-Nations-Territorial-Claims-over-NAFTA-countries-1750-2008.gif
[2010/02/18 16:22:34 | 000,000,600 | ---- | M] () -- D:\Documents and Settings\Richard\PUTTY.RND
[2010/02/18 07:51:04 | 000,001,690 | ---- | M] () -- D:\Documents and Settings\All Users\Copy of wgafiz.reg
[2010/02/18 07:49:43 | 000,000,561 | ---- | M] () -- D:\Documents and Settings\Richard\My Documents\ogafiz.reg

========== Files Created - No Company Name ==========

[2010/03/01 08:28:13 | 000,001,690 | ---- | C] () -- D:\Documents and Settings\All Users\Copy of wgafiz.reg
[2010/02/28 12:49:33 | 000,000,686 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 09:38:20 | 000,000,050 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2010/02/27 16:45:58 | 000,000,566 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\deltemp.bat.lnk
[2010/02/27 00:14:45 | 000,000,839 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Richscheckers.htm.lnk
[2010/02/26 23:54:19 | 000,401,362 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\bookmarks022010.html
[2010/02/26 22:40:01 | 000,005,632 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\WordPad Document Scrap 'http___www_ehguy...'.shs
[2010/02/26 22:04:40 | 000,405,740 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\addon-1122-latest.xpi
[2010/02/25 10:14:00 | 002,760,493 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\20100210citymap_saltroutes.pdf
[2010/02/24 12:10:07 | 002,394,178 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\Snow.mp3
[2010/02/23 23:35:30 | 000,000,574 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Shared Pictures.lnk
[2010/02/23 23:32:04 | 000,000,513 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\My Videos.lnk
[2010/02/23 15:10:01 | 000,001,947 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Photo Gallery.lnk
[2010/02/23 15:05:22 | 000,001,914 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Windows Live Writer.lnk
[2010/02/23 14:10:19 | 002,886,144 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\LiveUpload.Facebook.msi
[2010/02/23 08:55:52 | 000,648,704 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\Imageshack_upload.msi
[2010/02/23 08:13:33 | 000,320,512 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\insertlinksmartly-wlwplugin.msi
[2010/02/22 14:37:11 | 000,367,208 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\blog-02-22-2010.xml
[2010/02/21 23:56:48 | 000,029,410 | ---- | C] () -- D:\Documents and Settings\Richard\Desktop\tantan_facebookPhotos-0.3.zip
[2010/02/19 16:54:06 | 000,001,507 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/18 17:48:59 | 002,238,041 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\Early_Localization_Native_Americans_USA.jpg
[2010/02/18 17:37:12 | 000,758,667 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\Non-Native-American-Nations-Territorial-Claims-over-NAFTA-countries-1750-2008.gif
[2010/02/18 07:47:01 | 000,000,561 | ---- | C] () -- D:\Documents and Settings\Richard\My Documents\ogafiz.reg
[2010/02/13 01:06:49 | 000,518,752 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/12/07 14:22:15 | 000,237,568 | ---- | C] () -- D:\WINDOWS\System32\lame_enc.dll
[2009/11/02 00:34:21 | 000,147,456 | ---- | C] () -- D:\WINDOWS\System32\RtlCPAPI.dll
[2009/10/31 14:49:29 | 000,007,909 | ---- | C] () -- D:\WINDOWS\System32\ftpctrs.ini
[2009/10/31 14:49:25 | 000,038,576 | ---- | C] () -- D:\WINDOWS\System32\w3ctrs.ini
[2009/10/31 14:49:24 | 000,010,225 | ---- | C] () -- D:\WINDOWS\System32\axperf.ini
[2009/10/31 14:49:17 | 000,011,435 | ---- | C] () -- D:\WINDOWS\System32\infoctrs.ini
[2009/09/09 11:53:42 | 000,028,672 | ---- | C] () -- D:\WINDOWS\System32\MFC_InstDrvDLL.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- D:\WINDOWS\System32\OGACheckControl.dll
[2009/06/17 18:43:36 | 000,000,600 | ---- | C] () -- D:\Documents and Settings\Richard\Application Data\winscp.rnd
[2009/03/23 23:56:24 | 000,765,952 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll
[2009/03/23 23:56:24 | 000,180,224 | ---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll
[2008/09/24 06:48:55 | 000,000,152 | ---- | C] () -- D:\Documents and Settings\Richard\Application Data\ntl.ini
[2008/09/24 06:45:38 | 000,002,115 | ---- | C] () -- D:\Documents and Settings\Richard\Application Data\ntl.nws
[2008/09/15 21:25:44 | 000,000,885 | ---- | C] () -- D:\WINDOWS\entpack.ini
[2008/09/04 11:10:08 | 000,053,760 | ---- | C] () -- D:\WINDOWS\System32\ZLIB.DLL
[2008/08/29 22:45:57 | 000,087,552 | ---- | C] () -- D:\WINDOWS\System32\cpwmon2k.dll
[2008/08/28 13:21:38 | 000,000,350 | ---- | C] () -- D:\Program Files\deltemp2.bat
[2008/08/26 04:00:13 | 000,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2008/08/25 00:14:18 | 000,001,908 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/08/24 04:06:05 | 000,000,000 | ---- | C] () -- D:\WINDOWS\frontpg.ini
[2008/08/24 04:04:34 | 000,021,791 | ---- | C] () -- D:\WINDOWS\System32\smtpctrs.ini
[2008/08/24 04:04:34 | 000,001,037 | ---- | C] () -- D:\WINDOWS\System32\ntfsdrct.ini
[2008/08/24 04:04:07 | 000,001,793 | ---- | C] () -- D:\WINDOWS\System32\fxsperf.ini
[2007/10/22 19:22:35 | 000,000,125 | ---- | C] () -- D:\WINDOWS\AVERY.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- D:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- D:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- D:\WINDOWS\System32\gthrctr.ini
[2007/01/25 12:31:36 | 000,053,299 | ---- | C] () -- D:\WINDOWS\System32\pthreadVC.dll
[2006/12/02 13:18:11 | 000,000,984 | ---- | C] () -- D:\Program Files\deltemp.bat
[2006/06/24 14:55:29 | 000,000,026 | ---- | C] () -- D:\WINDOWS\FP_WMP.INI
[2005/10/24 05:13:20 | 101,102,862 | ---- | C] () -- D:\Program Files\windowblinds.zip
[2005/10/23 14:31:23 | 000,001,097 | ---- | C] () -- D:\WINDOWS\CDFACE32.INI
[2005/10/06 16:55:42 | 000,000,143 | ---- | C] () -- D:\WINDOWS\NeroDigital.ini
[2005/09/26 07:42:36 | 000,012,858 | ---- | C] () -- D:\WINDOWS\cdPlayer.ini
[2005/09/20 20:08:25 | 000,000,144 | ---- | C] () -- D:\WINDOWS\Sierra.ini
[2005/09/20 19:22:56 | 000,000,984 | ---- | C] () -- D:\WINDOWS\STA2.ini
[2005/09/19 21:39:39 | 000,000,660 | ---- | C] () -- D:\WINDOWS\PSTUDIO.INI
[2005/05/14 19:07:43 | 000,000,061 | ---- | C] () -- D:\WINDOWS\smscfg.ini
[2004/10/26 17:39:05 | 003,375,104 | ---- | C] () -- D:\WINDOWS\System32\qt-mt331.dll
[2004/05/03 23:19:13 | 000,007,680 | ---- | C] () -- D:\WINDOWS\System32\kbdkhufr.dll
[2004/02/27 06:05:06 | 000,565,248 | ---- | C] () -- D:\WINDOWS\System32\hpotscl.dll

========== LOP Check ==========

[2009/09/18 12:52:09 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\acccore
[2008/09/26 22:36:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010/02/26 16:11:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\avg9
[2008/08/27 00:00:23 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Grisoft
[2009/04/21 00:29:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\IconTweaker
[2009/08/31 23:01:10 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/02/28 09:38:21 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PrevxCSI
[2008/09/24 08:34:42 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/07/31 21:45:00 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Stardock
[2009/08/04 10:31:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Startup Manager
[2010/02/25 00:30:53 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/18 12:52:16 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/29 23:08:38 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\WildTangent
[2009/09/03 12:21:23 | 000,000,000 | -H-D | M] -- D:\Documents and Settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
[2009/03/06 17:47:57 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/09/18 13:03:47 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\acccore
[2008/08/27 02:35:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Atari
[2008/08/24 23:14:42 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\BitTorrent
[2009/09/06 13:15:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Easy Thumbnails
[2009/04/21 00:29:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\IconTweaker
[2008/08/24 21:51:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\InterTrust
[2008/08/27 02:35:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\InterVideo
[2009/12/04 11:06:30 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Leadertech
[2008/09/02 11:02:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\OfficeUpdate12
[2008/11/07 18:08:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Opera
[2009/07/31 21:50:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Stardock
[2010/02/28 09:49:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\uTorrent
[2008/08/26 04:55:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Vince Valenti
[2009/12/01 12:22:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Windows Desktop Search
[2010/02/23 15:30:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Windows Live Writer
[2009/12/31 15:37:59 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Richard\Application Data\Windows Search
[2010/03/01 08:35:29 | 000,000,236 | ---- | M] () -- D:\WINDOWS\Tasks\OGALogon.job
[2010/02/28 22:04:47 | 000,000,426 | -H-- | M] () -- D:\WINDOWS\Tasks\User_Feed_Synchronization-{63AD31AE-8238-429E-9BE7-E5F8E1101DD1}.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/06/06 00:43:45 | 000,024,064 | ---- | M] ()(D:\Documents and Settings\Richard\My Documents\?????.doc) -- D:\Documents and Settings\Richard\My Documents\天安门事件.doc
[2009/06/06 00:43:42 | 000,024,064 | ---- | C] ()(D:\Documents and Settings\Richard\My Documents\?????.doc) -- D:\Documents and Settings\Richard\My Documents\天安门事件.doc
[2009/06/04 02:24:06 | 000,019,968 | ---- | M] ()(D:\Documents and Settings\Richard\My Documents\????.doc) -- D:\Documents and Settings\Richard\My Documents\六四事件.doc
[2009/06/04 02:24:03 | 000,019,968 | ---- | C] ()(D:\Documents and Settings\Richard\My Documents\????.doc) -- D:\Documents and Settings\Richard\My Documents\六四事件.doc
< End of report >

Edited by Buckeye_Sam, 01 March 2010 - 04:33 PM.


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 01 March 2010 - 04:36 PM

Looks good to me!


Follow these steps to remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Windows Vista System Restore Guide

    Re-enable system restore with instructions from the appropriate tutorial above.

  2. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.






If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


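The three posture checks the list above keeps coming back to (firewall on, antivirus signatures fresh, Windows patches current) can be audited from one script rather than by eye. The following is an added example for this thread, not code from the original post or from BleepingComputer. It assumes a modern Windows host (Windows 8 / Server 2012 or later) with the built-in NetSecurity and Defender modules; those cmdlets post-date this 2010 thread, and the day thresholds are assumptions taken from the "at least once a week" advice above, not figures from the post.

```powershell
# Added example, not part of the original BleepingComputer post.
# Assumes Windows 8 / Server 2012 or later with the NetSecurity and Defender
# modules present, run from an elevated PowerShell session. Thresholds are
# assumptions based on the weekly-update advice in the post.

function Test-FirewallPosture {
    # Step 4: every profile (Domain, Private, Public) should be enabled and
    # should not allow inbound connections by default. A DefaultInboundAction
    # of NotConfigured falls back to Block, so only an explicit Allow is bad.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = [bool]$_.Enabled
            InboundBlocked = ($_.DefaultInboundAction -ne 'Allow')
        }
    }
}

function Test-SignatureAge {
    param([int]$MaxAgeDays = 7)   # assumption: "at least once a week"
    # Step 3: antivirus signatures must be recent and real-time protection on.
    $s   = Get-MpComputerStatus
    $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        SignatureVersion   = $s.AntivirusSignatureVersion
        LastUpdated        = $s.AntivirusSignatureLastUpdated
        AgeDays            = [int][math]::Floor($age.TotalDays)
        Stale              = ($age.TotalDays -gt $MaxAgeDays)
        RealTimeProtection = [bool]$s.RealTimeProtectionEnabled
    }
}

function Test-PatchAge {
    param([int]$MaxAgeDays = 30)  # assumption: roughly one Patch Tuesday
    # Step 5: find the most recently installed hotfix. Some entries report no
    # InstalledOn date, so those are skipped rather than treated as newest.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ LastHotFix = $null; InstalledOn = $null; AgeDays = $null; Stale = $true }
    }
    $age = (Get-Date) - $latest.InstalledOn
    [pscustomobject]@{
        LastHotFix  = $latest.HotFixID
        InstalledOn = $latest.InstalledOn
        AgeDays     = [int][math]::Floor($age.TotalDays)
        Stale       = ($age.TotalDays -gt $MaxAgeDays)
    }
}

function Test-ProtectionPosture {
    # Returns $true only when all three checks pass; the per-check objects
    # are written to the verbose stream for the operator to inspect.
    $fw  = Test-FirewallPosture
    $av  = Test-SignatureAge
    $upd = Test-PatchAge

    $fwOk  = -not ($fw | Where-Object { -not $_.Enabled -or -not $_.InboundBlocked })
    $avOk  = (-not $av.Stale) -and $av.RealTimeProtection
    $updOk = -not $upd.Stale

    $fw  | ForEach-Object { Write-Verbose ("Firewall {0}: Enabled={1} InboundBlocked={2}" -f $_.Profile, $_.Enabled, $_.InboundBlocked) }
    Write-Verbose ("AV signatures {0} days old, real-time={1}" -f $av.AgeDays, $av.RealTimeProtection)
    Write-Verbose ("Last hotfix {0} installed {1} days ago" -f $upd.LastHotFix, $upd.AgeDays)

    return ($fwOk -and $avOk -and $updOk)
}

# Usage: Test-ProtectionPosture -Verbose
```

Each check returns an object rather than printing, so the same functions can be dropped into a scheduled task or a logon script and the result acted on (for example, blocking network access until `Test-ProtectionPosture` returns `$true`). On a host that still runs a third-party antivirus instead of Defender, `Get-MpComputerStatus` will not reflect that product and the signature check would need to be replaced with the vendor's own query.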
========================================================

#7 RichWertz

RichWertz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:07 AM

Posted 02 March 2010 - 01:31 AM


Hi Buckeye Sam...

Your list of preventative and maintenance measures took much longer than I thought to complete! I have to tell you that my machine is working so much better now and with no sign of the troubles that brought me here.

Thank you so much for your time and the solution to my problem. I can't thank you enough!

Kind regards,
Rich Wertz

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:07 AM

Posted 02 March 2010 - 08:13 AM

I'm glad I could help you out!


Now that your malware problem appears to be resolved, this topic will be closed.
If you need this topic reopened, please contact a member of the Malware Response Team and we will reopen it for you.
Include the address of this topic in your request.



========================================================
