Trojan backdoor virus [Closed]



#1 PeggyV (Member, 15 posts)
Hello -- I'm needing assistance cleaning up my granddaughter's laptop. (She's a college student - heavy into Facebook, and iPod music and picture downloading.) I've followed your malware removal guide, and got *some* of the spyware/virus stuff off, but a few stubborn ones remain. (The AVG virus scanner called one "Trojan Horse Backdoor PcClient.2.ar and PCClient.2.AT".) However, the AVG scanner is now saying the computer is clean, but I just heard one of the "talking virus" ads -- saying we had won a Nintendo Wii. So it's still there hiding, I'm afraid.
I'm also unable to do any upgrades from Microsoft's site -- it hangs. I also can't run Help and Support, or the System Information programs on the laptop. (They show an hourglass briefly and then nothing.) I've copied the Rooter.txt and the OTListIt.txt below. (It won't create an "Extras.txt" file.)

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

C:\ [Fixed] - NTFS - (Total:57224 Mo/Free:1216 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [Removable] (Total:120 Mo/Free:63 Mo)

Thu 03/26/2009|10:24

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Documents and Settings\Em\Desktop\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Thu 03/26/2009|10:25

----------------------\\ Scan completed at 10:25

OTListIt logfile created on: 3/26/2009 10:25:55 AM - Run 10
OTListIt2 by OldTimer - Version 2.0.7.1 Folder = C:\Documents and Settings\Em\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 72.82% Memory free
3.35 Gb Paging File | 3.10 Gb Available in Paging File | 92.61% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 37.19 Gb Free Space | 66.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 120.73 Mb Total Space | 63.59 Mb Free Space | 52.67% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EMILY
Current User Name: Em
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Documents and Settings\Em\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (0L81CY3S7W0 [Disabled | Stopped]) -- File not found
SRV - (23KJWN [Disabled | Stopped]) -- File not found
SRV - (2B585B5 [Disabled | Stopped]) -- File not found
SRV - (6to4 [Auto | Running]) -- C:\WINDOWS\system32\6to4v32.dll ()
SRV - (8OO5O [Disabled | Stopped]) -- File not found
SRV - (Apple Mobile Device [Disabled | Stopped]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Disabled | Stopped]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (ccwiz [Disabled | Stopped]) -- File not found
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DgVip_Service [Disabled | Stopped]) -- File not found
SRV - (DWMRCS [Disabled | Stopped]) -- C:\WINDOWS\SYSTEM32\DWRCS.EXE (DameWare Development LLC)
SRV - (F5P3KNCC73 [Disabled | Stopped]) -- File not found
SRV - (F8Z5L5Q [Disabled | Stopped]) -- File not found
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (FwcAgent [Disabled | Stopped]) -- C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe (Microsoft ® Corporation)
SRV - (HCE13QIBP [Disabled | Stopped]) -- File not found
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IBMPMSVC [Disabled | Stopped]) -- C:\WINDOWS\system32\ibmpmsvc.exe ()
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [Disabled | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Irmon [Auto | Running]) -- C:\WINDOWS\System32\irmon.dll (Microsoft Corporation)
SRV - (JavaQuickStarterService [Disabled | Stopped]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (jdyk [Disabled | Stopped]) -- File not found
SRV - (jldk [Disabled | Stopped]) -- File not found
SRV - (jlqk [Disabled | Stopped]) -- File not found
SRV - (JQ33FQ21X [Disabled | Stopped]) -- File not found
SRV - (jqjk [Disabled | Stopped]) -- File not found
SRV - (jqka [Disabled | Stopped]) -- File not found
SRV - (jqtk [Disabled | Stopped]) -- File not found
SRV - (jtqa [Disabled | Stopped]) -- File not found
SRV - (jwka [Disabled | Stopped]) -- File not found
SRV - (jwmk [Disabled | Stopped]) -- File not found
SRV - (jwqa [Disabled | Stopped]) -- File not found
SRV - (jwqk [Disabled | Stopped]) -- File not found
SRV - (jwtk [Disabled | Stopped]) -- File not found
SRV - (Lavasoft Ad-Aware Service [Disabled | Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (LBTServ [Disabled | Stopped]) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (MDM [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (mstsc [Disabled | Stopped]) -- C:\WINDOWS\System32\mstsc.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (OL2VNFYC0GS [Disabled | Stopped]) -- File not found
SRV - (ose [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Portable Media Serial [Disabled | Stopped]) -- File not found
SRV - (Q1JO6D [Disabled | Stopped]) -- File not found
SRV - (R95MDJ [Disabled | Stopped]) -- File not found
SRV - (RCZAXNA [Disabled | Stopped]) -- File not found
SRV - (RL7W6BORIDB [Disabled | Stopped]) -- File not found
SRV - (T2TI2BKXN [Disabled | Stopped]) -- File not found
SRV - (TSG55AHBB [Disabled | Stopped]) -- File not found
SRV - (U3IDB9OS [Disabled | Stopped]) -- File not found
SRV - (VHOGX4 [Disabled | Stopped]) -- File not found
SRV - (Windows_Twains [Disabled | Stopped]) -- File not found
SRV - (WMPNetworkSvc [Disabled | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (X4QIT7BI [Disabled | Stopped]) -- File not found
SRV - (ZBFROERBN [Disabled | Stopped]) -- File not found

========== Driver Services (SafeList) ==========

DRV - (ADIHdAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (AEAudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\AEAudio.sys (Andrea Electronics Corporation)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atmeltpm [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atmeltpm.sys (Atmel, Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (e1express [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e1e5132.sys (Intel Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSFHWAZL [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (iastor [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (IBMPMDRV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys (Lenovo.)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (LHidFilt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys (Logitech, Inc.)
DRV - (LMouFilt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys (Logitech, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (NETw4x32 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\NETw4x32.sys (Intel Corporation)
DRV - (NSCIRDA [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nscirda.sys (National Semiconductor Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (Smapint [System | Running]) -- C:\WINDOWS\System32\drivers\Smapint.sys (Microsoft Corporation)
DRV - (SynTP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (TDSMAPI [System | Running]) -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS ()
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 00000000;
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/03/24 17:11:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/21 11:02:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/08 12:27:17 | 00,000,000 | ---D | M]

[2009/03/21 11:02:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Em\Application Data\mozilla\Extensions
[2009/03/21 11:02:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Em\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/21 11:02:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Em\Application Data\mozilla\Firefox\Profiles\qtl4nlkn.default\extensions
[2009/03/08 17:31:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/07 15:41:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/08 12:27:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/03/07 15:40:53 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/07 15:40:53 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/19 18:28:04 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/19 18:28:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/19 18:28:04 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/19 18:28:04 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/19 18:28:04 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/19 18:28:04 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/01/19 18:28:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Microsoft Firewall Client Name Space Service Provider] - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1196868946421 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll (Logitech, Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/03/26 10:24:53 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/26 10:24:45 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Em\Desktop\Rooter.exe
[2009/03/26 10:24:37 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Em\Desktop\OTListIt2.exe
[2009/03/24 19:32:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\HouseCall 6.6
[2009/03/24 19:31:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Sun
[2009/03/24 17:22:13 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/03/24 17:11:31 | 00,107,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/24 17:11:31 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/03/24 17:11:31 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/03/24 17:11:26 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/03/24 17:11:24 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/03/24 17:11:19 | 34,448,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/24 17:11:19 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/03/24 17:11:19 | 00,401,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/03/24 17:11:19 | 00,066,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/24 17:11:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/03/24 16:55:10 | 00,055,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/03/23 15:32:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/03/22 09:37:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Malwarebytes
[2009/03/21 23:37:20 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/03/21 23:37:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/03/21 11:49:12 | 00,007,919 | ---- | C] () -- C:\DOCUME~1\Em\My Documents\test.xlsx
[2009/03/21 11:35:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\AdobeUM
[2009/03/21 11:35:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Adobe
[2009/03/21 11:35:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/03/21 11:07:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Macromedia
[2009/03/21 11:02:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Mozilla
[2009/03/21 11:02:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Mozilla
[2009/03/21 09:36:13 | 00,070,016 | ---- | C] () -- C:\Documents and Settings\Em\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/21 09:28:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Microsoft Help
[2009/03/15 13:35:06 | 05,886,648 | -H-- | C] () -- C:\Documents and Settings\Em\Local Settings\Application Data\IconCache.db
[2009/03/15 13:23:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Adobe
[2009/03/15 12:38:11 | 00,000,073 | -HS- | C] () -- C:\DOCUME~1\Em\My Documents\desktop.ini
[2009/03/15 12:38:11 | 00,000,000 | R--D | C] -- C:\DOCUME~1\Em\My Documents\My Pictures
[2009/03/15 12:38:11 | 00,000,000 | R--D | C] -- C:\DOCUME~1\Em\My Documents\My Music
[2009/03/15 12:38:07 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Em\Application Data\desktop.ini
[2009/03/15 12:38:06 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Em\Application Data\Microsoft
[2009/03/15 12:38:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Microsoft
[2009/03/08 15:08:11 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/08 14:52:20 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/08 14:44:45 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/03/08 14:44:39 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/03/08 14:44:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/03/08 14:18:25 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/03/08 14:18:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/03/07 16:23:55 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/07 16:23:55 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/07 16:23:53 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/07 16:23:52 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/05 21:24:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/03/05 20:51:32 | 00,001,372 | ---- | C] () -- C:\Program Files\CQ0TO8BGG.bat
[2009/03/05 20:45:49 | 00,001,377 | ---- | C] () -- C:\Program Files\GSGR5AC05.bat
[2009/03/05 20:35:34 | 00,001,380 | ---- | C] () -- C:\Program Files\GXE4SHMOA.bat
[2009/03/05 17:10:45 | 00,001,366 | ---- | C] () -- C:\Program Files\DG0KDG.bat
[2009/03/04 23:30:29 | 00,001,368 | ---- | C] () -- C:\Program Files\NISD3YC.bat
[2009/03/04 19:16:35 | 00,001,366 | ---- | C] () -- C:\Program Files\NS738567Z5J.bat
[2009/03/04 18:31:36 | 00,001,377 | ---- | C] () -- C:\Program Files\VVN4BC.bat
[2009/03/04 17:13:54 | 00,001,372 | ---- | C] () -- C:\Program Files\QI2JU.bat
[2009/03/04 15:37:46 | 00,001,369 | ---- | C] () -- C:\Program Files\G7S9EXQVVS.bat
[2009/03/02 16:14:28 | 00,001,370 | ---- | C] () -- C:\Program Files\Q9ZBQ3A2GBUH.bat
[2009/03/02 16:01:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/02 16:01:16 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/03/02 16:01:12 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/03/02 15:41:29 | 00,001,373 | ---- | C] () -- C:\Program Files\2TJCUY.bat
[2009/03/02 15:26:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/02 15:23:09 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2009/03/02 15:18:35 | 00,001,369 | ---- | C] () -- C:\Program Files\9Y5VBUL.bat
[2009/03/02 15:11:33 | 00,001,363 | ---- | C] () -- C:\Program Files\T6G0L.bat
[2009/03/02 15:02:32 | 00,001,372 | ---- | C] () -- C:\Program Files\IGO405.bat
[2009/03/02 14:23:26 | 00,001,380 | ---- | C] () -- C:\Program Files\V24X6R3GO.bat
[2009/03/02 13:36:50 | 00,001,371 | ---- | C] () -- C:\Program Files\KGS4HC.bat
[2009/03/02 13:34:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/03/26 10:21:44 | 34,448,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/26 10:20:24 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/26 10:20:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/26 10:20:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/25 23:39:40 | 00,066,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/24 21:22:06 | 05,886,648 | -H-- | M] () -- C:\Documents and Settings\Em\Local Settings\Application Data\IconCache.db
[2009/03/24 17:11:31 | 00,107,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/24 17:11:31 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/03/24 17:11:31 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/03/24 17:11:26 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/03/24 17:11:24 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/03/24 17:11:19 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/03/24 17:11:19 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/03/24 16:24:11 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/24 16:24:11 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/24 16:24:11 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/03/24 00:00:44 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Em\Desktop\OTListIt2.exe
[2009/03/24 00:00:30 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Em\Desktop\Rooter.exe
[2009/03/23 15:34:05 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/03/22 09:23:32 | 00,000,073 | -HS- | M] () -- C:\DOCUME~1\Em\My Documents\desktop.ini
[2009/03/21 23:37:53 | 00,033,866 | ---- | M] () -- C:\WINDOWS\System32\info.dat
[2009/03/21 23:35:48 | 00,160,764 | ---- | M] () -- C:\WINDOWS\System32\ljcbol.key
[2009/03/21 23:04:48 | 00,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\beep.sys
[2009/03/21 23:04:48 | 00,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\beep.sys
[2009/03/21 11:49:13 | 00,007,919 | ---- | M] () -- C:\DOCUME~1\Em\My Documents\test.xlsx
[2009/03/21 09:36:13 | 00,070,016 | ---- | M] () -- C:\Documents and Settings\Em\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/08 15:00:30 | 00,526,534 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/08 15:00:30 | 00,445,096 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/08 15:00:30 | 00,072,554 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/08 14:52:03 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/08 14:51:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/08 14:28:53 | 00,352,023 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090308-143049.backup
[2009/03/07 16:23:55 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/02 16:01:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/03/02 16:01:16 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/03/02 13:51:54 | 00,050,578 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090308-142853.backup

========== Alternate Data Streams ==========

@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080824.vbs:Bookmarks
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080727.vbs:Bookmarks
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080327.vbs:Bookmarks
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080109.vbs:Bookmarks
@Alternate Data Stream - 6555 bytes -> C:\WINDOWS\commonXP_20080327.vbs:Undo
@Alternate Data Stream - 364 bytes -> C:\WINDOWS\commonXP_20080109.vbs:Undo
@Alternate Data Stream - 21608 bytes -> C:\WINDOWS\commonXP_20080824.vbs:Undo
@Alternate Data Stream - 19182 bytes -> C:\WINDOWS\commonXP_20080727.vbs:Undo
< End of report >

Thanks,

Peggy V.

#2
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
hello

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    SRV - (0L81CY3S7W0 [Disabled | Stopped]) -- File not found
    SRV - (23KJWN [Disabled | Stopped]) -- File not found
    SRV - (2B585B5 [Disabled | Stopped]) -- File not found
    SRV - (6to4 [Auto | Running]) -- C:\WINDOWS\system32\6to4v32.dll ()
    SRV - (8OO5O [Disabled | Stopped]) -- File not found
    SRV - (ccwiz [Disabled | Stopped]) -- File not found
    SRV - (DgVip_Service [Disabled | Stopped]) -- File not found
    SRV - (F5P3KNCC73 [Disabled | Stopped]) -- File not found
    SRV - (F8Z5L5Q [Disabled | Stopped]) -- File not found
    SRV - (HCE13QIBP [Disabled | Stopped]) -- File not found
    SRV - (jdyk [Disabled | Stopped]) -- File not found
    SRV - (jldk [Disabled | Stopped]) -- File not found
    SRV - (jlqk [Disabled | Stopped]) -- File not found
    SRV - (JQ33FQ21X [Disabled | Stopped]) -- File not found
    SRV - (jqjk [Disabled | Stopped]) -- File not found
    SRV - (jqka [Disabled | Stopped]) -- File not found
    SRV - (jqtk [Disabled | Stopped]) -- File not found
    SRV - (jtqa [Disabled | Stopped]) -- File not found
    SRV - (jwka [Disabled | Stopped]) -- File not found
    SRV - (jwmk [Disabled | Stopped]) -- File not found
    SRV - (jwqa [Disabled | Stopped]) -- File not found
    SRV - (jwqk [Disabled | Stopped]) -- File not found
    SRV - (jwtk [Disabled | Stopped]) -- File not found
    SRV - (OL2VNFYC0GS [Disabled | Stopped]) -- File not found
    SRV - (Portable Media Serial [Disabled | Stopped]) -- File not found
    SRV - (Q1JO6D [Disabled | Stopped]) -- File not found
    SRV - (R95MDJ [Disabled | Stopped]) -- File not found
    SRV - (RCZAXNA [Disabled | Stopped]) -- File not found
    SRV - (RL7W6BORIDB [Disabled | Stopped]) -- File not found
    SRV - (T2TI2BKXN [Disabled | Stopped]) -- File not found
    SRV - (TSG55AHBB [Disabled | Stopped]) -- File not found
    SRV - (U3IDB9OS [Disabled | Stopped]) -- File not found
    SRV - (VHOGX4 [Disabled | Stopped]) -- File not found
    SRV - (Windows_Twains [Disabled | Stopped]) -- File not found
    SRV - (X4QIT7BI [Disabled | Stopped]) -- File not found
    SRV - (ZBFROERBN [Disabled | Stopped]) -- File not found
    [2009/03/05 20:51:32 | 00,001,372 | ---- | C] () -- C:\Program Files\CQ0TO8BGG.bat
    [2009/03/05 20:45:49 | 00,001,377 | ---- | C] () -- C:\Program Files\GSGR5AC05.bat
    [2009/03/05 20:35:34 | 00,001,380 | ---- | C] () -- C:\Program Files\GXE4SHMOA.bat
    [2009/03/05 17:10:45 | 00,001,366 | ---- | C] () -- C:\Program Files\DG0KDG.bat
    [2009/03/04 23:30:29 | 00,001,368 | ---- | C] () -- C:\Program Files\NISD3YC.bat
    [2009/03/04 19:16:35 | 00,001,366 | ---- | C] () -- C:\Program Files\NS738567Z5J.bat
    [2009/03/04 18:31:36 | 00,001,377 | ---- | C] () -- C:\Program Files\VVN4BC.bat
    [2009/03/04 17:13:54 | 00,001,372 | ---- | C] () -- C:\Program Files\QI2JU.bat
    [2009/03/04 15:37:46 | 00,001,369 | ---- | C] () -- C:\Program Files\G7S9EXQVVS.bat
    [2009/03/02 16:14:28 | 00,001,370 | ---- | C] () -- C:\Program Files\Q9ZBQ3A2GBUH.bat
    [2009/03/02 15:41:29 | 00,001,373 | ---- | C] () -- C:\Program Files\2TJCUY.bat
    [2009/03/02 15:18:35 | 00,001,369 | ---- | C] () -- C:\Program Files\9Y5VBUL.bat
    [2009/03/02 15:11:33 | 00,001,363 | ---- | C] () -- C:\Program Files\T6G0L.bat
    [2009/03/02 15:02:32 | 00,001,372 | ---- | C] () -- C:\Program Files\IGO405.bat
    [2009/03/02 14:23:26 | 00,001,380 | ---- | C] () -- C:\Program Files\V24X6R3GO.bat
    [2009/03/02 13:36:50 | 00,001,371 | ---- | C] () -- C:\Program Files\KGS4HC.bat
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log (don't check the boxes beside LOP Check or Purity this time)



Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


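As an added example (not code from the thread, the helper, or OTL itself), this Python script parses the SRV and file-entry line formats used in these OTL logs and flags the kinds of entries the :OTLI fix above targets: services still registered but with no binary on disk, a service DLL under system32 with no company name, and .bat files sitting in the root of C:\Program Files. The sample lines are constructed from entries in this thread; each hit is a prompt for manual review, not a verdict, since a legitimate unbranded binary such as the IBMPMSVC entry in the next log would also trip the second rule.

```python
"""Triage helper for OTListIt2 (OTL) logs like the ones posted in this thread.

Added example; it is not part of the thread and not OTL's own code.  It parses
two of OTL's line formats, the "SRV - (...)" service entries and the
"[date | size | attrs | C/M] (company) -- path" file entries, and flags:
  * services whose registration survives but whose binary is "File not found"
  * a service binary under system32 that carries no company/version name
  * .bat files dropped directly into the root of C:\\Program Files
Every hit is a prompt for manual review, not a verdict.
"""
import re
from dataclasses import dataclass

# SRV - (name [Start | State]) -- <path> (<company>)    or    -- File not found
SRV_RE = re.compile(
    r"^SRV - \((?P<name>.+?) \[(?P<start>[^|]+) \| (?P<state>[^\]]+)\]\) -- (?P<target>.+)$"
)
# [yyyy/mm/dd hh:mm:ss | size | attrs | C] (company) -- path   (directory entries carry no "(company)")
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+) \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Splits "C:\path\file.dll (Company Name)" into its path and company parts.
PATH_COMPANY_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^)]*)\)$")

ORPHANED = "orphaned service (binary missing)"
UNSIGNED_SYS32 = "service binary in system32 with no company name"
BAT_IN_PROGFILES = "batch file dropped in Program Files root"


@dataclass
class Finding:
    reason: str
    name: str          # service name or file name
    random_name: bool  # extra signal only; see looks_random()
    line: str          # the original log line, ready to paste into an :OTLI block for review


def looks_random(name: str) -> bool:
    """Heuristic: 5+ characters of only capitals and digits, with at least one of
    each (0L81CY3S7W0, CQ0TO8BGG).  Deliberately narrow so avg8wd or IBMPMSVC pass."""
    return (re.fullmatch(r"[A-Z0-9]{5,}", name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious log line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            if target == "File not found":
                findings.append(Finding(ORPHANED, name, looks_random(name), line))
            else:
                pm = PATH_COMPANY_RE.match(target)
                if (pm and pm.group("company") == ""
                        and "\\system32\\" in pm.group("path").lower()):
                    findings.append(Finding(UNSIGNED_SYS32, name, looks_random(name), line))
            continue
        m = FILE_RE.match(line)
        if m:
            parent, _, fname = m.group("path").rpartition("\\")
            if parent.lower() == r"c:\program files" and fname.lower().endswith(".bat"):
                findings.append(Finding(BAT_IN_PROGFILES, fname, looks_random(fname[:-4]), line))
    return findings


# Constructed sample, assembled from entry formats that appear in this thread.
SAMPLE_LOG = r"""
SRV - (0L81CY3S7W0 [Disabled | Stopped]) -- File not found
SRV - (6to4 [Auto | Running]) -- C:\WINDOWS\system32\6to4v32.dll ()
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (jdyk [Disabled | Stopped]) -- File not found
[2009/03/05 20:51:32 | 00,001,372 | ---- | C] () -- C:\Program Files\CQ0TO8BGG.bat
[2009/03/07 16:23:55 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/08 14:18:25 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = " [random-looking name]" if f.random_name else ""
        print(f"{f.reason}{flag}\n    {f.line}")
```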
#3
PeggyV (Member)
  • Topic Starter
  • Member
  • 15 posts
Hello -- I ran the OTL2 custom scan/fix and am posting the new OTL2 log per your instructions. I also ran RootRepeal and copied its report below.
====================================
OTListIt logfile created on: 3/26/2009 6:38:46 PM - Run 11
OTListIt2 by OldTimer - Version 2.0.7.1 Folder = C:\Documents and Settings\Em\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 73.15% Memory free
3.35 Gb Paging File | 3.10 Gb Available in Paging File | 92.52% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 37.10 Gb Free Space | 66.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EMILY
Current User Name: Em
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Documents and Settings\Em\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Disabled | Stopped]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Disabled | Stopped]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DWMRCS [Disabled | Stopped]) -- C:\WINDOWS\SYSTEM32\DWRCS.EXE (DameWare Development LLC)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (FwcAgent [Disabled | Stopped]) -- C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe (Microsoft ® Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IBMPMSVC [Disabled | Stopped]) -- C:\WINDOWS\system32\ibmpmsvc.exe ()
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [Disabled | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Irmon [Auto | Running]) -- C:\WINDOWS\System32\irmon.dll (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Lavasoft Ad-Aware Service [Disabled | Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (LBTServ [Disabled | Stopped]) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (MDM [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (mstbsvc [Auto | Stopped]) -- C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe (Microsoft Corp.)
SRV - (mstsc [Disabled | Stopped]) -- C:\WINDOWS\System32\mstsc.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (WMPNetworkSvc [Disabled | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ADIHdAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (AEAudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\AEAudio.sys (Andrea Electronics Corporation)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atmeltpm [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atmeltpm.sys (Atmel, Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (e1express [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e1e5132.sys (Intel Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSFHWAZL [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (iastor [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (IBMPMDRV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys (Lenovo.)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (LHidFilt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys (Logitech, Inc.)
DRV - (LMouFilt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys (Logitech, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (NETw4x32 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\NETw4x32.sys (Intel Corporation)
DRV - (NSCIRDA [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nscirda.sys (National Semiconductor Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (Smapint [System | Running]) -- C:\WINDOWS\System32\drivers\Smapint.sys (Microsoft Corporation)
DRV - (SynTP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (TDSMAPI [System | Running]) -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS ()
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 00000000;
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/03/24 17:11:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/08 12:27:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/21 11:02:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/08 12:27:17 | 00,000,000 | ---D | M]

[2009/03/21 11:02:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Em\Application Data\mozilla\Extensions
[2009/03/21 11:02:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Em\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/21 11:02:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Em\Application Data\mozilla\Firefox\Profiles\qtl4nlkn.default\extensions
[2009/03/26 14:44:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/07 15:41:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/08 12:27:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/03/26 14:44:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/03/07 15:40:53 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/07 15:40:53 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/19 18:28:04 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/19 18:28:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/19 18:28:04 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/19 18:28:04 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/19 18:28:04 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/19 18:28:04 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/01/19 18:28:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Microsoft Firewall Client Name Space Service Provider] - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1196868946421 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll (Logitech, Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/03/26 18:29:31 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/03/26 14:44:33 | 00,000,000 | ---D | C] -- C:\Program Files\MSN
[2009/03/26 10:24:53 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/26 10:24:45 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Em\Desktop\Rooter.exe
[2009/03/26 10:24:37 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Em\Desktop\OTListIt2.exe
[2009/03/24 19:32:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\HouseCall 6.6
[2009/03/24 19:31:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Sun
[2009/03/24 17:22:13 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/03/24 17:11:31 | 00,107,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/24 17:11:31 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/03/24 17:11:31 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/03/24 17:11:26 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/03/24 17:11:24 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/03/24 17:11:19 | 34,448,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/24 17:11:19 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/03/24 17:11:19 | 00,401,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/03/24 17:11:19 | 00,066,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/24 17:11:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/03/24 16:55:10 | 00,055,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/03/23 15:32:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/03/22 09:37:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Malwarebytes
[2009/03/21 23:37:20 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/03/21 23:37:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/03/21 11:49:12 | 00,007,919 | ---- | C] () -- C:\Documents and Settings\Em\My Documents\test.xlsx
[2009/03/21 11:35:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\AdobeUM
[2009/03/21 11:35:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Adobe
[2009/03/21 11:35:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/03/21 11:07:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Macromedia
[2009/03/21 11:02:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Mozilla
[2009/03/21 11:02:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Mozilla
[2009/03/21 09:36:13 | 00,070,016 | ---- | C] () -- C:\Documents and Settings\Em\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/21 09:28:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Microsoft Help
[2009/03/15 13:35:06 | 05,886,648 | -H-- | C] () -- C:\Documents and Settings\Em\Local Settings\Application Data\IconCache.db
[2009/03/15 13:23:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Application Data\Adobe
[2009/03/15 12:38:11 | 00,000,073 | -HS- | C] () -- C:\Documents and Settings\Em\My Documents\desktop.ini
[2009/03/15 12:38:11 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Em\My Documents\My Pictures
[2009/03/15 12:38:11 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Em\My Documents\My Music
[2009/03/15 12:38:07 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Em\Application Data\desktop.ini
[2009/03/15 12:38:06 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Em\Application Data\Microsoft
[2009/03/15 12:38:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Em\Local Settings\Application Data\Microsoft
[2009/03/08 15:08:11 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/08 14:52:20 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/08 14:44:45 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/03/08 14:44:39 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/03/08 14:44:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/03/08 14:18:25 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/03/08 14:18:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/03/07 16:23:55 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/07 16:23:55 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/07 16:23:53 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/07 16:23:52 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/05 21:24:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/03/02 16:01:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/02 16:01:16 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/03/02 16:01:12 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/03/02 15:26:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/02 15:23:09 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2009/03/02 13:34:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/03/26 18:37:16 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/26 18:36:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/26 18:36:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/26 10:21:44 | 34,448,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/03/25 23:39:40 | 00,066,382 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/03/24 21:22:06 | 05,886,648 | -H-- | M] () -- C:\Documents and Settings\Em\Local Settings\Application Data\IconCache.db
[2009/03/24 17:11:31 | 00,107,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/24 17:11:31 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/03/24 17:11:31 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/03/24 17:11:26 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/03/24 17:11:24 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/03/24 17:11:19 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/03/24 17:11:19 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/03/24 16:24:11 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/24 16:24:11 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/24 16:24:11 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/03/24 00:00:44 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Em\Desktop\OTListIt2.exe
[2009/03/24 00:00:30 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Em\Desktop\Rooter.exe
[2009/03/23 15:34:05 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/03/22 09:23:32 | 00,000,073 | -HS- | M] () -- C:\Documents and Settings\Em\My Documents\desktop.ini
[2009/03/21 23:37:53 | 00,033,866 | ---- | M] () -- C:\WINDOWS\System32\info.dat
[2009/03/21 23:35:48 | 00,160,764 | ---- | M] () -- C:\WINDOWS\System32\ljcbol.key
[2009/03/21 23:04:48 | 00,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\beep.sys
[2009/03/21 23:04:48 | 00,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\beep.sys
[2009/03/21 11:49:13 | 00,007,919 | ---- | M] () -- C:\Documents and Settings\Em\My Documents\test.xlsx
[2009/03/21 09:36:13 | 00,070,016 | ---- | M] () -- C:\Documents and Settings\Em\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/08 15:00:30 | 00,526,534 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/08 15:00:30 | 00,445,096 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/08 15:00:30 | 00,072,554 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/08 14:52:03 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/08 14:51:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/08 14:28:53 | 00,352,023 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090308-143049.backup
[2009/03/07 16:23:55 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/02 16:01:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/03/02 16:01:16 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/03/02 13:51:54 | 00,050,578 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090308-142853.backup

========== Alternate Data Streams ==========

@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080824.vbs:Bookmarks
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080727.vbs:Bookmarks
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080327.vbs:Bookmarks
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080109.vbs:Bookmarks
@Alternate Data Stream - 6555 bytes -> C:\WINDOWS\commonXP_20080327.vbs:Undo
@Alternate Data Stream - 364 bytes -> C:\WINDOWS\commonXP_20080109.vbs:Undo
@Alternate Data Stream - 21608 bytes -> C:\WINDOWS\commonXP_20080824.vbs:Undo
@Alternate Data Stream - 19182 bytes -> C:\WINDOWS\commonXP_20080727.vbs:Undo
< End of report >

===================================================
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/26 18:43
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xADA19000 Size: 778240 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA55B000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\f848e2a1-2ce3-48d3-937d-eefe17a55c3e.tmp
Status: Allocation size mismatch (API: 65536, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba8f887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba8f8c10
======================================

Thanks,

Peggy V
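An added example, not part of the post above or of OTListIt/RootRepeal: a small Python triage script that parses the two log formats posted above (the OTListIt file lines and ADS section, and RootRepeal's SSDT section) and pulls out what a helper reads first. The sample lines are a re-typed subset of the logs above, SCAN_TIME is RootRepeal's own "Scan Time", and the 7-day window is an assumption.

```python
"""Triage helpers for the OTListIt and RootRepeal output formats shown above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of the log lines from the post above, re-typed.
SAMPLE_LOG = r"""
[2009/03/24 17:11:31 | 00,107,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/03/21 23:37:53 | 00,033,866 | ---- | M] () -- C:\WINDOWS\System32\info.dat
[2009/03/21 23:35:48 | 00,160,764 | ---- | M] () -- C:\WINDOWS\System32\ljcbol.key
[2009/03/21 23:04:48 | 00,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\beep.sys
[2009/03/08 14:52:03 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/08 14:51:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/24 16:24:11 | 00,000,211 | RHS- | M] () -- C:\boot.ini
@Alternate Data Stream - 8 bytes -> C:\WINDOWS\commonXP_20080824.vbs:Bookmarks
@Alternate Data Stream - 6555 bytes -> C:\WINDOWS\commonXP_20080327.vbs:Undo
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba8f887e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba8f8c10
"""
SCAN_TIME = datetime(2009, 3, 26, 18, 43)  # RootRepeal's "Scan Time" above

# [date time | size | attrs | M] (company) -- path
FILE_RE = re.compile(r"^\[(\S+ \S+) \| ([\d,]+) \| (\S{4}) \| M\] \((.*?)\) -- (.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
SSDT_RE = re.compile(r'^#: \d+ Function Name: (\w+)\nStatus: Hooked by "([^"]+)"', re.M)

@dataclass
class FileEntry:
    modified: datetime
    size: int
    attrs: str     # R/H/S flags as printed, "-" where unset
    company: str   # empty when OTListIt found no version info
    path: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

def parse_files(text):
    """One FileEntry per OTListIt file line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            ts, size, attrs, company, path = m.groups()
            entries.append(FileEntry(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                                     int(size.replace(",", "")), attrs, company, path))
    return entries

def files_for_review(entries, scan_time=SCAN_TIME, days=7):
    """Files under \\WINDOWS\\System32 with no company name, modified within
    `days` of the scan. Not proof of anything (lsdelete.exe is Lavasoft's own
    file) but it is the first place a helper looks in a log like this."""
    since = scan_time - timedelta(days=days)
    return [e for e in entries
            if "\\windows\\system32\\" in e.path.lower()
            and not e.company and e.modified >= since]

def parse_ads(text):
    """(path, stream name, size) for each alternate data stream line."""
    streams = []
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            path, stream = m.group(2).rsplit(":", 1)
            streams.append((path, stream, int(m.group(1))))
    return streams

def unexpected_streams(streams):
    """Zone.Identifier is the normal 'downloaded file' marker; anything else
    attached to a script in \\WINDOWS deserves a look."""
    return [s for s in streams if s[1] != "Zone.Identifier"]

def parse_ssdt_hooks(text):
    """Map hooking driver -> hooked native functions from RootRepeal's SSDT section."""
    hooks = defaultdict(list)
    for func, driver in SSDT_RE.findall(text):
        hooks[driver].append(func)
    return dict(hooks)

def attribute_hooks(hooks, entries):
    """Resolve each hooking driver to the company OTListIt printed for its file,
    so a hook by a known security product stands apart from an unknown one."""
    by_name = {e.name.lower(): e.company for e in entries}
    return {drv: by_name.get(drv.lower(), "") for drv in hooks}

if __name__ == "__main__":
    files = parse_files(SAMPLE_LOG)
    for e in files_for_review(files):
        print("review:", e.modified, e.path)
    for path, stream, size in unexpected_streams(parse_ads(SAMPLE_LOG)):
        print("ads:", f"{path}:{stream}", size, "bytes")
    hooks = parse_ssdt_hooks(SAMPLE_LOG)
    for drv, company in attribute_hooks(hooks, files).items():
        print("ssdt:", drv, hooks[drv], company or "unknown driver")
```

On the sample the SSDT hooks resolve to Lavasoft AB (the Ad-Watch driver listed in the same log), which is why a helper does not treat them as the rootkit.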

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
  • Under File Age at the top, change it from 30 days to 90 days
  • Under Additional Scans check the boxes beside Reg - ActiveX StubPath, Reg - App Paths, Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - ICQ Agent, Reg - NetSvcs, Reg - Print Monitors, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs ( Last 10 Errors).
  • Under Rootkit Search change it to Yes
  • Under the Custom Scans box at the bottom left paste the following in

    %systemroot%\*.lte
    %systemroot%\*.smf
    %systemroot%\*.tsp
    %systemroot%\Prefetch\*.* /s
    %systemroot%\system32\drivers\*.dat
    %systemroot%\system32\*.aef
    %systemroot%\system32\drivers\*.aef
    %systemroot%\Temp\bca4e2da.$$$
    %systemroot%\Temp\ed47fa.$
    %systemroot%\Temp\fa56d7ec.$$$
    %systemroot%\Temp\*.$$$
    %systemroot%\System32\antiwpa.dll
    %systemroot%\SYSTEM32\wpa.dll
    %systemroot%\setup\scripts\biestart.exe
    %systemroot%\system32\drivers\royal.sys
    %System%\AcroIeHelpe.dll
    %SYSTEMDRIVE%\*.epk
    %systemroot%\*.epk
    %systemroot%\system32\*.epk
    %systemroot%\system32\bb*.dat
    %systemroot%\system32\cookie*.dat
    %systemroot%\system32\kaxs.dat
    %systemroot%\system32\ps*.dat
    %systemroot%\system32\*32.sys
    %systemroot%\*.dr
    %SYSTEMDRIVE%\*.dr
    %systemroot%\system32\*.dr
    %systemroot%\system32\nods32.dll
    %systemroot%\*.res
    %SYSTEMDRIVE%\*.res
    %systemroot%\system32\*.res
    %systemroot%\system32\sockins32.dll
    %systemroot%\system32\Spool\*.*
    %systemroot%\system32\Spool\*.exe
    %systemroot%\system32\Spool\*.rar /s
    %systemroot%\system32\Spool\*.zip /s
    %systemroot%\system32\Spool\*.dat /s
    %ProgramFiles%\MSN Messenger\*.zip
    %ProgramFiles%\MSN Messenger\*.exe
    %ProgramFiles%\MSN Messenger\*.rar.
    %SYSTEMDRIVE%\*.zip
    %SYSTEMDRIVE%\*.rar
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\*.dll
    %systemroot%\*.zip
    %systemroot%\*.rar
    %systemroot%\system32\*.zip
    %systemroot%\system32\*.rar
    %PROGRAMFILES%\*.*
    %DESKTOP%\*.zip
    %DESKTOP%\*.rar
    %DESKTOP%\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %PROGRAMFILES%\Common Files\*bak*.
    %systemroot%\SYSTEM32\*bak*.
    %PROGRAMFILES%\*bak*.
    %systemroot%\ime\imjp8_1\*bak*.
    %PROGRAMFILES%\QuickTime\*bak*.
    %PROGRAMFILES%\Viewpoint\Viewpoint Manager\*bak*.
    %PROGRAMFILES%\Analog Devices\Core\*bak*.
    %SYSTEMDRIVE%\hp\KBD\*bak*.
    %PROGRAMFILES%\Adobe\Photoshop Album Starter Edition\3.2\Apps\*bak*.
    %PROGRAMFILES%\BillP Studios\WinPatrol\*bak*.
    %PROGRAMFILES%\BroadJump\Client Foundation\*bak*.
    %PROGRAMFILES%\Common Files\Real\Update_OB\*bak*.
    %PROGRAMFILES%\Common Files\Sonic\Update Manager\*bak*.
    %PROGRAMFILES%\\Google\GoogleToolbarNotifier\*bak*.
    %PROGRAMFILES%\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\*bak*.
    %PROGRAMFILES%\Yahoo!\Messenger\*bak*.
    %USERNAME%\*.zip
    %USERNAME%\*.rar
    %USERNAME%\*.exe
    %USERPROFILE%\*.zip
    %USERPROFILE%\*.rar
    %USERPROFILE%\*.exe
    %ALLUSERSPROFILE%\*.zip
    %ALLUSERSPROFILE%\*.rar
    %ALLUSERSPROFILE%\*.exe
    %SYSTEMDRIVE%\*.
    %PROGRAMFILES%\*.
    %PROGRAMFILES%\Internet Explorer\*.*
    %PROGRAMFILES%\Internet Explorer\PLUGINS\*.*
    %PROGRAMFILES%\Internet Explorer\*.zip /s
    %PROGRAMFILES%\Internet Explorer\*.rar /s
    %PROGRAMFILES%\Internet Explorer\*.exe /s
    %SYSTEMDRIVE%\*.dat
    %SYSTEMDRIVE%\*.sys
    %SYSTEMROOT%\*.dat
    %SYSTEMROOT%\*.sys
    %systemroot%\system32\drivers\*.exe /s
    %systemroot%\system32\drivers\*.zip /s
    %systemroot%\system32\drivers\*.rar /s
    %systemroot%\system\*.exe /s
    %systemroot%\system\*.zip /s
    %systemroot%\system\*.rar /s
    %systemroot%\AppPatch\*.exe /s
    %systemroot%\AppPatch\*.zip /s
    %systemroot%\AppPatch\*.rar /s
    %systemroot%\Cache\*.*
    %systemroot%\Downloaded Program Files\*.*
    %systemroot%\Fonts\*.exe /s
    %systemroot%\Fonts\*.zip /s
    %systemroot%\Fonts\*.rar /s
    %systemroot%\Fonts\*.dll /s
    %systemroot%\Help\*.exe /s
    %systemroot%\Help\*.zip /s
    %systemroot%\Help\*.rar /s
    %systemroot%\Tasks\*.*
    %APPDATA%\*.sys
    %APPDATA%\Google\*.*
    %systemroot%\system32\serauth1.dll
    %systemroot%\system32\serauth2.dll
    %systemroot%\system32\sysaudio.sys
    %systemroot%\system32\wdmaud.sys
    %systemroot%\system32\aeaudio.sys
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\serauth1.dll /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\serauth2.dll /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\sysaudio.sys /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\aeaudio.sys /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\wdmaud.sys /rs
    %PROGRAMFILES%\*TinyProxy*.
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla|extensions /rs
    %systemroot%\system32\inf\*.exe /s
    %systemroot%\system32\inf\*.zip /s
    %systemroot%\system32\inf\*.rar /s
    %systemroot%\system32\inf\*.dll /s
    %APPDATA%\Opera\Opera\profile\widgets\*.*
    %PROGRAMFILES%\Opera\program\plugins\*.* /s
    %APPDATA%\Opera\Opera\profile\toolbar\*.* /s
    %systemroot%\Web\*.exe /s
    %systemroot%\Web\*.dat /s
    %systemroot%\Web\*.dll /s
    %systemroot%\Web\*.sys /s
    %systemroot%\Web\*.zip /s
    %systemroot%\Web\*.rar /s
    %systemroot%\Wbem\*.exe /s
    %systemroot%\Wbem\*.rar /s
    %systemroot%\Wbem\*.zip /s
    %systemroot%\Wbem\*.dll /s
    %systemroot%\Wbem\*.sys /s
    %systemroot%\Wbem\*.dat /s
    %systemroot%\twain_32\*.exe
    %systemroot%\twain_32\*.dat
    %systemroot%\twain_32\*.dll
    %systemroot%\twain_32\*.sys /s
    %systemroot%\twain_32\*.zip /s
    %systemroot%\twain_32\*.rar /s
    %systemroot%\system\*.sys /s
    %systemroot%\system\*.dat /s
    %systemroot%\WinSxS\*.exe /s
    %systemroot%\WinSxS\*.dat /s
    %systemroot%\WinSxS\*.sys /s
    %systemroot%\WinSxS\*.zip /s
    %systemroot%\WinSxS\*.rar /s
    %systemroot%\Sun\*.dll /s
    %systemroot%\Sun\*.rar /s
    %systemroot%\Sun\*.zip /s
    %systemroot%\Sun\*.exe /s
    %systemroot%\Sun\*.sys /s
    %systemroot%\Sun\*.dat /s
    %systemroot%\srchasst\*.rar /s
    %systemroot%\srchasst\*.zip /s
    %systemroot%\srchasst\*.exe /s
    %systemroot%\srchasst\*.dat /s
    %systemroot%\srchasst\*.sys /s
    %systemroot%\Shellnew\*.rar /s
    %systemroot%\Shellnew\*.zip /s
    %systemroot%\Shellnew\*.dat /s
    %systemroot%\Shellnew\*.exe /s
    %systemroot%\Shellnew\*.sys /s
    %systemroot%\Shellnew\*.dll /s
    %systemroot%\Security\*.rar /s
    %systemroot%\Security\*.zip /s
    %systemroot%\Security\*.dat /s
    %systemroot%\Security\*.exe /s
    %systemroot%\Security\*.sys /s
    %systemroot%\Security\*.dll /s
    %systemroot%\Resources\*.rar /s
    %systemroot%\Resources\*.zip /s
    %systemroot%\Resources\*.dat /s
    %systemroot%\Resources\*.exe /s
    %systemroot%\Resources\*.sys /s
    %systemroot%\Repair\*.sys /s
    %systemroot%\Repair\*.exe /s
    %systemroot%\Repair\*.dll /s
    %systemroot%\Repair\*.zip /s
    %systemroot%\Repair\*.rar /s
    %systemroot%\Registration\*.exe /s
    %systemroot%\Registration\*.dat /s
    %systemroot%\Registration\*.zip /s
    %systemroot%\Registration\*.rar /s
    %systemroot%\Registration\*.dll /s
    %systemroot%\Registration\*.sys /s
    %systemroot%\RegisteredPackages\*.rar /s
    %systemroot%\RegisteredPackages\*.zip /s
    %systemroot%\pss\*.rar /s
    %systemroot%\pss\*.zip /s
    %systemroot%\pss\*.exe /s
    %systemroot%\pss\*.dll /s
    %systemroot%\pss\*.dat /s
    %systemroot%\pss\*.sys /s
    %systemroot%\Provisioning\*.rar /s
    %systemroot%\Provisioning\*.zip /s
    %systemroot%\Provisioning\*.exe /s
    %systemroot%\Provisioning\*.sys /s
    %systemroot%\Provisioning\*.dat /s
    %systemroot%\Provisioning\*.dll /s
    %systemroot%\PIF\*.*
    %systemroot%\PeerNet\*.rar /s
    %systemroot%\PeerNet\*.zip /s
    %systemroot%\PeerNet\*.dat /s
    %systemroot%\PeerNet\*.sys /s
    %systemroot%\PeerNet\*.exe /s
    %systemroot%\PcTel\*.rar /s
    %systemroot%\PcTel\*.zip /s
    %systemroot%\Offline Web Pages\*.exe /s
    %systemroot%\Offline Web Pages\*.zip /s
    %systemroot%\Offline Web Pages\*.rar /s
    %systemroot%\Offline Web Pages\*.sys /s
    %systemroot%\Offline Web Pages\*.dat /s
    %systemroot%\network diagnostic\*.sys /s
    %systemroot%\network diagnostic\*.rar /s
    %systemroot%\network diagnostic\*.zip /s
    %systemroot%\network diagnostic\*.dat /s
    %systemroot%\mui\*.*
    %systemroot%\msapps\*.*
    %systemroot%\msagent\*.zip /s
    %systemroot%\msagent\*.rar /s
    %systemroot%\msagent\*.sys /s
    %systemroot%\msagent\*.dat /s
    %systemroot%\minidump\*.*
    %systemroot%\media\*.sys /s
    %systemroot%\media\*.dat /s
    %systemroot%\media\*.rar /s
    %systemroot%\media\*.zip /s
    %systemroot%\media\*.exe /s
    %systemroot%\media\*.dll /s
    %systemroot%\Help\*.sys /s
    %systemroot%\Help\*.dat /s
    %systemroot%\ie7\*.sys /s
    %systemroot%\ie7\*.zip /s
    %systemroot%\ie7\*.rar /s
    %systemroot%\ie7\*.dat /s
    %systemroot%\ie7updates\*.sys /s
    %systemroot%\ie7updates\*.zip /s
    %systemroot%\ie7updates\*.rar /s
    %systemroot%\ime\*.sys /s
    %systemroot%\ime\*.zip /s
    %systemroot%\ime\*.rar /s
    %systemroot%\inf\*.sys /s
    %systemroot%\inf\*.dat /s
    %systemroot%\installer\*.sys /s
    %systemroot%\installer\*.zip /s
    %systemroot%\installer\*.rar /s
    %systemroot%\installer\*.dat /s
    %systemroot%\internet logs\*.sys /s
    %systemroot%\Cursors\*.rar /s
    %systemroot%\Cursors\*.sys /s
    %systemroot%\Cursors\*.exe /s
    %systemroot%\Cursors\*.dat /s
    %systemroot%\Cursors\*.zip /s
    %systemroot%\Cursors\*.vbs /s
    %systemroot%\Cursors\*.dll /s
    %systemroot%\Config\*.*
    %systemroot%\Config\*.rar /s
    %systemroot%\Config\*.sys /s
    %systemroot%\Config\*.exe /s
    %systemroot%\Config\*.dat /s
    %systemroot%\internet logs\*.dat /s
    %systemroot%\Assembly\*sys /s
    %systemroot%\Assembly\*.rar /s
    %systemroot%\internet logs\*.rar /s
    %systemroot%\AppPatch\*.sys
    %systemroot%\AppPatch\*.dat
    %systemroot%\internet logs\*.zip /s
    %systemroot%\internet logs\*.exe /s
    %systemroot%\internet logs\*.dll /s
    %systemroot%\l2schemas\*.sys /s
    %systemroot%\l2schemas\*.dat /s
    %systemroot%\l2schemas\*.rar /s
    %systemroot%\l2schemas\*.zip /s
    %systemroot%\l2schemas\*.exe /s
    %systemroot%\l2schemas\*.dll /s
    %systemroot%\Fonts\*.dat /s
    %systemroot%\Fonts\*.sys /s
    %systemroot%\Debug\*.rar /s
    %systemroot%\Debug\*.sys /s
    %systemroot%\Debug\*.exe /s
    %systemroot%\Debug\*.dat /s
    %systemroot%\Debug\*.zip /s
    %systemroot%\Debug\*.dll /s
    %systemroot%\ehome\*.dll /s
    %systemroot%\ehome\*.sys /s
    %systemroot%\ehome\*.rar /s
    %systemroot%\ehome\*.dat /s
    %systemroot%\ehome\*.zip /s
    %systemroot%\Connection Wizard\*.dat /s
    %systemroot%\Connection Wizard\*.exe /s
    %systemroot%\Connection Wizard\*.sys /s
    %systemroot%\Connection Wizard\*.rar /s
    %systemroot%\Connection Wizard\*.zip /s
    %systemroot%\Connection Wizard\*.*
    %systemroot%\system32\1025\*.*
    %systemroot%\system32\1028\*.*
    %systemroot%\system32\1031\*.*
    %systemroot%\system32\1033\*.exe
    %systemroot%\system32\1033\*.sys
    %systemroot%\system32\1033\*.zip
    %systemroot%\system32\1033\*.rar
    %systemroot%\system32\1033\*.dat
    %systemroot%\system32\1037\*.*
    %systemroot%\system32\1041\*.*
    %systemroot%\system32\1042\*.*
    %systemroot%\system32\1054\*.*
    %systemroot%\system32\2052\*.*
    %systemroot%\system32\3076\*.*
    %systemroot%\system32\appmgmt\*.exe /s
    %systemroot%\system32\appmgmt\*.sys /s
    %systemroot%\system32\appmgmt\*.dll /s
    %systemroot%\system32\appmgmt\*.dat /s
    %systemroot%\system32\appmgmt\*.zip /s
    %systemroot%\system32\appmgmt\*.rar /s
    %systemroot%\system32\bits\*.rar /s
    %systemroot%\system32\bits\*.zip /s
    %systemroot%\system32\bits\*.exe /s
    %systemroot%\system32\bits\*.dat /s
    %systemroot%\system32\bits\*.sys /s
    %systemroot%\system32\catroot\*.rar /s
    %systemroot%\system32\catroot\*.zip /s
    %systemroot%\system32\catroot\*.dll /s
    %systemroot%\system32\catroot\*.sys /s
    %systemroot%\system32\catroot\*.exe /s
    %systemroot%\system32\catroot\*.dat /s
    %systemroot%\system32\catroot2\*.rar /s
    %systemroot%\system32\catroot2\*.zip /s
    %systemroot%\system32\catroot2\*.exe /s
    %systemroot%\system32\catroot2\*.dat /s
    %systemroot%\system32\catroot2\*.dll /s
    %systemroot%\system32\catroot2\*.sys /s
    %systemroot%\system32\com\*.sys /s
    %systemroot%\system32\com\*.zip /s
    %systemroot%\system32\com\*.rar /s
    %systemroot%\system32\config\*.rar /s
    %systemroot%\system32\config\*.zip /s
    %systemroot%\system32\config\*.sys /s
    %systemroot%\system32\config\*.dll /s
    %systemroot%\system32\config\*.exe /s
    %systemroot%\system32\dhcp\*.*
    %systemroot%\system32\DirectX\*.rar /s
    %systemroot%\system32\DirectX\*.zip /s
    %systemroot%\system32\DirectX\*.sys /s
    %systemroot%\system32\DirectX\*.dll /s
    %systemroot%\system32\DirectX\*.exe /s
    %systemroot%\system32\DirectX\*.dat /s
    %systemroot%\system32\Dllcache\*.zip /s
    %systemroot%\system32\Dllcache\*.rar /s
    %systemroot%\system32\drivers\*.dat
    %systemroot%\system32\drivers\*.exe /s
    %systemroot%\system32\drivers\*.zip /s
    %systemroot%\system32\drivers\*.rar /s
    %systemroot%\system32\drvstore\*.dat
    %systemroot%\system32\drvstore\*.exe /s
    %systemroot%\system32\drvstore\*.zip /s
    %systemroot%\system32\drvstore\*.rar /s
    %systemroot%\system32\en\*.dat /s
    %systemroot%\system32\en\*.exe /s
    %systemroot%\system32\en\*.zip /s
    %systemroot%\system32\en\*.rar /s
    %systemroot%\system32\en\*.sys /s
    %systemroot%\system32\en\*.sys /s
    %systemroot%\system32\en\*.dat /s
    %systemroot%\system32\en-us\*.exe /s
    %systemroot%\system32\en-us\*.zip /s
    %systemroot%\system32\en-us\*.rar /s
    %systemroot%\system32\en-us\*.dll /s
    %systemroot%\system32\export\*.*
    %systemroot%\system32\GroupPolicy\*.sys /s
    %systemroot%\system32\GroupPolicy\*.dat /s
    %systemroot%\system32\GroupPolicy\*.exe /s
    %systemroot%\system32\GroupPolicy\*.zip /s
    %systemroot%\system32\GroupPolicy\*.rar /s
    %systemroot%\system32\GroupPolicy\*.dll /s
    %systemroot%\system32\ias\*.sys /s
    %systemroot%\system32\ias\*.dat /s
    %systemroot%\system32\ias\*.exe /s
    %systemroot%\system32\ias\*.zip /s
    %systemroot%\system32\ias\*.rar /s
    %systemroot%\system32\ias\*.dll /s
    %systemroot%\system32\icsxml\*.sys /s
    %systemroot%\system32\icsxml\*.dat /s
    %systemroot%\system32\icsxml\*.exe /s
    %systemroot%\system32\icsxml\*.zip /s
    %systemroot%\system32\icsxml\*.rar /s
    %systemroot%\system32\icsxml\*.dll /s
    %systemroot%\system32\ime\*.sys /s
    %systemroot%\system32\ime\*.dat /s
    %systemroot%\system32\ime\*.zip /s
    %systemroot%\system32\ime\*.rar /s
    %systemroot%\system32\inetsrv\*.sys /s
    %systemroot%\system32\inetsrv\*.dat /s
    %systemroot%\system32\inetsrv\*.exe /s
    %systemroot%\system32\inetsrv\*.zip /s
    %systemroot%\system32\inetsrv\*.rar /s
    %systemroot%\system32\LogFiles\*.sys /s
    %systemroot%\system32\LogFiles\*.dat /s
    %systemroot%\system32\LogFiles\*.exe /s
    %systemroot%\system32\LogFiles\*.zip /s
    %systemroot%\system32\LogFiles\*.rar /s
    %systemroot%\system32\LogFiles\*.dll /s
    %systemroot%\system32\Macromed\*.sys /s
    %systemroot%\system32\Macromed\*.dat /s
    %systemroot%\system32\Macromed\*.zip /s
    %systemroot%\system32\Macromed\*.rar /s
    %systemroot%\system32\Microsoft\*.sys /s
    %systemroot%\system32\Microsoft\*.dat /s
    %systemroot%\system32\Microsoft\*.exe /s
    %systemroot%\system32\Microsoft\*.zip /s
    %systemroot%\system32\Microsoft\*.rar /s
    %systemroot%\system32\Microsoft\*.dll /s
    %systemroot%\system32\Msdtc\*.sys /s
    %systemroot%\system32\Msdtc\*.dat /s
    %systemroot%\system32\Msdtc\*.exe /s
    %systemroot%\system32\Msdtc\*.zip /s
    %systemroot%\system32\Msdtc\*.rar /s
    %systemroot%\system32\Msdtc\*.dll /s
    %systemroot%\system32\Mui\*.sys /s
    %systemroot%\system32\Mui\*.dat /s
    %systemroot%\system32\Mui\*.exe /s
    %systemroot%\system32\Mui\*.zip /s
    %systemroot%\system32\Mui\*.rar /s
    %systemroot%\system32\npp\*.sys /s
    %systemroot%\system32\npp\*.dat /s
    %systemroot%\system32\npp\*.zip /s
    %systemroot%\system32\npp\*.rar /s
    %systemroot%\system32\NtMsData\*.sys /s
    %systemroot%\system32\NtMsData\*.dat /s
    %systemroot%\system32\NtMsData\*.exe /s
    %systemroot%\system32\NtMsData\*.zip /s
    %systemroot%\system32\NtMsData\*.rar /s
    %systemroot%\system32\NtMsData\*.dll /s
    %systemroot%\system32\oobe\*.sys /s
    %systemroot%\system32\oobe\*.dat /s
    %systemroot%\system32\oobe\*.zip /s
    %systemroot%\system32\oobe\*.rar /s
    %systemroot%\system32\PreInstall\*.sys /s
    %systemroot%\system32\PreInstall\*.dat /s
    %systemroot%\system32\PreInstall\*.exe /s
    %systemroot%\system32\PreInstall\*.zip /s
    %systemroot%\system32\PreInstall\*.rar /s
    %systemroot%\system32\PreInstall\*.dll /s
    %systemroot%\system32\ras\*.sys /s
    %systemroot%\system32\ras\*.dat /s
    %systemroot%\system32\ras\*.exe /s
    %systemroot%\system32\ras\*.zip /s
    %systemroot%\system32\ras\*.rar /s
    %systemroot%\system32\ras\*.dll /s
    %systemroot%\system32\ReInstallBackups\*.dat /s
    %systemroot%\system32\ReInstallBackups\*.zip /s
    %systemroot%\system32\ReInstallBackups\*.rar /s
    %systemroot%\system32\Restore\*.sys /s
    %systemroot%\system32\Restore\*.zip /s
    %systemroot%\system32\Restore\*.rar /s
    %systemroot%\system32\Restore\*.dll /s
    %systemroot%\system32\Scripting\*.sys /s
    %systemroot%\system32\Scripting\*.dat /s
    %systemroot%\system32\Scripting\*.exe /s
    %systemroot%\system32\Scripting\*.zip /s
    %systemroot%\system32\Scripting\*.rar /s
    %systemroot%\system32\Scripting\*.dll /s
    %systemroot%\system32\Setup\*.sys /s
    %systemroot%\system32\Setup\*.dat /s
    %systemroot%\system32\Setup\*.exe /s
    %systemroot%\system32\Setup\*.zip /s
    %systemroot%\system32\Setup\*.rar /s
    %systemroot%\system32\ShellExt\*.*
    %systemroot%\system32\SoftwareDistribution\*.sys /s
    %systemroot%\system32\SoftwareDistribution\*.dat /s
    %systemroot%\system32\SoftwareDistribution\*.exe /s
    %systemroot%\system32\SoftwareDistribution\*.zip /s
    %systemroot%\system32\SoftwareDistribution\*.rar /s
    %systemroot%\system32\URTTEmp\*.sys /s
    %systemroot%\system32\URTTEmp\*.dat /s
    %systemroot%\system32\URTTEmp\*.zip /s
    %systemroot%\system32\URTTEmp\*.rar /s
    %systemroot%\system32\USMT\*.sys /s
    %systemroot%\system32\USMT\*.dat /s
    %systemroot%\system32\USMT\*.zip /s
    %systemroot%\system32\USMT\*.rar /s
    %systemroot%\system32\Wbem\*.sys /s
    %systemroot%\system32\Wbem\*.zip /s
    %systemroot%\system32\Wbem\*.rar /s
    %systemroot%\system32\Wins\*.*
    %systemroot%\system32\Xircom\*.*
    %systemroot%\system32\XPSViewer\*.sys /s
    %systemroot%\system32\XPSViewer\*.dat /s
    %systemroot%\system32\XPSViewer\*.zip /s
    %systemroot%\system32\XPSViewer\*.rar /s
    %systemroot%\system32\XPSViewer\*.dll /s
    %COMMONPROGRAMFILES%\*.sys /s
    %COMMONPROGRAMFILES%\*.zip /s
    %COMMONPROGRAMFILES%\*.rar /s
    %COMMONPROGRAMFILES%\*.*
    %ProgramFiles%\Movie Maker\*.dll
    %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
    %systemroot%\java\apps\*.*
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    %systemroot%\winstart.bat
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts|Startup /rs
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    %systemroot%\system32\basequu32.dll
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

#5
PeggyV

    Member

  • Topic Starter
  • Member
  • 15 posts
Hello -- I ran the OTScanIt2 and it froze in a DOS window running the catchme.exe. It's just sitting there - no disk activity. What should I do from there? (Also, should I be connected to the Internet while I'm running this?)

Thanks,

Peggy V.

Edited by PeggyV, 26 March 2009 - 08:44 PM.


#6
PeggyV

    Member

  • Topic Starter
  • Member
  • 15 posts
Sorry! It wasn't frozen after all. (It just took a while.) I've attached the OTScanIt.txt file.

Thanks,

Peggy V.


#7
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Start OTScanIt2. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\uTorrent\uTorrent.exe" -> C:\Program Files\uTorrent\uTorrent.exe [C:\Program Files\uTorrent\uTorrent.exe:*:Disabled:µTorrent]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Services [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
YN -> "0L81CY3S7W0" ->
YN -> "23KJWN" ->
YN -> "2B585B5" ->
YN -> "8OO5O" ->
YN -> "F5P3KNCC73" ->
YN -> "F8Z5L5Q" ->
YN -> "jdyk" ->
YN -> "jldk" ->
YN -> "jlqk" ->
YN -> "JQ33FQ21X" ->
YN -> "jqjk" ->
YN -> "jqka" ->
YN -> "jqtk" ->
YN -> "jtqa" ->
YN -> "jwka" ->
YN -> "jwmk" ->
YN -> "jwqa" ->
YN -> "jwqk" ->
YN -> "jwtk" ->
YN -> "OL2VNFYC0GS" ->
YN -> "Q1JO6D" ->
YN -> "R95MDJ" ->
YN -> "RCZAXNA" ->
YN -> "RL7W6BORIDB" ->
YN -> "sopidkc" ->
YN -> "T2TI2BKXN" ->
YN -> "TSG55AHBB" ->
YN -> "U3IDB9OS" ->
YN -> "VHOGX4" ->
YN -> "Windows_Twains" ->
YN -> "WMPNetworkSvc" ->
YN -> "X4QIT7BI" ->
YN -> "ZBFROERBN" ->
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YN -> C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk -> %SystemDrive%\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LOGITE~1.EXE
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Ad-Watch hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Lavasoft\Ad-Aware\AAWTray.exe
YN -> Explorer hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\system32\msrstart.exe
YN -> KernelFaultCheck hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
[Files/Folders - Created Within 90 Days]
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> _OTListIt -> %SystemDrive%\_OTListIt
NY -> Rooter$ -> %SystemDrive%\Rooter$
NY -> XVWB11BX9N2.bat -> %ProgramFiles%\XVWB11BX9N2.bat
NY -> M1SXB.bat -> %ProgramFiles%\M1SXB.bat
NY -> J5ASC4GSES.bat -> %ProgramFiles%\J5ASC4GSES.bat
NY -> qq2.bmp -> %SystemRoot%\System32\qq2.bmp
NY -> 6UF3L.bat -> %ProgramFiles%\6UF3L.bat
NY -> 2QSEJ2V1UC1V.bat -> %ProgramFiles%\2QSEJ2V1UC1V.bat
NY -> 7LYXBD7UR3SX.bat -> %ProgramFiles%\7LYXBD7UR3SX.bat
NY -> KY4HN8W4UHI1.bat -> %ProgramFiles%\KY4HN8W4UHI1.bat
[Files/Folders - Modified Within 90 Days]
NY -> D6WD5T.bat -> %ProgramFiles%\D6WD5T.bat
NY -> FPC6OW7VXR1.bat -> %ProgramFiles%\FPC6OW7VXR1.bat
NY -> BXD6ERXC29.bat -> %ProgramFiles%\BXD6ERXC29.bat
NY -> YKNQ2LDI.bat -> %ProgramFiles%\YKNQ2LDI.bat
NY -> JQJUSOCY.bat -> %ProgramFiles%\JQJUSOCY.bat
NY -> TSCLFE.bat -> %ProgramFiles%\TSCLFE.bat
NY -> CJ91MEU43ET.bat -> %ProgramFiles%\CJ91MEU43ET.bat
NY -> NJ7FHEGVFP.bat -> %ProgramFiles%\NJ7FHEGVFP.bat
NY -> qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> XVWB11BX9N2.bat -> %ProgramFiles%\XVWB11BX9N2.bat
NY -> M1SXB.bat -> %ProgramFiles%\M1SXB.bat
NY -> J5ASC4GSES.bat -> %ProgramFiles%\J5ASC4GSES.bat
NY -> 6UF3L.bat -> %ProgramFiles%\6UF3L.bat
NY -> 2QSEJ2V1UC1V.bat -> %ProgramFiles%\2QSEJ2V1UC1V.bat
NY -> 7LYXBD7UR3SX.bat -> %ProgramFiles%\7LYXBD7UR3SX.bat
NY -> KY4HN8W4UHI1.bat -> %ProgramFiles%\KY4HN8W4UHI1.bat
[Custom Scans]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irorcj\ ->
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ynwerygd\ ->
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yxkwkpdh\ ->
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yzdoaxts\ ->
NY -> 2QSEJ2V1UC1V.bat -> C:\Program Files\2QSEJ2V1UC1V.bat
NY -> 6UF3L.bat -> C:\Program Files\6UF3L.bat
NY -> 7LYXBD7UR3SX.bat -> C:\Program Files\7LYXBD7UR3SX.bat
NY -> BXD6ERXC29.bat -> C:\Program Files\BXD6ERXC29.bat
NY -> CJ91MEU43ET.bat -> C:\Program Files\CJ91MEU43ET.bat
NY -> D6WD5T.bat -> C:\Program Files\D6WD5T.bat
NY -> FPC6OW7VXR1.bat -> C:\Program Files\FPC6OW7VXR1.bat
NY -> J5ASC4GSES.bat -> C:\Program Files\J5ASC4GSES.bat
NY -> JQJUSOCY.bat -> C:\Program Files\JQJUSOCY.bat
NY -> KY4HN8W4UHI1.bat -> C:\Program Files\KY4HN8W4UHI1.bat
NY -> M1SXB.bat -> C:\Program Files\M1SXB.bat
NY -> NJ7FHEGVFP.bat -> C:\Program Files\NJ7FHEGVFP.bat
NY -> TSCLFE.bat -> C:\Program Files\TSCLFE.bat
NY -> XVWB11BX9N2.bat -> C:\Program Files\XVWB11BX9N2.bat
NY -> YKNQ2LDI.bat -> C:\Program Files\YKNQ2LDI.bat
NY -> _OTListIt -> C:\_OTListIt
NY -> Rooter$ -> C:\Rooter$
NY -> FTCG0.exe -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\FTCG0.exe
NY -> JBNL0.exe -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\JBNL0.exe
NY -> JLRB0.exe -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\JLRB0.exe
NY -> JOFB0.exe -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\JOFB0.exe
NY -> OPBH0.exe -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\OPBH0.exe
NY -> RVKU0.exe -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\RVKU0.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

#8 PeggyV (Topic Starter, Member, 15 posts)
Hello -- Here's the last log:

[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\uTorrent\uTorrent.exe deleted successfully.
[Registry - Additional Scans - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\0L81CY3S7W0 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\23KJWN deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\2B585B5 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\8OO5O deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\F5P3KNCC73 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\F8Z5L5Q deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jdyk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jldk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jlqk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\JQ33FQ21X deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jqjk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jqka deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jqtk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jtqa deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jwka deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jwmk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jwqa deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jwqk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\jwtk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\OL2VNFYC0GS deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\Q1JO6D deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\R95MDJ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\RCZAXNA deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\RL7W6BORIDB deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\sopidkc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\T2TI2BKXN deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\TSG55AHBB deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\U3IDB9OS deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\VHOGX4 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\Windows_Twains deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\WMPNetworkSvc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\X4QIT7BI deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\\ZBFROERBN deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk\ deleted successfully.
File C:\WINDOWS\pss\ogitech Desktop Messenger.lnk not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ad-Watch hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Explorer hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
[Files/Folders - Created Within 90 Days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\_OTListIt\MovedFiles\03262009_183445 folder moved successfully.
C:\_OTListIt\MovedFiles\03262009_182931\Program Files folder moved successfully.
C:\_OTListIt\MovedFiles\03262009_182931 folder moved successfully.
C:\_OTListIt\MovedFiles folder moved successfully.
C:\_OTListIt folder moved successfully.
C:\Rooter$ folder moved successfully.
C:\Program Files\XVWB11BX9N2.bat moved successfully.
C:\Program Files\M1SXB.bat moved successfully.
C:\Program Files\J5ASC4GSES.bat moved successfully.
C:\WINDOWS\System32\qq2.bmp moved successfully.
C:\Program Files\6UF3L.bat moved successfully.
C:\Program Files\2QSEJ2V1UC1V.bat moved successfully.
C:\Program Files\7LYXBD7UR3SX.bat moved successfully.
C:\Program Files\KY4HN8W4UHI1.bat moved successfully.
[Files/Folders - Modified Within 90 Days]
C:\Program Files\D6WD5T.bat moved successfully.
C:\Program Files\FPC6OW7VXR1.bat moved successfully.
C:\Program Files\BXD6ERXC29.bat moved successfully.
C:\Program Files\YKNQ2LDI.bat moved successfully.
C:\Program Files\JQJUSOCY.bat moved successfully.
C:\Program Files\TSCLFE.bat moved successfully.
C:\Program Files\CJ91MEU43ET.bat moved successfully.
C:\Program Files\NJ7FHEGVFP.bat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
File C:\Program Files\XVWB11BX9N2.bat not found!
File C:\Program Files\M1SXB.bat not found!
File C:\Program Files\J5ASC4GSES.bat not found!
File C:\Program Files\6UF3L.bat not found!
File C:\Program Files\2QSEJ2V1UC1V.bat not found!
File C:\Program Files\7LYXBD7UR3SX.bat not found!
File C:\Program Files\KY4HN8W4UHI1.bat not found!
[Custom Scans]
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irorcj\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ynwerygd\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yxkwkpdh\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yzdoaxts\ deleted successfully.
File/Folder C:\Program Files\2QSEJ2V1UC1V.bat not found.
File/Folder C:\Program Files\6UF3L.bat not found.
File/Folder C:\Program Files\7LYXBD7UR3SX.bat not found.
File/Folder C:\Program Files\BXD6ERXC29.bat not found.
File/Folder C:\Program Files\CJ91MEU43ET.bat not found.
File/Folder C:\Program Files\D6WD5T.bat not found.
File/Folder C:\Program Files\FPC6OW7VXR1.bat not found.
File/Folder C:\Program Files\J5ASC4GSES.bat not found.
File/Folder C:\Program Files\JQJUSOCY.bat not found.
File/Folder C:\Program Files\KY4HN8W4UHI1.bat not found.
File/Folder C:\Program Files\M1SXB.bat not found.
File/Folder C:\Program Files\NJ7FHEGVFP.bat not found.
File/Folder C:\Program Files\TSCLFE.bat not found.
File/Folder C:\Program Files\XVWB11BX9N2.bat not found.
File/Folder C:\Program Files\YKNQ2LDI.bat not found.
File/Folder C:\_OTListIt not found.
File/Folder C:\Rooter$ not found.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\FTCG0.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\JBNL0.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\JLRB0.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\JOFB0.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\OPBH0.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\RVKU0.exe moved successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.9.0 fix logfile created on 03272009_091102

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...
Thanks,

~Peggy V.

#9 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#10 PeggyV (Topic Starter, Member, 15 posts)
Hello -- That didn't take very long at all -- here it is:


Thanks,

Peggy

Attached Files: log.txt (15.31KB, 461 downloads)


#11 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
no need to attach these logs


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\windows\System32\nrifnn.fsl
C:\windows\System32\slztel.fsl
C:\windows\System32\dikqnt.fdf
c:\windows\RemoteAbc.exe
c:\windows\system32\iuctl.dll
c:\windows\system32\ap1394.sys
Folder::

Registry::

Driver::
mstsc
ap1394
winErs
uzdoax
arxmxo

KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#12 PeggyV (Topic Starter, Member, 15 posts)
Here's the latest log:


ComboFix 09-03-26.03 - Em 2009-03-27 20:35:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1132 [GMT -5:00]
Running from: c:\documents and settings\Em\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Em\Desktop\CFSCRIPT.TXT
FW: Symantec Endpoint Protection *enabled*

FILE ::
c:\windows\RemoteAbc.exe
c:\windows\system32\ap1394.sys
c:\windows\System32\dikqnt.fdf
c:\windows\system32\iuctl.dll
c:\windows\System32\nrifnn.fsl
c:\windows\System32\slztel.fsl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iuctl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AP1394
-------\Legacy_ARXMXO
-------\Legacy_MSTSC
-------\Legacy_UZDOAX
-------\Legacy_WINERS
-------\Service_ap1394
-------\Service_arxmxo
-------\Service_mstsc
-------\Service_uzdoax
-------\Service_winErs


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-27 12:11 . 2009-03-27 12:11 <DIR> d-------- c:\program files\Support Tools
2009-03-27 09:11 . 2009-03-27 09:11 <DIR> d-------- C:\_OTScanIt
2009-03-26 20:02 . 2009-03-26 20:30 <DIR> d-------- C:\tshoot
2009-03-26 18:42 . 2009-03-26 18:42 0 --a------ c:\documents and settings\Em\settings.dat
2009-03-24 16:55 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-23 15:32 . 2009-03-23 15:32 <DIR> d-------- c:\windows\ERUNT
2009-03-22 09:37 . 2009-03-22 09:37 <DIR> d-------- c:\documents and settings\Em\Application Data\Malwarebytes
2009-03-21 23:37 . 2009-03-21 23:37 <DIR> d-------- c:\program files\AVG
2009-03-21 11:35 . 2009-03-21 11:45 <DIR> d-------- c:\documents and settings\Em\Application Data\AdobeUM
2009-03-15 13:17 . 2009-03-26 20:11 <DIR> d--hs---- c:\documents and settings\Em\UserData
2009-03-15 12:38 . 2009-03-26 18:42 <DIR> d-------- c:\documents and settings\Em
2009-03-08 14:44 . 2009-03-26 20:12 <DIR> d-------- c:\program files\Lavasoft
2009-03-08 14:44 . 2009-03-26 20:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 14:18 . 2009-03-26 20:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-08 14:18 . 2009-03-26 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 12:27 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-07 16:23 . 2009-03-07 16:23 <DIR> d-------- c:\documents and settings\jokoloc\Application Data\Malwarebytes
2009-03-05 21:48 . 2009-03-05 22:56 <DIR> d-------- c:\documents and settings\jokoloc\.housecall6.6
2009-03-05 21:24 . 2009-03-05 21:24 <DIR> d-------- c:\program files\Trend Micro
2009-03-02 16:01 . 2009-03-02 16:01 0 --a------ c:\windows\nsreg.dat
2009-03-02 15:26 . 2009-03-02 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 15:23 . 2009-03-05 20:58 <DIR> d-------- c:\program files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 19:44 --------- d-----w c:\program files\Java
2009-03-22 05:50 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-22 05:42 --------- d-----w c:\program files\Microsoft MapPoint
2009-03-22 05:42 --------- d-----w c:\program files\Microsoft Firewall Client 2004
2009-03-22 05:32 --------- d-----w c:\program files\Common Files\Motive
2009-03-22 05:29 --------- d-----w c:\program files\Apple Software Update
2009-03-22 04:04 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2009-03-21 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-21 14:30 --------- d-----w c:\program files\Microsoft Works
2009-03-08 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Aventail
2009-03-08 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 02:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-08 02:54 --------- d-----w c:\program files\Logitech
2009-03-07 21:17 --------- d-----w c:\documents and settings\jokoloc\Application Data\LimeWire
2009-03-06 01:57 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-02 19:23 --------- d-----w c:\program files\Yahoo!
2009-03-02 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-24 21:12 --------- d-----w c:\documents and settings\jokoloc\Application Data\uTorrent
2009-02-22 22:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 05:31 --------- d-----w c:\program files\Common Files\Adobe
2009-02-13 23:57 --------- d-----w c:\documents and settings\LocalService\Application Data\AdobeUM
2009-02-09 23:30 --------- d-----w c:\program files\WinSCP3
2009-02-09 23:29 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-09 23:22 --------- d---a-w c:\program files\SAV_win
2009-02-09 23:22 --------- d---a-w c:\program files\SAV_VISTA
.

------- Sigcheck -------

2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB935839$\kernel32.dll
2009-02-09 15:32 984576 3ea8b19f01d786fcae249ea2336fbf39 c:\windows\system32\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-27_15.37.39.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-27 20:33:48 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-28 01:37:45 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-27 20:33:48 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-28 01:37:45 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-27 20:33:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-28 01:37:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SetupLD.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sndsrvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spbbcsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vcr32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vcrmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe ]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xnlscn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2076597496-1563261944-1256410061-83411\Scripts\Logon\0\0]
"Script"=REG_Conf.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Firewall Client Management.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk
backup=c:\windows\pss\Microsoft Firewall Client Management.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-09 05:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Portable Media Serial"=2 (0x2)
"mstsc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LBTServ"=3 (0x3)
"KingDuuBa"=2 (0x2)
"iPassConnectEngine"=3 (0x3)
"idsvc"=3 (0x3)
"HCE13QIBP"=2 (0x2)
"FwcAgent"=2 (0x2)
"DWMRCS"=2 (0x2)
"DgVip_Service"=2 (0x2)
"ClipSrv"=2 (0x2)
"ccwiz"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"NgVpnMgr"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=2 (0x2)
"iPCAgent"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"As32Svc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:*:Disabled:Sav Management

S2 MediapCentere;MS Mediae Control pCenter;c:\windows\System32\svchost.exe -k krnlsvc [2004-08-04 14336]
S2 ResMan;Remote Access Manager Connection ;c:\windows\System32\svchost.exe -k ResMan [2004-08-04 14336]
S2 Symants;Symantec Network Servic;c:\windows\system32\SVCHOST.EXE -k Symants [2004-08-04 14336]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys --> c:\windows\system32\DRIVERS\ngfilter.sys [?]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys --> c:\windows\system32\DRIVERS\nglog.sys [?]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys --> c:\windows\system32\DRIVERS\ngvpn.sys [?]
S4 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [2004-06-09 115544]

--- Other Services/Drivers In Memory ---

*Deregistered* - Dnsresolve

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
snwery REG_MULTI_SZ snwery
cxkwkp REG_MULTI_SZ cxkwkp
ResMan REG_MULTI_SZ ResMan
uzdoax REG_MULTI_SZ uzdoax
WinErp REG_MULTI_SZ WinErp
winErs REG_MULTI_SZ winErs
xxcsdl REG_MULTI_SZ xxcsdl
krnlsvc REG_MULTI_SZ MediapCentere
Symants REG_MULTI_SZ Symants
netsvc REG_MULTI_SZ netsvc
irorcj REG_MULTI_SZ irorcj
arxmxo REG_MULTI_SZ arxmxo
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 20:39:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lqyfef]
"ServiceDll"="%SystemRoot%\System32\slztel.fsl"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
"ServiceDll"="%SystemRoot%\System32\dikqnt.fdf"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,76,8c,5c,d5,01,63,41,b9,8d,7a,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,76,8c,5c,d5,01,63,41,b9,8d,7a,\

[HKEY_USERS\S-1-5-21-2147800216-2383975547-74669015-1021\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-03-27 20:41:19 - machine was rebooted [Em]
ComboFix-quarantined-files.txt 2009-03-28 01:41:17
ComboFix2.txt 2009-03-27 20:38:22

Pre-Run: 40,137,957,376 bytes free
Post-Run: 40,121,688,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
269 --- E O F --- 2009-01-16 19:08:27


Thanks,

~Peggy V.

#13 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hello

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#14 PeggyV (Topic Starter, Member, 15 posts)
Hello -- here's the MBAM log and Kaspersky report. Am I still infected?

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 2

3/28/2009 12:04:15 PM
mbam-log-2009-03-28 (12-04-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 238203
Time elapsed: 50 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp\FTCG0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp\JBNL0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp\JLRB0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp\JOFB0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp\OPBH0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp\RVKU0.exe (Trojan.Agent) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 28, 2009 17:59:24
Records in database: 1981585
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 148898
Threat name: 38
Infected objects: 83
Suspicious objects: 0
Duration of the scan: 02:18:51


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01580000.VBN Infected: Backdoor.Win32.Small.hks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01640000.VBN Infected: Backdoor.Win32.Agent.iba 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\025C0001.VBN Infected: Trojan.Win32.Agent.amzw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\025C0002.VBN Infected: Trojan.Win32.Agent.amzw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\025C0003.VBN Infected: Trojan-Downloader.Win32.Agent.bbmd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04580000.VBN Infected: Trojan.Win32.Agent.bjxs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D80000.VBN Infected: Backdoor.Win32.Small.hks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D80002.VBN Infected: Trojan-Downloader.JS.Iframe.adu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05A40000.VBN Infected: Trojan.Win32.Agent.bjxs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05A40001.VBN Infected: Trojan-Downloader.Win32.Agent.bbmd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100000.VBN Infected: Trojan-Downloader.Win32.Helminthos.mk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100001.VBN Infected: Backdoor.Win32.Small.hkr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100002.VBN Infected: Trojan.Win32.Agent.bqnz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100003.VBN Infected: Trojan.Win32.Agent.bqnz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100004.VBN Infected: Trojan.Win32.Agent.bqnz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100005.VBN Infected: Trojan.Win32.Agent.bqnz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100008.VBN Infected: Backdoor.Win32.Agent.acqe 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Backdoor.Win32.Agent.iba 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09400000.VBN Infected: Trojan-Downloader.Win32.Agent.akwa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09A40000.VBN Infected: Trojan.Win32.AntiAV.agb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09AC0000.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040000.VBN Infected: Worm.Win32.Agent.sp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040001.VBN Infected: Trojan-Downloader.Win32.Agent.bfym 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040002.VBN Infected: Trojan.Win32.Agent.bitx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040003.VBN Infected: Backdoor.Win32.Agent.abqp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040004.VBN Infected: Backdoor.Win32.Agent.acqe 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040005.VBN Infected: Rootkit.Win32.Agent.gll 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C040006.VBN Infected: Backdoor.Win32.Hupigon.frpl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C9C0000.VBN Infected: Trojan.Win32.Slefdel.bto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C9C0001.VBN Infected: Trojan.Win32.Slefdel.bto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD00000.VBN Infected: Trojan-Downloader.Win32.Agent.bfym 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900000.VBN Infected: Backdoor.Win32.Hupigon.evhi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FE00000.VBN Infected: Backdoor.Win32.Agent.iba 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10180000.VBN Infected: Trojan-Dropper.Win32.Agent.adxn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\14600000.VBN Infected: Exploit.Win32.IMG-ANI.ac 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\05.exe.bac_a00416 Infected: Backdoor.Win32.Hupigon.dgls 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\18467.exe.bac_a00416 Infected: Trojan-Downloader.Win32.Agent.bjsd 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\20081.exe.bac_a00416 Infected: Backdoor.Win32.Hupigon.blto 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\41.exe.bac_a00416 Infected: Trojan-Downloader.Win32.Agent.bjsd 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\6334.exe.bac_a00416 Infected: Trojan-Downloader.Win32.Agent.bjsd 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\atgpeu.fsl.bac_a00416 Infected: Backdoor.Win32.PcClient.aekf 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\fz.vbe.bac_a00416 Infected: Trojan-Downloader.VBS.Small.l 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\nrifnn.fsl.bac_a00416 Infected: Backdoor.Win32.PcClient.aekf 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\slztel.fsl.bac_a00416 Infected: Backdoor.Win32.PcClient.aekf 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\snmp.sys.bac_a00416 Infected: Backdoor.Win32.IRCBot.hqg 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_18965067250.bk.bac_a00416 Infected: Packed.Win32.Koblu.a 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_21722269277.bk.bac_a00416 Infected: Trojan.Win32.Agent.bpgn 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_315718495163.bk.bac_a00416 Infected: Packed.Win32.Koblu.a 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_315984624176.bk.bac_a00416 Infected: Trojan.Win32.Agent.bovc 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_316112379508.bk.bac_a00416 Infected: Packed.Win32.Koblu.a 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_509286785111.bk.bac_a00416 Infected: Packed.Win32.Koblu.a 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_543019826558.bk.bac_a00416 Infected: Trojan.Win32.Agent.bpgn 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_578735710111.bk.bac_a00416 Infected: Trojan.Win32.Agent.bpgn 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_640137410392.bk.bac_a00416 Infected: Trojan.Win32.Agent.bpgn 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_678368360692.bk.bac_a00416 Infected: Packed.Win32.Koblu.a 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\tmpxr_719662631975.bk.bac_a00416 Infected: Packed.Win32.Koblu.a 1
C:\Program Files\Symantec AntiVirus\dl.vbe Infected: Trojan-Downloader.VBS.Small.gt 1
C:\Program Files\Symantec AntiVirus\s.vbs Infected: Trojan-Downloader.JS.Small.co 1
C:\WINDOWS\system32\Ipripv32.dll Infected: Trojan.Win32.Obfuscated.acrg 1
C:\WINDOWS\system32\Nwsapv32.dll Infected: Trojan.Win32.Obfuscated.acrg 1
C:\WINDOWS\system32\WmdmPv32.dll Infected: Trojan.Win32.Obfuscated.acrg 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\2QSEJ2V1UC1V.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\6UF3L.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\7LYXBD7UR3SX.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\BXD6ERXC29.bat Infected: Trojan.BAT.Agent.mc 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\CJ91MEU43ET.bat Infected: Trojan.BAT.Agent.mc 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\D6WD5T.bat Infected: Trojan.BAT.Agent.mc 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\FPC6OW7VXR1.bat Infected: Trojan.BAT.Agent.mc 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\M1SXB.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\NJ7FHEGVFP.bat Infected: Trojan.BAT.Agent.me 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\TSCLFE.bat Infected: Trojan.BAT.Agent.me 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\XVWB11BX9N2.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\YKNQ2LDI.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\2TJCUY.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\9Y5VBUL.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\CQ0TO8BGG.bat Infected: Trojan.BAT.Agent.mc 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\DG0KDG.bat Infected: Trojan.BAT.Agent.mc 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\GSGR5AC05.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\NS738567Z5J.bat Infected: Trojan.BAT.Agent.me 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\Q9ZBQ3A2GBUH.bat Infected: Trojan.BAT.Agent.me 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\QI2JU.bat Infected: Trojan.BAT.Agent.me 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\T6G0L.bat Infected: Trojan.BAT.Agent.md 1
C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files\V24X6R3GO.bat Infected: Trojan.BAT.Agent.md 1

The selected area was scanned.

Thanks,

~Peggy V.

#15
Rorschach112 (Retired Staff, 47,710 posts)
Yep, there's still more.

Please download OTMoveIt3 by OldTimer
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Symantec AntiVirus\dl.vbe
    C:\Program Files\Symantec AntiVirus\s.vbs
    C:\WINDOWS\system32\Ipripv32.dll
    C:\WINDOWS\system32\Nwsapv32.dll
    C:\WINDOWS\system32\WmdmPv32.dll
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

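The triage the reply above does by hand, as an added example that is not part of this thread or of any tool named in it: parse the Kaspersky Online Scanner 7 report format posted in #14 and separate detections that already sit inside a quarantine or MovedFiles folder (stored copies another tool has neutralised) from files still in place on disk, which are the only ones the OTMoveIt3 script lists. The sample report is constructed from a few lines of the posted report, and the `files_section` helper is hypothetical.

```python
"""Triage a Kaspersky Online Scanner 7 report: split detections already held in
another tool's quarantine from files still in place on disk."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the report format posted in this thread; the five
# paths are copied from that report, the rest of the scan is omitted.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01580000.VBN Infected: Backdoor.Win32.Small.hks 1
C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine\snmp.sys.bac_a00416 Infected: Backdoor.Win32.IRCBot.hqg 1
C:\Program Files\Symantec AntiVirus\dl.vbe Infected: Trojan-Downloader.VBS.Small.gt 1
C:\WINDOWS\system32\Ipripv32.dll Infected: Trojan.Win32.Obfuscated.acrg 1
C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files\6UF3L.bat Infected: Trojan.BAT.Agent.md 1

The selected area was scanned.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Folder names that mean another tool has already neutralised the file
# (quarantine stores and the MovedFiles folders OTListIt/OTScanIt create).
CONTAINED_MARKERS = ("\\quarantine\\", "\\movedfiles\\")

class Detection(NamedTuple):
    path: str
    threat: str
    count: int

def parse_report(text: str) -> List[Detection]:
    """Extract (path, threat, count) from every 'Infected:' line; skip headers."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found

def is_contained(path: str) -> bool:
    """True when the path lies inside a quarantine or MovedFiles folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in CONTAINED_MARKERS)

def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Bucket detections as 'live' (still in place) or 'contained' (stored copy)."""
    buckets: Dict[str, List[Detection]] = {"live": [], "contained": []}
    for d in detections:
        buckets["contained" if is_contained(d.path) else "live"].append(d)
    return buckets

def files_section(live: List[Detection]) -> str:
    """Hypothetical helper: render live paths as a ':Files' block in the script
    layout the reply above uses (not part of OTMoveIt3 itself)."""
    return "\n".join([":Files"] + [d.path for d in live])

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(result['contained'])} contained, {len(result['live'])} live")
    print(files_section(result["live"]))
```

Quarantine copies still deserve emptying (they are what keeps re-flagging a "clean" machine), but only the live bucket indicates code that can still run.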