Page 2 of 3 (posts 11 to 20 of 23)

Thread: XP firewall virus infection

  1. #11 (Member, joined Oct 2010, 32 posts)

    VirusTotal logs:

    File name:
    itijpg2.dll
    Submission date:
    2011-03-25 11:39:07 (UTC)
    Current status:
    finished
    Result:
    1/41 (2.4%)

    Antivirus Version Last Update Result
    AhnLab-V3 2011.03.25.01 2011.03.25 -
    AntiVir 7.11.5.70 2011.03.25 -
    Antiy-AVL 2.0.3.7 2011.03.25 -
    Avast 4.8.1351.0 2011.03.25 -
    Avast5 5.0.677.0 2011.03.25 -
    AVG 10.0.0.1190 2011.03.25 -
    BitDefender 7.2 2011.03.25 -
    CAT-QuickHeal 11.00 2011.03.25 -
    ClamAV 0.96.4.0 2011.03.25 -
    Commtouch 5.2.11.5 2011.03.24 -
    Comodo 8098 2011.03.25 -
    DrWeb 5.0.2.03300 2011.03.25 -
    eSafe 7.0.17.0 2011.03.24 -
    eTrust-Vet 36.1.8235 2011.03.25 -
    F-Prot 4.6.2.117 2011.03.24 -
    F-Secure 9.0.16440.0 2011.03.23 -
    Fortinet 4.2.254.0 2011.03.25 -
    GData 21 2011.03.25 -
    Ikarus T3.1.1.97.0 2011.03.25 -
    Jiangmin 13.0.900 2011.03.25 -
    K7AntiVirus 9.94.4211 2011.03.25 -
    McAfee 5.400.0.1158 2011.03.25 -
    McAfee-GW-Edition 2010.1C 2011.03.25 -
    Microsoft 1.6702 2011.03.25 -
    NOD32 5984 2011.03.25 -
    Norman 6.07.03 2011.03.24 -
    nProtect 2011-02-10.01 2011.02.15 -
    Panda 10.0.3.5 2011.03.24 -
    PCTools 7.0.3.5 2011.03.25 -
    Prevx 3.0 2011.03.25 -
    Rising 23.50.04.05 2011.03.25 -
    Sophos 4.64.0 2011.03.25 -
    SUPERAntiSpyware 4.40.0.1006 2011.03.25 -
    Symantec 20101.3.0.103 2011.03.25 WS.Reputation.1
    TheHacker 6.7.0.1.156 2011.03.24 -
    TrendMicro 9.200.0.1012 2011.03.25 -
    TrendMicro-HouseCall 9.200.0.1012 2011.03.25 -
    VBA32 3.12.14.3 2011.03.24 -
    VIPRE 8813 2011.03.25 -
    ViRobot 2011.3.25.4376 2011.03.25 -
    VirusBuster 13.6.268.0 2011.03.24 -
    Additional information:
    MD5 : ac7f590cad75ed93229f61e3f3612d35
    SHA1 : c6a162dc714cf32cb769e3bb5241f8570c701507
    SHA256: eae0a03bc0428c14f4a1d87cf1e06bdda6b1b3829b05506d7892708a3b500d62
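Added example, not part of the original thread: a small Python script that recomputes MD5, SHA-1 and SHA-256 for a local copy of a file and compares them with the digests in the VirusTotal report above, so the verdict is tied to the exact bytes on disk rather than to the file name (a re-dropped or updated itijpg2.dll with the same name would hash differently). The report values are copied from the post; the bytes used in the self-test are constructed. One caveat on the result itself: the single hit, Symantec's WS.Reputation.1, is a reputation verdict (the file has been seen by too few users to have earned trust), not a signature match, so 1/41 neither confirms nor clears the DLL.

```python
"""Recompute digests for a file and check them against a VirusTotal report.
Added example; not code from the thread or from VirusTotal."""
import hashlib
import os
import tempfile

# Digests copied from the VirusTotal report for itijpg2.dll posted above.
VT_REPORT = {
    "md5": "ac7f590cad75ed93229f61e3f3612d35",
    "sha1": "c6a162dc714cf32cb769e3bb5241f8570c701507",
    "sha256": "eae0a03bc0428c14f4a1d87cf1e06bdda6b1b3829b05506d7892708a3b500d62",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> dict:
    """Lowercase hex MD5, SHA-1 and SHA-256 of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large binary never has to fit in memory."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def compare_with_report(digests: dict, report: dict) -> dict:
    """Per-algorithm match flags; compared case-insensitively because some
    Windows tools print digests in uppercase while VirusTotal uses lowercase."""
    return {name: digests[name].lower() == report[name].lower() for name in report}


def same_sample(digests: dict, report: dict) -> bool:
    """True only when every listed digest matches.  In a real decision rely on
    SHA-256; MD5 and SHA-1 are compared only because the report lists them
    (both have practical collision attacks)."""
    return all(compare_with_report(digests, report).values())


def streaming_matches_one_shot(data: bytes = b"MZ\x90\x00 constructed sample, not the real DLL") -> bool:
    """Self-check: write constructed bytes to a temp file and confirm the chunked
    file hash equals the one-shot hash (tiny chunk size forces several updates)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return digest_file(path, chunk_size=4) == digest_bytes(data)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: point this at a quarantined copy (assumed path, adjust as needed).
    local = digest_file(r"C:\quarantine\itijpg2.dll")
    for name, ok in compare_with_report(local, VT_REPORT).items():
        print(f"{name:7s} {'match' if ok else 'MISMATCH'}  {local[name]}")
    print("same file as the VirusTotal submission:", same_sample(local, VT_REPORT))
```

If any digest differs, the VirusTotal page describes a different file and the local copy should be submitted on its own before acting on the report.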

  2. #12 (Member, joined Oct 2010, 32 posts)

    Here is the log from the OTL fix run:

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\components folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\searchbar folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\options folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton\panels\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton\panels folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton\icons folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\uwa folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\radio\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\radio\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\radio folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default\scripts folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard\skin\icon_library\Basics folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard\skin\icon_library folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard\skin folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\weather folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\search folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\rss folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\dynamicElements folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin\scripts folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\js folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin\scripts folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\js folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin\scripts folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin\css folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\newtab\images folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\newtab folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\modules folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\lib folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome folder moved successfully.
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889} folder moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20110316-062557.backup moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Fudge Muffin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 69735750 bytes
    ->Flash cache emptied: 456 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: User
    ->Temp folder emptied: 17752 bytes
    ->Temporary Internet Files folder emptied: 8378903 bytes
    ->Java cache emptied: 12147831 bytes
    ->FireFox cache emptied: 111935770 bytes
    ->Flash cache emptied: 228091 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2195181 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 17408 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 880367 bytes
    RecycleBin emptied: 70226 bytes

    Total Files Cleaned = 196.00 mb


    OTL by OldTimer - Version 3.2.17.3 log created on 03252011_065705

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
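Added example, not part of the original thread: Python triage checks that run over OTL-style log lines like the fix log above and the scan report in the next post, and pull out the entries a helper usually looks at first: services and drivers whose registered binary is missing ("File not found"), Firefox proxy preferences, hosts-file lines other than the localhost mappings, and autorun entries with no company name in their version info. The sample lines are constructed in OTL's format; the www.virustotal.com hosts entry is invented to exercise the hosts check and does not appear in the posted logs.

```python
"""Triage checks over OTL-style log lines.  Added example; not OTL's own code
and not from the thread.  SAMPLE_LOG is constructed in OTL's format."""
import re

SAMPLE_LOG = r"""
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
DRV - (catchme) -- C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys File not found
DRV - (npf) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 52323
FF - prefs.js..network.proxy.type: 0
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.virustotal.com
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
"""

# Service/driver entry whose binary is gone: "SRV - (Name) -- path File not found"
ORPHAN_RE = re.compile(r"^(SRV|DRV) - \((?P<name>[^)]+)\).*? -- (?P<path>.+?) File not found$")
# Firefox proxy prefs as OTL prints them from prefs.js
FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<key>network\.proxy\.[a-z_]+): "?(?P<val>[^"]*)"?$')
# hosts-file lines
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+) (?P<host>\S+)")
# Run-key autoruns; the trailing (...) is the company name from version info
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>.*)\)$")

LOOPBACK = {"127.0.0.1", "::1"}


def triage(log_text: str) -> list:
    """Return a list of findings, each a dict with severity, check, name, detail."""
    findings = []
    proxy = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ORPHAN_RE.match(line)
        if m:
            # A missing binary is usually an uninstall leftover; one that lived in a
            # Temp directory deserves a closer look at what installed it.
            in_temp = "\\temp\\" in m["path"].lower()
            findings.append({"severity": "medium" if in_temp else "low",
                             "check": "orphaned-service", "name": m["name"],
                             "detail": m["path"] + (" (binary was in a Temp directory)" if in_temp else "")})
            continue
        m = FF_PREF_RE.match(line)
        if m:
            proxy[m["key"]] = m["val"]   # evaluated after the whole log is read
            continue
        m = HOSTS_RE.match(line)
        if m:
            if not (m["addr"] in LOOPBACK and m["host"] == "localhost"):
                findings.append({"severity": "high", "check": "hosts-redirect",
                                 "name": m["host"], "detail": f"mapped to {m['addr']}"})
            continue
        m = RUN_RE.match(line)
        if m and not m["company"].strip():
            findings.append({"severity": "medium", "check": "autorun-no-company",
                             "name": m["name"], "detail": m["path"]})
    # A proxy host/port only matters together with network.proxy.type:
    # 0 = no proxy, 1 = manual proxy settings in use.
    host = proxy.get("network.proxy.http")
    if host:
        port = proxy.get("network.proxy.http_port")
        ptype = proxy.get("network.proxy.type", "0")
        active = ptype == "1"
        findings.append({"severity": "high" if active else "info",
                         "check": "firefox-proxy", "name": f"{host}:{port}",
                         "detail": "manual proxy in use" if active
                         else f"configured but inactive (network.proxy.type={ptype})"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6s}] {f['check']:20s} {f['name']}: {f['detail']}")
```

On the scan report in this thread the proxy check lands as "info": prefs.js names 127.0.0.1:52323 but network.proxy.type is 0, so Firefox is not using it; still worth finding what listens on that port (netstat -ano, then the PID) because a later change of the type value would silently route browser traffic through that local listener. An empty company name, as for nwiz.exe, is not proof of anything on its own; NVIDIA's nwiz.exe ships without version info, so hash the file rather than judge it by this field.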

  3. #13 (Member, joined Oct 2010, 32 posts)

    Here is the OTL scan report:

    OTL logfile created on: 3/25/2011 7:08:14 AM - Run 4
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\My Documents\Downloads\02
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 27.80 Gb Free Space | 37.30% Space Free | Partition Type: NTFS
    Drive E: | 3.81 Gb Total Space | 0.18 Gb Free Space | 4.74% Space Free | Partition Type: FAT32

    Computer Name: USER-8E19CF174C | User Name: User | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    PRC - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    PRC - C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
    PRC - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
    PRC - C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
    PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
    PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
    PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
    PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
    PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
    PRC - C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd.)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\User\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (Applian Technologies, Inc.)
    MOD - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
    SRV - (DataSvr2) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe File not found
    SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    SRV - (GSService) -- C:\WINDOWS\System32\GSService.exe ()
    SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
    SRV - (CLEARWIRERcAppSvc) -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe (SmithMicro Inc.)
    SRV - (SMSI Device Launch Service) -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
    SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
    SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
    SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)


    ========== Driver Services (SafeList) ==========

    DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
    DRV - (OMCI) -- C:\WINDOWS\System32\DRIVERS\OMCI.SYS File not found
    DRV - (NETw5x32) Intel(R) -- C:\WINDOWS\System32\DRIVERS\NETw5x32.sys File not found
    DRV - (catchme) -- C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys File not found
    DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
    DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
    DRV - (truecrypt) -- C:\WINDOWS\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
    DRV - (npf) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
    DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
    DRV - (appliandMP) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
    DRV - (appliand) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
    DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
    DRV - (bcmbusctr) -- C:\WINDOWS\system32\drivers\BcmBusCtr.sys (Beceem communications pvt ltd.)
    DRV - (bcm) -- C:\WINDOWS\system32\drivers\drxvi314.sys (Beceem communications pvt ltd.)
    DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
    DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
    DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
    DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
    DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
    DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
    DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
    DRV - (regi) -- C:\WINDOWS\system32\drivers\regi.sys (InterVideo)
    DRV - (TcUsb) -- C:\WINDOWS\system32\drivers\tcusb.sys (UPEK Inc.)
    DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
    DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)
    DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
    DRV - (HSXHWAZL) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
    DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
    DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
    DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
    DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
    DRV - (ULCDRHlp) -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys (Ulead Systems, Inc.)
    DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C D5 24 59 F5 03 CA 01 [binary data]
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    ========== FireFox ==========

    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
    FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 52323
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/15 00:37:45 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/15 00:37:45 | 000,000,000 | ---D | M]

    [2010/03/24 17:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
    [2011/03/25 07:02:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions
    [2010/07/08 20:05:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/08/04 22:20:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2011/03/23 05:19:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/09/17 14:14:58 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2010/05/04 15:38:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/03/25 06:57:12 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (NXIECatcher Class) - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll (Xi)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (NetXfer) - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (Xi)
    O3 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [Ask and Record FLV Service] C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
    O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
    O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKU\S-1-5-21-1844237615-764733703-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKU\S-1-5-21-1844237615-764733703-682003330-1003..\Run: [TrueCrypt] C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = False
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html ()
    O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html ()
    O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/S.../bin/cabsa.cab (Symantec RuFSI Utility Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/05/03 12:17:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/25 06:57:05 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/03/24 21:06:01 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2011/03/24 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Zombie RoadKill
    [2011/03/21 23:19:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\MSDN
    [2011/03/21 20:18:00 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2011/03/19 06:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\NetXfer
    [2011/03/19 06:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Xi
    [2011/03/19 06:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\Xi
    [2011/03/19 00:47:36 | 000,049,664 | ---- | C] (CamStudio Group) -- C:\WINDOWS\System32\CamCodec.dll
    [2011/03/19 00:47:36 | 000,000,000 | ---D | C] -- C:\Program Files\CamStudio 2.6b
    [2011/03/15 01:24:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Jaksta_Technologies_Pty_L
    [2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Replay Media Catcher 4
    [2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applian
    [2011/03/15 01:22:44 | 000,000,000 | ---D | C] -- C:\Program Files\Applian Technologies
    [2011/03/15 00:51:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
    [2011/03/15 00:50:35 | 000,000,000 | ---D | C] -- C:\Program Files\AnyMedia Player
    [2011/03/15 00:49:09 | 000,000,000 | ---D | C] -- C:\Program Files\FLVCodec
    [2011/03/15 00:49:06 | 000,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
    [2011/03/15 00:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\ffdshow
    [2011/03/15 00:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
    [2011/03/15 00:48:51 | 000,000,000 | ---D | C] -- C:\Program Files\RipTiger
    [2011/03/15 00:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Foxreal
    [2011/03/15 00:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxreal
    [2011/03/09 06:27:54 | 000,000,000 | ---D | C] -- C:\Program Files\Fox
    [1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/03/25 07:10:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2D4D1D3B-05AD-4C66-8484-B628F282445D}.job
    [2011/03/25 07:03:56 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/03/25 07:03:56 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/03/25 06:59:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/03/25 06:57:12 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2011/03/25 00:39:43 | 001,107,523 | ---- | M] () -- C:\Documents and Settings\User\My Documents\JENNETTE MCCURDY IN A BIKINI______.flv
    [2011/03/25 00:37:08 | 015,759,225 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian _ Billi Bruno.flv
    [2011/03/25 00:34:05 | 002,679,590 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_-1.flv
    [2011/03/25 00:34:02 | 002,679,590 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_.flv
    [2011/03/24 07:13:32 | 000,169,453 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
    [2011/03/22 02:41:37 | 000,078,292 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
    [2011/03/21 23:32:16 | 000,001,035 | ---- | M] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
    [2011/03/21 20:43:36 | 000,004,372 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Attach.zip
    [2011/03/21 20:18:01 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
    [2011/03/21 20:18:01 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
    [2011/03/21 19:37:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 06:26:29 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\User\Application Data\902E.36B
    [2011/03/21 00:36:55 | 000,107,103 | ---- | M] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
    [2011/03/21 00:36:07 | 000,164,429 | ---- | M] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
    [2011/03/21 00:34:39 | 000,194,508 | ---- | M] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
    [2011/03/21 00:34:07 | 000,051,610 | ---- | M] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
    [2011/03/21 00:33:52 | 000,066,039 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
    [2011/03/21 00:33:39 | 000,007,381 | ---- | M] () -- C:\Documents and Settings\User\My Documents\images.jpeg
    [2011/03/21 00:32:53 | 000,152,656 | ---- | M] () -- C:\Documents and Settings\User\My Documents\13.jpg
    [2011/03/21 00:32:09 | 000,163,825 | ---- | M] () -- C:\Documents and Settings\User\My Documents\11.jpg
    [2011/03/20 07:58:21 | 000,221,727 | ---- | M] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
    [2011/03/20 06:25:28 | 000,547,407 | ---- | M] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
    [2011/03/20 04:34:55 | 000,756,214 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
    [2011/03/20 04:32:15 | 000,510,790 | ---- | M] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
    [2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
    [2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
    [2011/03/17 22:11:51 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/03/16 03:01:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/03/15 12:36:34 | 000,188,416 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/03/15 02:26:04 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Gravity 2.9.lnk
    [2011/03/15 01:22:48 | 000,001,956 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
    [2011/03/15 01:19:19 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
    [2011/03/15 01:19:18 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
    [1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/03/25 00:39:40 | 001,107,523 | ---- | C] () -- C:\Documents and Settings\User\My Documents\JENNETTE MCCURDY IN A BIKINI______.flv
    [2011/03/25 00:34:55 | 015,759,225 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian _ Billi Bruno.flv
    [2011/03/25 00:34:03 | 002,679,590 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_-1.flv
    [2011/03/25 00:33:58 | 002,679,590 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_.flv
    [2011/03/24 07:13:32 | 000,169,453 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
    [2011/03/22 02:41:36 | 000,078,292 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
    [2011/03/21 23:23:02 | 000,001,035 | ---- | C] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
    [2011/03/21 20:43:36 | 000,004,372 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Attach.zip
    [2011/03/21 20:18:01 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
    [2011/03/21 20:18:01 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
    [2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 06:25:55 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\User\Application Data\902E.36B
    [2011/03/21 00:36:55 | 000,107,103 | ---- | C] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
    [2011/03/21 00:36:06 | 000,164,429 | ---- | C] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
    [2011/03/21 00:34:38 | 000,194,508 | ---- | C] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
    [2011/03/21 00:34:07 | 000,051,610 | ---- | C] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
    [2011/03/21 00:33:52 | 000,066,039 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
    [2011/03/21 00:33:39 | 000,007,381 | ---- | C] () -- C:\Documents and Settings\User\My Documents\images.jpeg
    [2011/03/21 00:32:53 | 000,152,656 | ---- | C] () -- C:\Documents and Settings\User\My Documents\13.jpg
    [2011/03/21 00:32:09 | 000,163,825 | ---- | C] () -- C:\Documents and Settings\User\My Documents\11.jpg
    [2011/03/20 07:58:21 | 000,221,727 | ---- | C] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
    [2011/03/20 06:25:28 | 000,547,407 | ---- | C] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
    [2011/03/20 04:34:53 | 000,756,214 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
    [2011/03/20 04:32:15 | 000,510,790 | ---- | C] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
    [2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
    [2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
    [2011/03/15 01:22:48 | 000,001,956 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
    [2011/03/15 00:49:07 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/03/15 00:48:52 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
    [2011/02/06 07:37:22 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
    [2010/07/27 00:58:38 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2010/07/15 19:45:44 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2010/07/13 01:51:24 | 000,002,432 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/05/10 16:55:39 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
    [2010/05/07 00:02:14 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\User\Application Data\default.rss
    [2010/05/07 00:02:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Application Data\downloads.m3u
    [2010/05/06 23:58:32 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2010/04/12 13:13:25 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
    [2010/04/04 20:56:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
    [2010/03/31 21:41:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFriend.INI
    [2010/03/19 14:51:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
    [2009/11/06 10:54:46 | 000,188,416 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/05/03 12:58:02 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
    [2009/05/03 12:17:42 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
    [2009/05/03 10:50:31 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2009/05/03 10:50:31 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2009/05/03 10:50:30 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2009/05/03 10:50:29 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2009/05/03 10:45:25 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
    [2009/05/03 05:08:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/09/08 10:30:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
    [1998/07/24 00:54:06 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
    [1998/07/15 22:44:30 | 000,134,656 | ---- | C] () -- C:\WINDOWS\System32\itijpg2.dll

    < End of report >

  4. #14
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Looks like those two files were ok.

    Firefox has a port that it uses but I can't find any data on it. Are you getting any redirects from Firefox?

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
    1. Click Start > Settings > Control Panel.
    2. Double-click the Java Plug-in icon in the control panel.
    3. Click the Cache tab.
    4. Click Clear. A confirmation dialog box appears.
    5. Click Yes to confirm.
    6. Click Apply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #15
    Member
    Join Date
    Oct 2010
    Posts
    32

    Default

    Ok I installed Java.

    The last instructions seem to be for a different OS.

    Under XP there is no Start > Settings > Control Panel; it is Start > Control Panel.

    In Control Panel there is no Java Plug-in icon, but there is a Java Control Panel icon.

    In the Java Control Panel there is no Cache tab, but there is
    Temporary Internet Files > Settings > Delete Files.

    I went ahead and deleted temporary internet files. Is this what you meant, or am I in the wrong place?

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Yep, that's fine. Java has different versions and they show up differently on your system.

    How are things running now?

  7. #17
    Member
    Join Date
    Oct 2010
    Posts
    32

    Default

    Things seem to be fine, THANKS.

    I did notice one thing though.

    During the course of this I noticed an entry about the hosts file in the OTL log.
    C:\WINDOWS\system32\drivers\etc\Hosts

    I went and looked at the hosts file with WordPad and noticed it only had the default first entry and nothing more. The hosts file was last modified during this troubleshooting session. The latest backup was from a month ago.

    After finishing your instructions above I checked the hosts file again and it was still empty except for the default first entry.

    I updated Firefox and Spybot and then ran Spybot's immunization. I went and looked at the hosts file again and it was updated: the file size drastically increased and a backup was made by Spybot. However, I cannot look at it with WordPad like I could before and still can with all the backups. It shows up as a bunch of little squares, like a binary file does when looked at in WordPad.

    Is this any kind of problem?
    I know various security products use the hosts file to block known attack sites, and I have gotten the "Known Attack Site" message a few times in the past year, so it has helped avert problems.

    I am just hoping I still have that protection.

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You're fine; part of the fix we did with OTL reset the hosts file back to Microsoft defaults.
    http://www.mvps.org/winhelp2002/hosts.htm

    From the OTL Fix:

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    This means that the hosts file was deleted and then reset back to Microsoft defaults.

    Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups.

    Safe Surfn
    Ken
    Last edited by ken545; 2011-03-26 at 01:51.
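The hosts-file question in the two posts above (a reset to the Microsoft default, then a much larger file after Spybot's immunization that WordPad shows as little squares) can be checked rather than guessed at. The script below is an added example, not code from the thread, OTL or Spybot. It reads the hosts file, decodes it (a UTF-16 encoding is one reason a text file shows as squares in an editor that expects ANSI; that is a possibility this helper checks for, not a diagnosis of the poster's file), and reports three things a defender wants to know: whether the default `127.0.0.1 localhost` line is present, how many names are sinkholed to a loopback or unspecified address (what an immunization adds), and which names are redirected to a routable address, which is the change to review because it can cut a machine off from update and vendor sites. The hosts path is the one in the OTL log; the sample file contents, the `SINKHOLE_ADDRS` set and all function names are constructed for this example.

```python
"""Inspect a Windows hosts file: default entry, sinkholed names, real redirects.

Added example for this thread; it is not code from the thread, OTL or Spybot.
Assumptions: the hosts file path is the Windows XP one shown in the OTL log,
SINKHOLE_ADDRS is the usual set of addresses blocklists point names at, and
SAMPLE_HOSTS below is constructed for the demo.
"""
import codecs
from pathlib import Path

# Path from the OTL log above (Windows XP layout).
DEFAULT_HOSTS_PATH = Path(r"C:\WINDOWS\System32\drivers\etc\hosts")

# Addresses that blocklists (Spybot immunization, the MVPS hosts file) map
# unwanted names to, so the lookup goes nowhere. Any other address is a redirect.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the Microsoft default line, three blocklist-style lines,
# and one line that sends a vendor-looking name to a routable address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ads.example.test
127.0.0.1       tracker.example.test   # inline comment
0.0.0.0         malware-host.example.test
203.0.113.7     update.security-vendor.test
"""


def decode_hosts(raw: bytes) -> str:
    """Turn the raw bytes of a hosts file into text.

    A text file written as UTF-16 is one thing that shows up as rows of little
    squares in an editor expecting ANSI, so the byte-order mark is checked
    first; a file full of NUL bytes but without a mark is treated as UTF-16 LE
    (every other byte of ASCII text is NUL in that encoding). Everything else
    is decoded as Windows cp1252.
    """
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")          # the codec honours and strips the mark
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    if raw and raw.count(b"\x00") > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                            # blank, or an address with no name
        addr, *names = parts
        for name in names:                      # one line may list several names
            entries.append((addr, name.lower()))
    return entries


def inspect_hosts(text: str) -> dict:
    """Summarise what the hosts file does, from a defender's point of view."""
    entries = parse_hosts(text)
    blocked = [e for e in entries if e[0] in SINKHOLE_ADDRS and e[1] != "localhost"]
    redirects = [e for e in entries if e[0] not in SINKHOLE_ADDRS]
    return {
        "entries": len(entries),
        "has_default_localhost": ("127.0.0.1", "localhost") in entries,
        "blocked": len(blocked),        # names sinkholed: what immunization adds
        "redirects": redirects,         # names sent somewhere real: review each one
    }


def inspect_hosts_file(path: Path = DEFAULT_HOSTS_PATH) -> dict:
    """Read and inspect a hosts file on disk (needs read access to the path)."""
    return inspect_hosts(decode_hosts(path.read_bytes()))


if __name__ == "__main__":
    report = inspect_hosts(SAMPLE_HOSTS)
    print(f"entries: {report['entries']}, default localhost line: {report['has_default_localhost']}")
    print(f"sinkholed names: {report['blocked']}")
    for addr, name in report["redirects"]:
        print(f"REVIEW: {name} is redirected to {addr}")
```

Run as-is it works on the constructed sample; call `inspect_hosts_file()` on the machine itself to see the real counts. After an immunization the `blocked` figure should be in the thousands and `redirects` should be empty; a non-empty `redirects` list after a cleanup is the thing to look at first, since a file that WordPad cannot show as text tells you nothing on its own.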

  9. #19
    Member
    Join Date
    Oct 2010
    Posts
    32

    Default

    Ok, I just want to be sure the protections that anti-malware products like Spybot provide have not been lost from the hosts file. I assume that any security products that update the hosts file will eventually put their entries back in.

    I would like to ask a few questions if you do not mind and I hope I am not overstepping any boundaries.

    Your last post seems to have answered my first question about how to improve my computer security. I will read the links you provided. Thank you.

    If TeaTimer had been running would it have possibly prevented the problem?

    If I had been using Drop My Rights would it have possibly prevented the problem?
    http://msdn.microsoft.com/en-us/library/ms972827.aspx

    I used to build my own systems and would like to do so again someday. I used to have a decent amount of computer knowledge (programming, troubleshooting, installed a few small networks); however, I am very rusty and out of date. The landscape has changed a lot since then, and security on home and small business computers is now of major importance.

    I would like to brush up on my security knowledge and someday do what you are doing and volunteer in a forum like this one. I know it will take a lot of time and effort and I would like to get started on it.

    Do you have any advice on where to start?
    If you know of good websites, forums or other free online sources I would appreciate it. I do not have money to buy expensive books, but if you know any "must haves" maybe I can get the money up for them someday.

    I am still paying for college from years ago and cannot afford any more college at this time but if you know of any free or very low cost online courses that would also be helpful.


    I really appreciate the help you have given me. I think you and the others who do this deserve a round of applause.

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    No problem at all with the questions. The TeaTimer may have alerted you to a registry change; although I think Spybot is a great program, I am not a fan of the TeaTimer. I use Spybot myself but have the TT disabled. I like SpywareBlaster as it does the same thing but is not too much in your face.

    In Spybot, you can go to Advanced Mode > Tools > Hosts File and you can add Spybot's hosts file to the current hosts file, and it will add 1000s of bad sites that will be blocked. If it gives you issues you can always remove it.

    I started out when Win 98 came out and have built all my own systems, probably a dozen or more for myself, friends and family. Then I got more interested in malware about 8 years ago. Here is a site I cut my teeth on when building systems; it was my bible. Go and join, it's free and a wealth of info:
    http://forums.hardwareguys.com/ikonboard.cgi

    Most of us helpers help in many other forums; at WhatTheTech I am a classroom teacher, and we have an actual classroom where you can learn to remove malware. It too is free, but you will need a certain amount of commitment. It has a Freshman, Junior and Senior class, and once you graduate from Senior we let you reply to live logs, but your fix has to be checked by a teacher before you can post; at that point it all depends on you and how well you're doing. I went through this same classroom about 8 years ago when it was Tom Coyote; it was one of the first online Malware Removal Classrooms.
    http://forums.whatthetech.com/index.php?showtopic=80368



    Take Care,

    Ken
