FBI MoneyPak Removal

Status
Not open for further replies.

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Hi,

I got the FBI MoneyPak ransom 2 days ago. Using my wife's PC, I found your site discussing it and thought it was great. You guys do a very good job!

However.... after I created the bootable flash from HitMan Pro and booted the ransomed PC, it runs HitMan Pro and says my trial license expired already and it won't remove the viruses unless I buy a version. I think I might have tried HitMan a few years ago but use Malwarebytes instead.

If I close HitMan to run Malwarebytes, the PC shuts down. If I boot without the flash, the ransom is still there.

How do I run anything else after booting with the flash?

I can't run the asked-for scans while my PC is still ransomed.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


Stage -1
  • Download Norton Bootable Recovery Tool from this link.
  • Save the Norton Bootable Recovery Tool on your computer Desktop.
  • After completing the download, open the file that you saved on the Desktop. It will start the Norton Download Manager as shown below.

    http://123pcworld.com/MalwareTips/DownloadManager.PNG
  • When the download finishes, the Norton Bootable Recovery Tool Wizard starts automatically.
  • In the Norton Bootable Recovery Tool Wizard, click Agree & Install to accept the User License Agreement.

    If you want to change the default install location, click Install Options, and then click Browse to locate the new install location.
  • Follow the on-screen instructions to create the Norton Bootable Recovery Tool on a CD/DVD media or USB key.

    http://123pcworld.com/MalwareTips/NBRT.PNG
  • It will select your CD/DVD writer by default; if it does not, select your CD/DVD writer and click Next...

    http://123pcworld.com/MalwareTips/NBRT-2.PNG
  • Now you have to insert a blank CD/DVD into your CD/DVD writer and press OK. It will take some time to complete the bootable recovery drive creation.

    http://123pcworld.com/MalwareTips/NBRT-3.PNG


Stage -2
  • Insert the recovery media in the infected computer and start your computer from the recovery media. The recovery media can be a Norton Bootable Recovery Tool CD, DVD, or USB key.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Read the License Agreement, type your product key, and then click I Agree. (I will send you product key in PM )
  • In the Norton Bootable Recovery Tool window, click Norton Advanced Recovery Scan.
  • Click Start Scan.
  • When the scan finishes, remove the recovery media from the drive or USB port, and restart your computer.


What is the Operating system you are using?

After completing the scan, start the computer in normal mode. Let me know the status after completing the scan...
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Hi,

I ran the Norton Advanced Recovery Scan on the infected PC. It found 11 items which I fixed. I then rebooted and got the same FBI Virus screen as before. I repeated the boot from cd, re-ran the scan. It found nothing. I rebooted and still have the Virus screen. I can't boot in safe mode. Running XP.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Download List Parts and save it to the flash drive also.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note: as you are running from CD, it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
    It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Ok, doing it now. BTW, the link for OTLPENet.exe in your post doesn't work. Had to go to the geekstogo web site to get it "manually". Proceeding with the rest now. Thanks mucho.
 

Fiery

Level 1
Jan 11, 2011
2,007
Gerry said:
Ok, doing it now. BTW, the link for OTLPENet.exe in your post doesn't work. Had to go to the geekstogo web site to get it "manually". Proceeding with the rest now. Thanks mucho.
I fixed all the links, they should work now :) Sorry for the inconvenience.
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Yeah, none of the links worked but there was enough info for me to find them through Google. I'm not complaining though. You guys are great and can't thank you enough if this works.

Followed instructions and the 2 txt files are listed below, frst first....


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-01-2013 02
Ran by SYSTEM at 26-01-2013 17:34:50
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [417792 2009-11-11] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM\...\Run: [dnctf] rundll32.exe "C:\Documents and Settings\Gerry\Application Data\dnctf.dll",FIsHTMLFile [180224 2013-01-24] (Pmode)
HKLM\...\Run: [zutro] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\zutro.dll",SetError [631296 2013-01-24] (IDT, Inc.)
HKLM\...\Run: [dxlat] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\dxlat.dll",WriteObject [345600 2013-01-24] ()
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKU\Gerry\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Gerry\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-08-21] (Microsoft Corporation)
HKU\Gerry\...\Run: [Sony PC Companion] "C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe" /Background [445624 2012-09-12] (Sony)
HKU\Gerry\...\Run: [AnyDVD] C:\Program Files\DVD\AnyDVD\AnyDVDtray.exe [6750448 2012-12-20] (SlySoft, Inc.)
HKU\Gerry\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Gerry\Application Data\skype.dat [57344 2010-12-09] ()
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 4.2.2.2
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Gerry\Start Menu\Programs\Startup\KatMouse.lnk
ShortcutTarget: KatMouse.lnk -> C:\Program Files\KatMouse\KatMouse.exe ()

==================== Services (Whitelisted) ===================

2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
3 Sony PC Companion; "C:\Program Files\Sony\Sony PC Companion\PCCService.exe" [155320 2012-01-18] (Avanquest Software)
2 allegro; C:\Windows\System32\pfc.dll [x]
2 askernel; C:\Windows\System32\bmuservice.dll [x]
2 dcfssvc; C:\Windows\System32\transactional.dll [x]
2 dcstor32; C:\Windows\System32\prevxagent.dll [x]
2 filterservice; C:\Windows\System32\winvnc.dll [x]
2 hpconfig; C:\Windows\System32\sgeclient.dll [x]
2 imagesrv; C:\Windows\System32\oracleservicelocalora.dll [x]
2 ipassconnectengine; C:\Windows\System32\termservice.dll [x]
2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
2 sdcplh; C:\Windows\System32\ntsyslog.dll [x]
2 statusagent4; C:\Windows\System32\Maplom.dll [x]
2 symantecantibotagent; C:\Windows\System32\nvlddmkm.dll [x]
2 usnjsvc; C:\Windows\System32\XUIF.dll [x]
2 ZSMC301b; C:\Windows\System32\WimFltr.dll [x]

==================== Drivers (Whitelisted) ====================

1 AFS2K; C:\Windows\System32\Drivers\AFS2K.sys [35840 2004-10-07] (Oak Technology Inc.)
3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [121248 2012-08-26] (SlySoft, Inc.)
3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [176640 2008-07-25] (Broadcom Corporation)
1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-08-21] (Windows (R) Server 2003 DDK provider)
3 hitmanpro35; \??\C:\WINDOWS\system32\drivers\hitmanpro36.sys [26400 2012-04-11] ()
3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [51024 2003-03-08] (HP)
3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16080 2003-03-08] (HP)
3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21456 2003-03-08] (HP)
3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-01-25] (Malwarebytes Corporation)
3 NPF; C:\Windows\System32\drivers\NPF.sys [50704 2012-04-09] (CACE Technologies, Inc.)
3 s0016bus; C:\Windows\System32\DRIVERS\s0016bus.sys [89256 2008-05-16] (MCCI Corporation)
3 s0016mdfl; C:\Windows\System32\DRIVERS\s0016mdfl.sys [15016 2008-05-16] (MCCI Corporation)
3 s0016mdm; C:\Windows\System32\DRIVERS\s0016mdm.sys [120744 2008-05-16] (MCCI Corporation)
3 s0016mgmt; C:\Windows\System32\DRIVERS\s0016mgmt.sys [114216 2008-05-16] (MCCI Corporation)
3 s0016nd5; C:\Windows\System32\DRIVERS\s0016nd5.sys [25512 2008-05-16] (MCCI Corporation)
3 s0016obex; C:\Windows\System32\DRIVERS\s0016obex.sys [110632 2008-05-16] (MCCI Corporation)
3 s0016unic; C:\Windows\System32\DRIVERS\s0016unic.sys [115752 2008-05-16] (MCCI Corporation)
3 s616bus; C:\Windows\System32\DRIVERS\s616bus.sys [83208 2007-04-03] (MCCI Corporation)
3 s616mdfl; C:\Windows\System32\DRIVERS\s616mdfl.sys [15112 2007-04-03] (MCCI Corporation)
3 s616mdm; C:\Windows\System32\DRIVERS\s616mdm.sys [108680 2007-04-03] (MCCI Corporation)
3 s616mgmt; C:\Windows\System32\DRIVERS\s616mgmt.sys [100360 2007-04-03] (MCCI Corporation)
3 s616nd5; C:\Windows\System32\DRIVERS\s616nd5.sys [23176 2007-04-03] (MCCI Corporation)
3 s616obex; C:\Windows\System32\DRIVERS\s616obex.sys [98568 2007-04-03] (MCCI Corporation)
3 s616unic; C:\Windows\System32\DRIVERS\s616unic.sys [99080 2007-04-03] (MCCI Corporation)
3 .mrxsmb; \? [x]
4 Abiosdsk; [x]
4 abp480n5; [x]
4 adpu160m; [x]
4 Aha154x; [x]
4 aic78u2; [x]
4 aic78xx; [x]
4 AliIde; [x]
4 amsint; [x]
4 asc; [x]
4 asc3350p; [x]
4 asc3550; [x]
4 Atdisk; [x]
4 cd20xrnt; [x]
1 Changer; [x]
4 CmdIde; [x]
4 Cpqarray; [x]
4 dac2w2k; [x]
4 dac960nt; [x]
4 dpti2o; [x]
4 hpn; [x]
1 i2omgmt; [x]
4 i2omp; [x]
4 ini910u; [x]
4 IntelIde; [x]
1 lbrtfdc; [x]
4 mraid35x; [x]
1 PCIDump; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
4 perc2; [x]
4 perc2hib; [x]
4 ql1080; [x]
4 Ql10wnt; [x]
4 ql12160; [x]
4 ql1240; [x]
4 ql1280; [x]
4 Simbad; [x]
4 Sparrow; [x]
4 symc810; [x]
4 symc8xx; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TosIde; [x]
4 ultra; [x]
4 ViaIde; [x]
3 WDICA; [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-26 18:58 - 2013-01-26 18:58 - 00000024 ____A C:\Windows\076B13B6015DA8E1.log
2013-01-26 17:34 - 2013-01-26 17:34 - 00000000 ____D C:\FRST
2013-01-26 15:59 - 2013-01-26 17:11 - 00000000 ____D C:\NBRT
2013-01-25 19:14 - 2013-01-25 19:14 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-01-24 17:15 - 2013-01-26 18:58 - 00000004 ____A C:\Documents and Settings\Gerry\Application Data\skype.ini
2013-01-24 17:11 - 2013-01-26 18:56 - 00006524 ____A C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
2013-01-24 17:11 - 2013-01-24 17:11 - 00631296 ____A (IDT, Inc.) C:\Documents and Settings\Gerry\Application Data\zutro.dll
2013-01-24 17:11 - 2013-01-24 17:11 - 00345600 ____A () C:\Documents and Settings\Gerry\Application Data\dxlat.dll
2013-01-24 17:10 - 2013-01-24 17:10 - 00180224 ____A (Pmode) C:\Documents and Settings\Gerry\Application Data\dnctf.dll
2013-01-19 20:48 - 2013-01-19 20:48 - 00018267 ____A C:\Windows\KB2799329-IE8.log
2013-01-19 20:31 - 2013-01-19 20:31 - 00016862 ____A C:\Windows\KB2753842-v2.log
2013-01-19 20:31 - 2013-01-19 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2779562$
2013-01-19 20:31 - 2013-01-19 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2757638$
2013-01-19 20:31 - 2013-01-19 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2753842-v2$
2013-01-19 20:30 - 2013-01-19 20:31 - 00013467 ____A C:\Windows\KB2779562.log
2013-01-19 20:30 - 2013-01-19 20:30 - 00019981 ____A C:\Windows\KB2761465-IE8.log
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2779030$
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2770660$
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2758857$
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2727528$
2013-01-19 20:16 - 2013-01-19 20:16 - 00008509 ____A C:\Windows\KB2723135-v2.log
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2723135-v2$
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2705219-v2$
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2661254-v2$
2013-01-19 20:15 - 2013-01-19 20:15 - 00007100 ____A C:\Windows\KB2736233.log
2013-01-19 20:15 - 2013-01-19 20:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2749655$
2013-01-19 20:15 - 2013-01-19 20:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2736233$
2013-01-19 20:15 - 2013-01-19 20:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2712808$
2013-01-19 20:14 - 2013-01-19 20:30 - 00014312 ____A C:\Windows\KB2758857.log
2013-01-19 20:14 - 2013-01-19 20:16 - 00014347 ____A C:\Windows\KB2724197.log
2013-01-19 20:13 - 2013-01-19 20:31 - 00021709 ____A C:\Windows\KB2757638.log
2013-01-19 20:13 - 2013-01-19 20:30 - 00013211 ____A C:\Windows\KB2727528.log
2013-01-19 20:13 - 2013-01-19 20:16 - 00013881 ____A C:\Windows\KB2705219-v2.log
2013-01-19 20:13 - 2013-01-19 20:16 - 00012662 ____A C:\Windows\KB2661254-v2.log
2013-01-19 20:13 - 2013-01-19 20:15 - 00012446 ____A C:\Windows\KB2749655.log
2013-01-19 20:13 - 2013-01-19 20:15 - 00012422 ____A C:\Windows\KB2712808.log
2013-01-19 20:10 - 2013-01-19 20:10 - 00003526 ____A C:\Windows\bitssetup.log
2013-01-19 19:58 - 2013-01-19 19:58 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-12-28 13:54 - 2012-12-28 14:08 - 00001246 ____A C:\Documents and Settings\Gerry\My Documents\Ghost Riders In The Sky.txt

==================== One Month Modified Files and Folders ========

2013-01-26 18:58 - 2013-01-26 18:58 - 00000024 ____A C:\Windows\076B13B6015DA8E1.log
2013-01-26 18:58 - 2013-01-24 17:15 - 00000004 ____A C:\Documents and Settings\Gerry\Application Data\skype.ini
2013-01-26 18:58 - 2010-06-12 11:02 - 00000422 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{4AE1076F-09C2-44D0-8AEA-647C5037DFD3}.job
2013-01-26 18:58 - 2009-12-28 18:00 - 00000178 __ASH C:\Documents and Settings\Gerry\ntuser.ini
2013-01-26 18:58 - 2009-03-11 12:17 - 00031864 ____A C:\Windows\SchedLgU.Txt
2013-01-26 18:58 - 2009-03-11 12:17 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-26 18:58 - 2009-03-11 12:10 - 01925922 ____A C:\Windows\WindowsUpdate.log
2013-01-26 18:58 - 2009-03-11 03:15 - 00000275 ____A C:\Windows\wiadebug.log
2013-01-26 18:56 - 2013-01-24 17:11 - 00006524 ____A C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
2013-01-26 18:56 - 2010-01-13 14:50 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-26 18:56 - 2009-12-28 18:00 - 00000062 __ASH C:\Documents and Settings\Gerry\Local Settings\desktop.ini
2013-01-26 18:56 - 2009-03-11 12:17 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-01-26 18:56 - 2009-03-11 12:16 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-01-26 18:56 - 2009-03-11 03:15 - 00000049 ____A C:\Windows\wiaservc.log
2013-01-26 18:56 - 2008-08-21 07:00 - 00012598 ____A C:\Windows\System32\wpa.dbl
2013-01-26 17:34 - 2013-01-26 17:34 - 00000000 ____D C:\FRST
2013-01-26 17:11 - 2013-01-26 15:59 - 00000000 ____D C:\NBRT
2013-01-26 15:27 - 2012-03-09 17:36 - 00001324 ____A C:\Windows\System32\d3d9caps.dat
2013-01-26 15:10 - 2010-01-13 14:50 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-26 15:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At37.job
2013-01-26 15:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At13.job
2013-01-26 14:56 - 2009-03-11 03:12 - 00566264 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-26 14:11 - 2012-04-11 14:17 - 00416320 ____A C:\Windows\setupapi.log
2013-01-25 19:15 - 2009-12-28 21:56 - 00002527 ____A C:\Documents and Settings\Gerry\Desktop\HiJackThis.lnk
2013-01-25 19:14 - 2013-01-25 19:14 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-01-24 18:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At40.job
2013-01-24 18:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At16.job
2013-01-24 17:11 - 2013-01-24 17:11 - 00631296 ____A (IDT, Inc.) C:\Documents and Settings\Gerry\Application Data\zutro.dll
2013-01-24 17:11 - 2013-01-24 17:11 - 00345600 ____A () C:\Documents and Settings\Gerry\Application Data\dxlat.dll
2013-01-24 17:10 - 2013-01-24 17:10 - 00180224 ____A (Pmode) C:\Documents and Settings\Gerry\Application Data\dnctf.dll
2013-01-24 17:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At39.job
2013-01-24 17:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At15.job
2013-01-24 16:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At38.job
2013-01-24 16:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At14.job
2013-01-24 14:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At36.job
2013-01-24 14:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At12.job
2013-01-24 13:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At35.job
2013-01-24 13:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At11.job
2013-01-24 12:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At34.job
2013-01-24 12:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At10.job
2013-01-24 11:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At33.job
2013-01-24 11:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At9.job
2013-01-24 10:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At32.job
2013-01-24 10:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At8.job
2013-01-24 09:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At31.job
2013-01-24 09:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At7.job
2013-01-24 08:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At30.job
2013-01-24 08:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At6.job
2013-01-24 07:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At29.job
2013-01-24 07:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At5.job
2013-01-24 06:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At28.job
2013-01-24 06:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At4.job
2013-01-24 05:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At27.job
2013-01-24 05:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At3.job
2013-01-24 04:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At26.job
2013-01-24 04:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At2.job
2013-01-24 03:25 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At25.job
2013-01-24 03:05 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At1.job
2013-01-24 02:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At48.job
2013-01-24 02:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At24.job
2013-01-24 01:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At47.job
2013-01-24 01:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At23.job
2013-01-24 00:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At46.job
2013-01-24 00:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At22.job
2013-01-23 23:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At45.job
2013-01-23 23:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At21.job
2013-01-23 22:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At44.job
2013-01-23 22:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At20.job
2013-01-23 21:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At43.job
2013-01-23 21:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At19.job
2013-01-23 20:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At42.job
2013-01-23 20:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At18.job
2013-01-23 19:00 - 2012-04-05 22:09 - 00000418 ____A C:\Windows\Tasks\At41.job
2013-01-23 19:00 - 2012-04-05 22:09 - 00000416 ____A C:\Windows\Tasks\At17.job
2013-01-19 21:01 - 2012-01-09 18:40 - 00000000 ____D C:\Windows\Microsoft.NET
2013-01-19 20:56 - 2009-03-11 03:11 - 00310784 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-19 20:48 - 2013-01-19 20:48 - 00018267 ____A C:\Windows\KB2799329-IE8.log
2013-01-19 20:48 - 2009-12-28 20:26 - 00198945 ____A C:\Windows\updspapi.log
2013-01-19 20:48 - 2009-12-28 19:20 - 00000000 ____D C:\Windows\$hf_mig$
2013-01-19 20:48 - 2009-03-11 03:12 - 02544786 ____A C:\Windows\FaxSetup.log
2013-01-19 20:48 - 2009-03-11 03:12 - 01244452 ____A C:\Windows\ocgen.log
2013-01-19 20:48 - 2009-03-11 03:12 - 01183094 ____A C:\Windows\tsoc.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00886576 ____A C:\Windows\comsetup.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00886039 ____A C:\Windows\iis6.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00796680 ____A C:\Windows\msmqinst.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00533746 ____A C:\Windows\ntdtcsetup.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00448068 ____A C:\Windows\netfxocm.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00177307 ____A C:\Windows\MedCtrOC.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00141507 ____A C:\Windows\ocmsn.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00130022 ____A C:\Windows\tabletoc.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00128179 ____A C:\Windows\msgsocm.log
2013-01-19 20:48 - 2009-03-11 03:12 - 00001374 ____A C:\Windows\imsins.log
2013-01-19 20:31 - 2013-01-19 20:31 - 00016862 ____A C:\Windows\KB2753842-v2.log
2013-01-19 20:31 - 2013-01-19 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2779562$
2013-01-19 20:31 - 2013-01-19 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2757638$
2013-01-19 20:31 - 2013-01-19 20:31 - 00000000 __HDC C:\Windows\$NtUninstallKB2753842-v2$
2013-01-19 20:31 - 2013-01-19 20:30 - 00013467 ____A C:\Windows\KB2779562.log
2013-01-19 20:31 - 2013-01-19 20:13 - 00021709 ____A C:\Windows\KB2757638.log
2013-01-19 20:31 - 2009-12-28 20:36 - 00044468 ____A C:\Windows\System32\TZLog.log
2013-01-19 20:31 - 2009-03-11 03:12 - 00001374 ____A C:\Windows\imsins.BAK
2013-01-19 20:30 - 2013-01-19 20:30 - 00019981 ____A C:\Windows\KB2761465-IE8.log
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2779030$
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2770660$
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2758857$
2013-01-19 20:30 - 2013-01-19 20:30 - 00000000 __HDC C:\Windows\$NtUninstallKB2727528$
2013-01-19 20:30 - 2013-01-19 20:14 - 00014312 ____A C:\Windows\KB2758857.log
2013-01-19 20:30 - 2013-01-19 20:13 - 00013211 ____A C:\Windows\KB2727528.log
2013-01-19 20:16 - 2013-01-19 20:16 - 00008509 ____A C:\Windows\KB2723135-v2.log
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2723135-v2$
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2705219-v2$
2013-01-19 20:16 - 2013-01-19 20:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2661254-v2$
2013-01-19 20:16 - 2013-01-19 20:14 - 00014347 ____A C:\Windows\KB2724197.log
2013-01-19 20:16 - 2013-01-19 20:13 - 00013881 ____A C:\Windows\KB2705219-v2.log
2013-01-19 20:16 - 2013-01-19 20:13 - 00012662 ____A C:\Windows\KB2661254-v2.log
2013-01-19 20:15 - 2013-01-19 20:15 - 00007100 ____A C:\Windows\KB2736233.log
2013-01-19 20:15 - 2013-01-19 20:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2749655$
2013-01-19 20:15 - 2013-01-19 20:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2736233$
2013-01-19 20:15 - 2013-01-19 20:15 - 00000000 __HDC C:\Windows\$NtUninstallKB2712808$
2013-01-19 20:15 - 2013-01-19 20:13 - 00012446 ____A C:\Windows\KB2749655.log
2013-01-19 20:15 - 2013-01-19 20:13 - 00012422 ____A C:\Windows\KB2712808.log
2013-01-19 20:10 - 2013-01-19 20:10 - 00003526 ____A C:\Windows\bitssetup.log
2013-01-19 19:59 - 2012-03-19 16:51 - 00001729 ____A C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
2013-01-19 19:58 - 2013-01-19 19:58 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-01-19 19:58 - 2011-06-19 18:54 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-01-12 12:52 - 2009-12-28 19:01 - 00002569 ____A C:\Documents and Settings\All Users\Desktop\ACDSee.lnk
2013-01-09 14:26 - 2010-04-15 17:26 - 00000908 ____A C:\Windows\Ulead32.ini
2013-01-07 23:31 - 2012-04-13 15:24 - 00662829 ____A C:\Documents and Settings\Gerry\Local Settings\Application Data\census.cache
2013-01-07 23:30 - 2012-04-13 15:24 - 00165307 ____A C:\Documents and Settings\Gerry\Local Settings\Application Data\ars.cache
2013-01-07 20:29 - 2009-12-31 18:48 - 00014957 ____A C:\Documents and Settings\Gerry\My Documents\phone3.txt
2013-01-07 18:50 - 2009-12-29 16:19 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2013-01-06 00:34 - 2008-08-21 07:00 - 06009856 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2013-01-06 00:34 - 2008-08-21 07:00 - 06009856 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-28 14:08 - 2012-12-28 13:54 - 00001246 ____A C:\Documents and Settings\Gerry\My Documents\Ghost Riders In The Sky.txt

ZeroAccess:
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L\00000004.@

ZeroAccess:
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-01-26 14:41 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP271

RP: -> 2013-01-23 23:10 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP270

RP: -> 2013-01-22 22:10 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP269

RP: -> 2013-01-21 21:10 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP268

RP: -> 2013-01-20 21:00 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP267

RP: -> 2013-01-19 20:15 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP266

RP: -> 2013-01-19 20:10 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP265

RP: -> 2013-01-19 19:41 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP264

RP: -> 2013-01-18 19:11 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP263

RP: -> 2013-01-17 17:42 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP262

RP: -> 2013-01-16 16:42 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP261

RP: -> 2013-01-15 15:42 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP260

RP: -> 2013-01-14 14:41 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP259

RP: -> 2013-01-13 13:41 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP258

RP: -> 2013-01-12 13:20 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP257

RP: -> 2013-01-11 11:50 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP256

RP: -> 2013-01-10 11:41 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP255

RP: -> 2013-01-09 11:05 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP254

RP: -> 2013-01-08 07:41 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP253

RP: -> 2013-01-07 07:07 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP252

RP: -> 2013-01-06 05:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP251

RP: -> 2013-01-05 04:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP250

RP: -> 2013-01-04 03:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP249

RP: -> 2013-01-03 02:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP248

RP: -> 2013-01-02 01:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP247

RP: -> 2013-01-01 00:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP246

RP: -> 2012-12-30 23:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP245

RP: -> 2012-12-29 22:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP244

RP: -> 2012-12-28 22:08 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP243

RP: -> 2012-12-27 21:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP242

RP: -> 2012-12-26 20:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP241

RP: -> 2012-12-25 20:07 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP240

RP: -> 2012-12-24 18:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP239

RP: -> 2012-12-23 17:56 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP238

RP: -> 2012-12-22 17:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP237

RP: -> 2012-12-21 16:56 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP236

RP: -> 2012-12-20 16:38 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP235

RP: -> 2012-12-19 15:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP234

RP: -> 2012-12-18 14:56 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP233

RP: -> 2012-12-17 14:14 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP232

RP: -> 2012-12-16 12:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP231

RP: -> 2012-12-15 11:56 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP230

RP: -> 2012-12-14 11:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP229

RP: -> 2012-12-13 10:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP228

RP: -> 2012-12-12 09:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP227

RP: -> 2012-12-11 08:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP226

RP: -> 2012-12-10 07:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP225

RP: -> 2012-12-09 06:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP224

RP: -> 2012-12-08 05:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP223

RP: -> 2012-12-07 05:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP222

RP: -> 2012-12-06 04:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP221

RP: -> 2012-12-05 03:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP220

RP: -> 2012-12-04 02:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP219

RP: -> 2012-12-03 01:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP218

RP: -> 2012-12-02 00:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP217

RP: -> 2012-11-30 23:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP216

RP: -> 2012-11-29 23:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP215

RP: -> 2012-11-28 22:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP214

RP: -> 2012-11-27 21:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP213

RP: -> 2012-11-26 20:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP212

RP: -> 2012-11-25 19:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP211

RP: -> 2012-11-24 18:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP210

RP: -> 2012-11-23 18:51 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP209

RP: -> 2012-11-23 04:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP208

RP: -> 2012-11-22 03:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP207

RP: -> 2012-11-21 02:54 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP206

RP: -> 2012-11-20 01:56 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP205

RP: -> 2012-11-19 01:55 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP204

RP: -> 2012-11-18 01:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP203

RP: -> 2012-11-17 00:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP202

RP: -> 2012-11-16 00:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP201

RP: -> 2012-11-14 23:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP200

RP: -> 2012-11-13 22:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP199

RP: -> 2012-11-12 21:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP198

RP: -> 2012-11-11 20:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP197

RP: -> 2012-11-10 19:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP196

RP: -> 2012-11-09 18:42 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP195

RP: -> 2012-11-08 17:31 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP194

RP: -> 2012-11-07 16:31 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP193

RP: -> 2012-11-06 15:30 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP192

RP: -> 2012-11-05 15:17 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP191

RP: -> 2012-11-04 15:15 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP190

RP: -> 2012-11-03 14:16 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP189

RP: -> 2012-11-02 14:01 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP188

RP: -> 2012-11-01 13:26 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP187

RP: -> 2012-10-31 13:01 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP186

RP: -> 2012-10-30 12:01 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP185

RP: -> 2012-10-29 11:01 - 024576 _restore{606ECAD8-DF55-435C-B95E-F7D9C5CB4B8C}\RP184


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 2039.36 MB
Available physical RAM: 1778.64 MB
Total Pagefile: 1870.05 MB
Available Pagefile: 1804.83 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.54 MB

==================== Partitions =============================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:372.61 GB) (Free:304.6 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (KINGSTON) (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32
4 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 373 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 373 GB 32 KB
=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 373 GB Healthy
=========================================================
==================== End Of Log ============================





ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 26-01-2013 at 17:37:59
Windows XP (X86)
Running From: D:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 2039.36 MB
Available physical RAM: 1817.61 MB
Total Pagefile: 1870.05 MB
Available Pagefile: 1802.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 2009.38 MB

======================= Partitions =========================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:372.61 GB) (Free:304.6 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (KINGSTON) (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32
4 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 373 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 373 GB 32 KB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 373 GB Healthy
======================================================================================================

****** End Of Log ******
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Thank you Gerry,

On a clean PC, open Notepad and copy & paste the following:

HKLM\...\Run: [dnctf] rundll32.exe "C:\Documents and Settings\Gerry\Application Data\dnctf.dll",FIsHTMLFile [180224 2013-01-24] (Pmode)
HKLM\...\Run: [zutro] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\zutro.dll",SetError [631296 2013-01-24] (IDT, Inc.)
HKLM\...\Run: [dxlat] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\dxlat.dll",WriteObject [345600 2013-01-24] ()
HKU\Gerry\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Gerry\Application Data\skype.dat [57344 2010-12-09] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 4.2.2.2

C:\Windows\076B13B6015DA8E1.log
C:\Documents and Settings\Gerry\Application Data\skype.ini
C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
C:\Documents and Settings\Gerry\Application Data\zutro.dll
C:\Documents and Settings\Gerry\Application Data\dxlat.dll
C:\Documents and Settings\Gerry\Application Data\dnctf.dll
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L\00000004.@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\assembly\GAC\Desktop.ini

and save it as fixlist.txt onto your flash drive.

Then, boot to OTLPE, plug in your flash drive, open FRST and click fix. Post the generated log.

While in OTLPE, double click the OTLPE icon.

  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start
  • Click the Scan All Users checkbox.
  • Change Standard Registry to All
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Below are the results after the FRST fix. After running OTLPE, I don't see a checkbox for Scan All Users. The other items I see and checked. There are boxes for Services and Drivers, but I don't see ALL Users???


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-26 19:06:18 Run:1
Running from D:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dnctf Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ zutro Value not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ dxlat Value not found.
HKEY_USERS\ Gerry\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value not found.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\\DhcpNameServer Value deleted successfully.
C:\Windows\076B13B6015DA8E1.log moved successfully.

==== End of Fixlog ====
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay... That is fine...

In the Fixlist, did you add the following files also?

C:\Documents and Settings\Gerry\Application Data\skype.dat
C:\Documents and Settings\Gerry\Application Data\skype.ini
C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
C:\Documents and Settings\Gerry\Application Data\zutro.dll
C:\Documents and Settings\Gerry\Application Data\dxlat.dll
C:\Documents and Settings\Gerry\Application Data\dnctf.dll
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L\00000004.@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\assembly\GAC\Desktop.ini
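A way to answer that question from the logs themselves, added here as an example and not code from the thread or from FRST: it pairs each fixlist entry with the Fixlog line that reports on it, so entries the Fixlog never mentions stand out. The line formats it parses (registry entries as `<key>: [<name>] …`, results as `…\\<name> Value …`) are assumptions taken from the lines posted above, and the sample input is constructed from them.

```python
"""Cross-check an FRST fixlist against the Fixlog the fix produced.

Every fixlist entry should have a matching result line in the Fixlog; an
entry with no result line was either not in the fixlist FRST read or was
not processed, which is worth knowing before rebooting the machine.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the fixlist and Fixlog posted in
# this thread (shortened). The parsing rules below are assumptions about
# the FRST log format, not FRST's own code.
FIXLIST = r"""
HKLM\...\Run: [dnctf] rundll32.exe "C:\Documents and Settings\Gerry\Application Data\dnctf.dll",FIsHTMLFile [180224 2013-01-24] (Pmode)
HKLM\...\Run: [zutro] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\zutro.dll",SetError [631296 2013-01-24] (IDT, Inc.)
HKU\Gerry\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Gerry\Application Data\skype.dat [57344 2010-12-09] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 4.2.2.2

C:\Windows\076B13B6015DA8E1.log
C:\Documents and Settings\Gerry\Application Data\zutro.dll
C:\Windows\assembly\GAC\Desktop.ini
"""

FIXLOG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dnctf Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ zutro Value not found.
HKEY_USERS\ Gerry\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value not found.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\\DhcpNameServer Value deleted successfully.
C:\Windows\076B13B6015DA8E1.log moved successfully.
"""

MISSING = "no result line in Fixlog"

# Fixlist: "<key>: [<value name>] <data>" for registry entries, bare paths for files.
REG_ENTRY = re.compile(r"^(?P<key>[^:\[]+):\s*\[(?P<name>[^\]]+)\]")
FILE_ENTRY = re.compile(r"^[A-Za-z]:\\")

# Fixlog: registry results carry the value name after a doubled backslash
# (sometimes followed by a space); file results end with a status phrase.
REG_RESULT = re.compile(r"^(?P<path>.+?)\\\\\s*(?P<name>\S+)\s+(?P<status>Value .+?)\.?$")
FILE_RESULT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<status>(?:moved|deleted|not found).*?)\.?$"
)


def _last_subkey(path: str) -> str:
    """'HKLM\\...\\Run' and 'HKEY_LOCAL_MACHINE\\...\\Run' both reduce to 'Run'."""
    return path.rstrip("\\").split("\\")[-1]


def parse_fixlist(text: str) -> List[str]:
    """Normalise fixlist lines to lookup keys: 'reg|<subkey>|<name>' or 'file|<path>'."""
    keys = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if FILE_ENTRY.match(line):
            keys.append(f"file|{line}".lower())
            continue
        m = REG_ENTRY.match(line)
        if m:
            keys.append(f"reg|{_last_subkey(m.group('key'))}|{m.group('name')}".lower())
    return keys


def parse_fixlog(text: str) -> Dict[str, str]:
    """Map each Fixlog result line to the same lookup keys, with its status text."""
    results: Dict[str, str] = {}
    for line in (l.strip() for l in text.splitlines()):
        m = REG_RESULT.match(line)
        if m:
            key = f"reg|{_last_subkey(m.group('path'))}|{m.group('name')}"
            results[key.lower()] = m.group("status")
            continue
        m = FILE_RESULT.match(line)
        if m:
            results[f"file|{m.group('path')}".lower()] = m.group("status")
    return results


def cross_check(fixlist: str, fixlog: str) -> List[Tuple[str, str]]:
    """Pair every fixlist entry with its Fixlog status, or MISSING if none was logged."""
    results = parse_fixlog(fixlog)
    return [(key, results.get(key, MISSING)) for key in parse_fixlist(fixlist)]


def unreported(fixlist: str, fixlog: str) -> List[str]:
    """Entries the Fixlog never mentions: the ones to ask about before rebooting."""
    return [key for key, status in cross_check(fixlist, fixlog) if status == MISSING]


if __name__ == "__main__":
    for key, status in cross_check(FIXLIST, FIXLOG):
        print(f"{status:28} {key}")
```

With the sample above the two file entries that the Fixlog never mentions are listed by `unreported`, which is exactly the gap being asked about here.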
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
This is what I used...


HKLM\...\Run: [dnctf] rundll32.exe "C:\Documents and Settings\Gerry\Application Data\dnctf.dll",FIsHTMLFile [180224 2013-01-24] (Pmode)
HKLM\...\Run: [zutro] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\zutro.dll",SetError [631296 2013-01-24] (IDT, Inc.)
HKLM\...\Run: [dxlat] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Gerry\Application Data\dxlat.dll",WriteObject [345600 2013-01-24] ()
HKU\Gerry\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Gerry\Application Data\skype.dat [57344 2010-12-09] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 4.2.2.2

C:\Windows\076B13B6015DA8E1.log
C:\Documents and Settings\Gerry\Application Data\skype.ini
C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
C:\Documents and Settings\Gerry\Application Data\zutro.dll
C:\Documents and Settings\Gerry\Application Data\dxlat.dll
C:\Documents and Settings\Gerry\Application Data\dnctf.dll
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L\00000004.@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\assembly\GAC\Desktop.ini
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
I used TextPad instead of Notepad though. Don't know if that matters.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Gerry said:
I used TextPad instead of Notepad though. Don't know if that matters.

Okay. Now are you able to start the computer back up normally without a pop-up?
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
I didn't go any further. I didn't run OTLPE yet. I was waiting to hear back.
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
I ran OTLPE and got only one file, OTL.txt. It is below. Do I try to reboot or do you have something else?

OTL logfile created on: 1/26/2013 8:20:43 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): c:\pagefile.sys 8184 16368 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 372.61 Gb Total Space | 304.60 Gb Free Space | 81.75% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (ZSMC301b)
SRV - File not found [Auto] -- -- (usnjsvc)
SRV - File not found [Auto] -- -- (symantecantibotagent)
SRV - File not found [Auto] -- -- (statusagent4)
SRV - File not found [Auto] -- -- (sdcplh)
SRV - File not found [Auto] -- -- (ipassconnectengine)
SRV - File not found [Auto] -- -- (imagesrv)
SRV - File not found [Auto] -- -- (hpconfig)
SRV - File not found [Auto] -- -- (filterservice)
SRV - File not found [Auto] -- -- (dcstor32)
SRV - File not found [Auto] -- -- (dcfssvc)
SRV - File not found [Auto] -- -- (askernel)
SRV - File not found [Auto] -- -- (allegro)
SRV - [2012/01/18 16:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [On_Demand] -- C:\Program Files\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2003/03/08 23:31:02 | 000,065,795 | R--- | M] (HP) [Disabled] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (.mrxsmb)
DRV - [2013/01/25 19:14:45 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/08/26 07:56:17 | 000,121,248 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2012/04/11 16:28:28 | 000,026,400 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hitmanpro36.sys -- (hitmanpro35)
DRV - [2012/04/09 12:37:13 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2009/04/06 12:13:52 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2009/04/06 12:13:52 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2008/07/25 01:18:32 | 000,176,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/06/17 16:49:22 | 004,756,992 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/05/16 15:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
DRV - [2008/05/16 15:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
DRV - [2008/05/16 15:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV - [2008/05/16 15:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016mdm.sys -- (s0016mdm)
DRV - [2008/05/16 15:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
DRV - [2008/05/16 15:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016obex.sys -- (s0016obex)
DRV - [2008/05/16 15:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s0016bus.sys -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
DRV - [2008/01/09 14:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2007/04/03 16:59:42 | 000,099,080 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616unic.sys -- (s616unic) Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM)
DRV - [2007/04/03 16:59:42 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616obex.sys -- (s616obex)
DRV - [2007/04/03 16:59:42 | 000,023,176 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616nd5.sys -- (s616nd5) Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (NDIS)
DRV - [2007/04/03 16:59:40 | 000,100,360 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616mgmt.sys -- (s616mgmt) Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 16:59:38 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616mdm.sys -- (s616mdm)
DRV - [2007/04/03 16:59:36 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616mdfl.sys -- (s616mdfl)
DRV - [2007/04/03 16:59:30 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus) Sony Ericsson Device 616 driver (WDM)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Gerry_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Gerry_ON_C\Software\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\Gerry_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\Gerry_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\Gerry_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\Gerry_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Gerry_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\ZEON/PDF,version=2.0: C:\Program Files\Nuance\PDF Reader\bin\nppdf.dll (Zeon Corporation)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Gerry\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{422E658A-B71D-4ECB-B18D-43990CECDF3B}: C:\Documents and Settings\Gerry\Local Settings\Application Data\{422E658A-B71D-4ECB-B18D-43990CECDF3B} [2009/12/28 21:48:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/01/15 19:14:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2012/01/14 06:06:51 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/04/10 11:57:38 | 000,000,826 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKU\Gerry_ON_C\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\Gerry_ON_C\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\Gerry_ON_C\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [dxlat] C:\Documents and Settings\Gerry\Application Data\dxlat.dll ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [zutro] C:\Documents and Settings\Gerry\Application Data\zutro.dll (IDT, Inc.)
O4 - HKU\Gerry_ON_C..\Run: [AnyDVD] C:\Program Files\DVD\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKU\Gerry_ON_C..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Gerry_ON_C..\Run: [Sony PC Companion] C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe (Sony)
O4 - HKU\Gerry_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Gerry\Start Menu\Programs\Startup\KatMouse.lnk = C:\Program Files\KatMouse\KatMouse.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKU\Gerry_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1358643604078 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - HKU\Gerry_ON_C Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Gerry_ON_C Winlogon: Shell - (C:\Documents and Settings\Gerry\Application Data\skype.dat) - C:\Documents and Settings\Gerry\Application Data\skype.dat ()
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/11 12:11:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (猀瀀爀攀猀琀爀琀) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/01/26 17:34:46 | 000,000,000 | ---D | C] -- C:\FRST
[2013/01/26 15:59:08 | 000,000,000 | ---D | C] -- C:\NBRT
[2013/01/25 19:14:45 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/01/24 17:11:32 | 000,631,296 | ---- | C] (IDT, Inc.) -- C:\Documents and Settings\Gerry\Application Data\zutro.dll
[2013/01/24 17:10:39 | 000,180,224 | ---- | C] (Pmode) -- C:\Documents and Settings\Gerry\Application Data\dnctf.dll
[2013/01/19 19:58:24 | 000,697,864 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Gerry\My Documents\*.tmp files -> C:\Documents and Settings\Gerry\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/26 18:58:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/26 18:58:16 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Gerry\Application Data\skype.ini
[2013/01/26 18:58:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{4AE1076F-09C2-44D0-8AEA-647C5037DFD3}.job
[2013/01/26 18:56:50 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/26 18:56:39 | 000,006,524 | ---- | M] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
[2013/01/26 18:56:36 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/26 15:27:07 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/26 15:10:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/26 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2013/01/26 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2013/01/26 14:56:13 | 000,477,542 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/01/26 14:56:13 | 000,077,856 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/01/25 19:15:50 | 000,002,527 | ---- | M] () -- C:\Documents and Settings\Gerry\Desktop\HiJackThis.lnk
[2013/01/25 19:14:45 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/01/24 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2013/01/24 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2013/01/24 17:11:58 | 000,345,600 | ---- | M] () -- C:\Documents and Settings\Gerry\Application Data\dxlat.dll
[2013/01/24 17:11:35 | 000,631,296 | ---- | M] (IDT, Inc.) -- C:\Documents and Settings\Gerry\Application Data\zutro.dll
[2013/01/24 17:10:39 | 000,180,224 | ---- | M] (Pmode) -- C:\Documents and Settings\Gerry\Application Data\dnctf.dll
[2013/01/24 17:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2013/01/24 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2013/01/24 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2013/01/24 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2013/01/24 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2013/01/24 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2013/01/24 13:56:41 | 000,002,477 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2013/01/24 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2013/01/24 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2013/01/24 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2013/01/24 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2013/01/24 11:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2013/01/24 11:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2013/01/24 10:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2013/01/24 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2013/01/24 09:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2013/01/24 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2013/01/24 08:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2013/01/24 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2013/01/24 07:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2013/01/24 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2013/01/24 06:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2013/01/24 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2013/01/24 05:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2013/01/24 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2013/01/24 04:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2013/01/24 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/01/24 03:25:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2013/01/24 03:05:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/01/24 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2013/01/24 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2013/01/24 01:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2013/01/24 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2013/01/24 00:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2013/01/24 00:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2013/01/23 23:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2013/01/23 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2013/01/23 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2013/01/23 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2013/01/23 21:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2013/01/23 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2013/01/23 20:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2013/01/23 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2013/01/23 19:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2013/01/23 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2013/01/19 20:56:13 | 000,310,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/01/19 20:31:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/19 19:59:22 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2013/01/19 19:59:22 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2013/01/19 19:58:24 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/19 19:58:23 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/01/12 12:52:58 | 000,002,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ACDSee.lnk
[2013/01/09 14:26:21 | 000,000,908 | ---- | M] () -- C:\WINDOWS\Ulead32.ini
[2013/01/07 23:31:12 | 000,662,829 | ---- | M] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\census.cache
[2013/01/07 23:30:54 | 000,165,307 | ---- | M] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\ars.cache
[2013/01/07 18:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
[2013/01/06 00:34:35 | 006,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2012/12/28 19:31:25 | 000,550,711 | ---- | M] () -- C:\Documents and Settings\Gerry\My Documents\script.jpg
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Gerry\My Documents\*.tmp files -> C:\Documents and Settings\Gerry\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/24 17:15:57 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Gerry\Application Data\skype.ini
[2013/01/24 17:11:57 | 000,345,600 | ---- | C] () -- C:\Documents and Settings\Gerry\Application Data\dxlat.dll
[2013/01/24 17:11:36 | 000,006,524 | ---- | C] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
[2012/12/28 19:31:25 | 000,550,711 | ---- | C] () -- C:\Documents and Settings\Gerry\My Documents\script.jpg
[2012/04/16 11:45:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/04/13 15:24:34 | 000,662,829 | ---- | C] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\census.cache
[2012/04/13 15:24:32 | 000,165,307 | ---- | C] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\ars.cache
[2012/04/11 16:28:28 | 000,026,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro36.sys
[2012/04/10 21:58:08 | 000,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/04/10 20:33:19 | 000,711,240 | ---- | C] () -- C:\WINDOWS\is-U3ASI.exe
[2012/04/05 20:04:59 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2012/03/09 17:36:50 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/14 20:40:58 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/09 19:26:36 | 000,576,054 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3240264975-1964901538-269542980-1007-0.dat
[2012/01/09 19:26:36 | 000,288,166 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/01/09 19:04:59 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2012/01/09 19:04:59 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2012/01/09 19:04:59 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2012/01/09 19:04:59 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2012/01/09 19:04:59 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2012/01/09 19:04:59 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2012/01/09 19:04:59 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2012/01/09 19:04:59 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2012/01/09 19:04:59 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2012/01/09 19:04:59 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2012/01/09 19:04:59 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2012/01/09 19:04:59 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2012/01/09 19:04:59 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2012/01/09 19:04:59 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2012/01/09 19:04:59 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2012/01/09 19:04:59 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2012/01/09 19:04:59 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2012/01/09 19:04:59 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2012/01/09 19:04:59 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/04/15 17:26:17 | 000,000,908 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2010/04/15 17:25:35 | 000,000,016 | ---- | C] () -- C:\WINDOWS\S2600.INI
[2009/12/29 15:40:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\21328.exe
[2009/12/29 15:09:15 | 000,000,544 | ---- | C] () -- C:\WINDOWS\xwininit.ini
[2009/12/29 14:52:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\11478.exe
[2009/12/29 14:32:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\15724.exe
[2009/12/29 14:12:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\19169.exe
[2009/12/29 13:52:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2009/12/29 00:59:33 | 000,000,083 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/12/28 23:54:53 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\housecall.guid.cache
[2009/12/28 21:48:44 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wvakamanewohisi.dat
[2009/12/28 21:48:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Nhanulato.bin
[2009/12/28 19:03:06 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\Gerry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/28 18:12:30 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2009/12/28 18:12:30 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2009/12/28 18:11:57 | 000,561,152 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2009/08/03 18:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 18:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/03/11 12:32:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/11 12:28:15 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/03/11 12:27:50 | 000,001,996 | ---- | C] () -- C:\WINDOWS\System32\drivers\HDACfg.dat
[2009/03/11 12:22:21 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/03/11 12:14:22 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/03/11 12:08:54 | 000,022,816 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/03/11 03:12:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/11 03:11:19 | 000,310,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/08/21 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/08/21 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/08/21 07:00:00 | 000,477,542 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/08/21 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/08/21 07:00:00 | 000,266,332 | ---- | C] () -- C:\WINDOWS\System32\s1an.dll
[2008/08/21 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/08/21 07:00:00 | 000,077,856 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/08/21 07:00:00 | 000,057,344 | -HS- | C] () -- C:\Documents and Settings\Gerry\Application Data\skype.dat
[2008/08/21 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/08/21 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/08/21 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/08/21 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/08/21 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/08/21 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1999/01/22 06:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/12/28 19:02:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\ACD Systems
[2010/11/03 18:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Ashampoo
[2012/03/27 18:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\DriverCure
[2011/09/27 18:13:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Free Sound Recorder
[2009/12/28 19:51:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Helios
[2012/04/06 16:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Ikysa
[2010/12/01 17:42:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Nuance
[2012/04/06 20:17:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Owqeow
[2012/03/27 18:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\ParetoLogic
[2012/08/01 10:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Poarf
[2012/08/01 11:40:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Tiy
[2011/05/11 19:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Unity
[2010/12/01 17:41:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gerry\Application Data\Zeon
[2009/12/28 19:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2010/11/03 18:35:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2010/01/14 15:13:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2012/02/11 14:19:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/12/01 17:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/12/29 18:22:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2012/04/11 12:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2010/12/01 17:41:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2012/01/09 19:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
[2012/03/27 19:01:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/12/01 17:41:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/12/29 00:59:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2012/05/04 15:56:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2009/12/29 15:59:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/11/05 12:02:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2013/01/24 03:05:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2013/01/24 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2013/01/24 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2013/01/24 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2013/01/26 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2013/01/24 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2013/01/24 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2013/01/24 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2013/01/23 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2013/01/23 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2013/01/23 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2013/01/24 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2013/01/23 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2013/01/23 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2013/01/24 00:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2013/01/24 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2013/01/24 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2013/01/24 03:25:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2013/01/24 04:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2013/01/24 05:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2013/01/24 06:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2013/01/24 07:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2013/01/24 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2013/01/24 08:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2013/01/24 09:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2013/01/24 10:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2013/01/24 11:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2013/01/24 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2013/01/24 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2013/01/24 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2013/01/26 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2013/01/24 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2013/01/24 17:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2013/01/24 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2013/01/24 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2013/01/23 19:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2013/01/23 20:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2013/01/23 21:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2013/01/23 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2013/01/23 23:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2013/01/24 00:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2013/01/24 01:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2013/01/24 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2013/01/24 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2013/01/24 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2013/01/24 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2013/01/24 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2013/01/24 11:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/03/30 18:16:12 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1262045774.job
[2013/01/26 18:58:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{4AE1076F-09C2-44D0-8AEA-647C5037DFD3}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Don't restart now...

While in OTLPE, double click the OTLPE icon.



STEP 1: Run the below OTL fix
<ol><li>Start <b>OTLPE</b></li>
<li>Copy/paste the following text written <b>inside of the code box</b> into the <b>Custom Scans/Fixes</b> box located at the bottom of OTL
Code:
:OTL
O20 - HKU\Gerry_ON_C Winlogon: Shell - (C:\Documents and Settings\Gerry\Application Data\skype.dat) - C:\Documents and Settings\Gerry\Application Data\skype.dat ()


:Files
C:\Documents and Settings\Gerry\Application Data\skype.ini
C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx
C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3240264975-1964901538-269542980-1007-0.dat
C:\Documents and Settings\Gerry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Documents and Settings\Gerry\Application Data\zutro.dll
C:\Documents and Settings\Gerry\Application Data\dxlat.dll
C:\Documents and Settings\Gerry\Application Data\dnctf.dll
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L\00000004.@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U

:commands
[emptytemp]
[reboot]
<b>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</b></li>
<li>Then click the <b>Run Fix</b> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />
 

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Here is the txt from OTLPE. I rebooted to Reatogo cd.


========== OTL ==========
Registry value HKEY_USERS\Gerry_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Gerry\Application Data\skype.dat deleted successfully.
C:\Documents and Settings\Gerry\Application Data\skype.dat moved successfully.
========== FILES ==========
C:\Documents and Settings\Gerry\Application Data\skype.ini moved successfully.
C:\Documents and Settings\Gerry\Local Settings\Application Data\bcd3c458-4812-48d6-8c8b-de77ed5aef13.crx moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3240264975-1964901538-269542980-1007-0.dat moved successfully.
C:\Documents and Settings\Gerry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
C:\Documents and Settings\Gerry\Application Data\zutro.dll moved successfully.
C:\Documents and Settings\Gerry\Application Data\dxlat.dll moved successfully.
C:\Documents and Settings\Gerry\Application Data\dnctf.dll moved successfully.
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U folder moved successfully.
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L folder moved successfully.
C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6} folder moved successfully.
File\Folder C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@ not found.
File\Folder C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L not found.
File\Folder C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U not found.
File\Folder C:\Windows\Installer\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L\00000004.@ not found.
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U folder moved successfully.
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L folder moved successfully.
C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6} folder moved successfully.
File\Folder C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\@ not found.
File\Folder C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\L not found.
File\Folder C:\Documents and Settings\Gerry\Local Settings\Application Data\{50c84355-9397-8cbb-fbeb-fdd8ffde05f6}\U not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Gerry
->Temp folder emptied: 1953181489 bytes
->Temporary Internet Files folder emptied: 260253944 bytes
->Java cache emptied: 68864625 bytes
->Flash cache emptied: 42113 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 539816592 bytes
->Java cache emptied: 38536 bytes
->Flash cache emptied: 66769 bytes

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 1560954030 bytes
->Java cache emptied: 15282 bytes
->Flash cache emptied: 124270 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 7204878 bytes
%systemroot%\System32 .tmp files removed: 2805777 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 456249194 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 432325204 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 281493 bytes

Total Files Cleaned = 5,038.00 mb


OTLPE by OldTimer - Version 3.1.48.0 log created on 01262013_205627
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay Great.....:) Now you can reboot the computer... :)



After the reboot, if you get only a black screen, follow Step 1...

Press Control + Alt + Delete. Task Manager will open.

In Task Manager, click File --> New Task. In the New Task window, type EXPLORER.EXE and press OK... You will now be able to see your computer desktop...

STEP 1: Repair the malicious changes this infection made to your Windows Registry.

This infection has changed your Windows registry settings so that when you try to start the computer it loads the infection instead of your Windows Desktop.

  1. Download the WinlogonFix.reg file to fix the malicious registry changes made by this infection.
    REGISTRYFIX.REG DOWNLOAD LINK (This link will automatically download the registry fix called WinlogonFix.reg)
  2. Double-click on the WinlogonFix.reg file to run it. Click “Yes” at the Registry Editor prompt window, then click OK.
<hr />



Please run the following utility so that I can get a log of your system...
STEP 2 : Run a scan with Combofix
Please read and follow very carefully the below instructions

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<b>Very Important!</b> Temporarily <b>disable</b> your <b>anti-virus</b>, <b>script blocking</b> and any <b>anti-malware</b> real-time protection <em><b>before</b></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><b>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</b>. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------

How to run the Combofix scan :
  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow it to update if it asks.
  3. When finished, it shall produce a log for you.
    Please include the C:\ComboFix.txt in your next reply.

Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.</li></ol>



<hr />
 
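The OTL listing Gerry posted (the long run of At*.job tasks, the two alternate data streams), the OTL fix script (the O20 Winlogon Shell entry pointing at skype.dat, the {GUID}\@, L and U folders) and the WinlogonFix.reg step all turn on the same handful of indicators. The script below is an added example, not part of this thread and not OTL's own code: it parses OTL-style listing, O20 and @Alternate Data Stream lines and flags those indicators so a helper can triage a log before writing a fix. The sample lines, the user name, the GUID, the stream name and the threshold of ten At-jobs are constructed assumptions for the demo.

```python
"""Triage OTL log lines for the indicators seen in this thread.

Added example (not part of the thread, not OTL's own code). It reads
OTL-style lines and flags:
  * a Winlogon Shell value that is not explorer.exe (the O20 line),
  * a burst of At<N>.job files in %SystemRoot%\\Tasks,
  * {GUID}\\@, \\L or \\U folders under Installer / Local Settings,
  * any @Alternate Data Stream entry (OTL only lists these because they
    are uncommon, so each one deserves a look).
"""
import re
from collections import Counter

# Listing line: "[YYYY/MM/DD HH:MM:SS | 000,000,416 | ---- | M] () -- C:\path"
# (directory lines omit the "()" company field and carry "---D" attributes)
LISTING_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| M\] (?:\([^)]*\) )?-- (?P<path>.+)$"
)
# O20 line: "O20 - <hive> Winlogon: Shell - (<value>) - <resolved path> (<company>)"
SHELL_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: Shell - \((?P<value>.+?)\) - ")
# ADS line: "@Alternate Data Stream - 115 bytes -> C:\host\path:STREAM"
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$"
)
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
GUID_LU_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\(?:@|L|U)$", re.IGNORECASE)

# Assumption: a home PC has no reason to carry ten or more at.exe jobs.
AT_JOB_THRESHOLD = 10
DEFAULT_SHELL = "explorer.exe"


def analyze(lines):
    """Return a list of finding dicts, one per indicator hit."""
    findings = []
    at_jobs = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            value = m.group("value").strip()
            # Anything other than explorer.exe is loaded instead of the desktop
            if value.lower() != DEFAULT_SHELL:
                findings.append({"kind": "winlogon_shell_hijack",
                                 "hive": m.group("hive"), "value": value})
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append({"kind": "alternate_data_stream", "host": m.group("host"),
                             "stream": m.group("stream"), "bytes": int(m.group("size"))})
            continue
        m = LISTING_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if AT_JOB_RE.search(path):
            at_jobs.append((m.group("ts"), path))
        elif GUID_LU_RE.search(path):
            findings.append({"kind": "guid_lu_folder", "path": path})
    if len(at_jobs) >= AT_JOB_THRESHOLD:
        stamps = sorted(ts for ts, _ in at_jobs)
        findings.append({"kind": "at_job_burst", "count": len(at_jobs),
                         "first": stamps[0], "last": stamps[-1]})
    return findings


def summarize(findings):
    """Count findings per kind (handy for a quick glance at a long log)."""
    return Counter(f["kind"] for f in findings)


# Constructed sample mirroring the thread's log format; the user name,
# GUID, stream name and file names are made up for the demo.
SAMPLE_LINES = [
    r"[2012/04/11 12:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - HKU\user_ON_C Winlogon: Shell - (C:\Documents and Settings\user\Application Data\example.dat) - C:\Documents and Settings\user\Application Data\example.dat ()",
    r"[2013/01/24 03:05:00 | 000,000,000 | ---D | M] -- C:\Windows\Installer\{00000000-1111-2222-3333-444444444444}\L",
    r"@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DEADBEEF",
] + [
    rf"[2013/01/24 {h:02d}:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At{h}.job"
    for h in range(1, 13)
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LINES)
    for f in found:
        print(f)
    print(dict(summarize(found)))
```

The default-shell O20 line in the sample is deliberately left unflagged: the check is on the value, not on the presence of the line, so a clean log produces no finding. Anything the script flags is a lead to confirm by hand (as kuttus does above by listing the exact paths in the fix script), not a verdict.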

Gerry

New Member
Thread author
Verified
Jan 26, 2013
23
Will I be able to download the regfix and combofix from the infected PC or do I download them on the good one and transfer via a flash drive?
 