TechSpot

Conficker virus help on computer touch

By al davis
Nov 16, 2010
  1. I have the initial set of files from a computer on the same network as the one Broni is helping me with (conficker virus)

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.0.2195 Service Pack 4
    Internet Explorer 5.00.3700.1000

    10/17/2010 7:25:37 AM
    mbam-log-2010-10-17 (07-25-37).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 100706
    Time elapsed: 14 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-10-17 08:24:28
    Windows 5.0.2195 Service Pack 4
    Running: bco3fvo5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtcipoc.sys


    ---- Services - GMER 1.0.15 ----

    Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] alyfo <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@DisplayName Installer Microsoft
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Description Manages network configuration by registering and updating IP addresses and DNS names.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters@ServiceDll C:\WINNT\system32\dhvml.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@DisplayName Installer Microsoft
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@Start 2
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@Description Manages network configuration by registering and updating IP addresses and DNS names.
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\alyfo\Parameters@ServiceDll C:\WINNT\system32\dhvml.dll

    ---- EOF - GMER 1.0.15 ----
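The GMER registry dump above is where the malicious service shows itself: hidden from the Service Control Manager, hosted by svchost.exe in the netsvcs group, carrying the DHCP Client's description but loading an unrelated DLL. As an added example (not code from the thread, GMER or ComboFix), the following Python script parses GMER's Services and Registry sections and applies those checks; the description-to-DLL mapping for dhcpcsvc.dll and the benign Dhcp entry in the sample are assumptions constructed for the example.

```python
"""Triage svchost-hosted services from a GMER "Registry" dump.

Added example for this thread (not code from TechSpot, GMER or ComboFix).
It turns the checks the helper applied by eye to the GMER log above into
code: a service that GMER reports as hidden, that runs inside svchost.exe,
and whose Description is copied from a legitimate Windows service while its
ServiceDll points at a different DLL.
"""
import ntpath
import re
from collections import defaultdict

# Description -> ServiceDll of the genuine service using that description.
# Assumption for this example: the DHCP Client description and dhcpcsvc.dll;
# on a real host the mapping should come from a clean baseline of the same
# Windows build.
KNOWN_DESCRIPTIONS = {
    "Manages network configuration by registering and updating IP addresses "
    "and DNS names.": "dhcpcsvc.dll",
}

# SCM constants for the Type and Start values GMER prints as bare integers.
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Sample input: lines copied from the GMER log in the thread, plus a constructed
# entry for the real DHCP Client service as a benign comparison.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] alyfo <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@DisplayName Installer Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters@ServiceDll C:\WINNT\system32\dhvml.dll
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@DisplayName DHCP Client
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters@ServiceDll %SystemRoot%\System32\dhcpcsvc.dll
"""

HIDDEN_RE = re.compile(r"^Service\s+\S+\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<svc>\w+)")
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>\w+)"
    r"(?P<sub>(?:\\\w+)*)"                  # optional subkeys such as \Parameters
    r"(?:@(?P<name>\w+)\s+(?P<value>.*))?"  # @ValueName followed by the data
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\w+)", re.IGNORECASE)


def parse_gmer(text):
    """Return ({(controlset, service): {value: data}}, {hidden service names})."""
    services = defaultdict(dict)
    hidden = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            hidden.add(m["svc"])
            continue
        m = REG_RE.match(line)
        if m and m["name"]:
            services[(m["cs"], m["svc"])][m["name"]] = m["value"].strip()
    return services, hidden


def triage(services, hidden, control_set="CurrentControlSet"):
    """One finding per svchost-hosted service in control_set that fails a check."""
    findings = []
    for (cs, name), vals in sorted(services.items()):
        host = SVCHOST_RE.search(vals.get("ImagePath", ""))
        if cs != control_set or not host:
            continue                          # only shared-process services matter here
        dll = vals.get("ServiceDll", "")
        reasons = []
        if name in hidden:
            reasons.append("hidden from the Service Control Manager (GMER)")
        expected = KNOWN_DESCRIPTIONS.get(vals.get("Description", ""))
        if expected and ntpath.basename(dll).lower() != expected:
            reasons.append(f"description belongs to {expected} but ServiceDll is {dll}")
        if reasons:
            findings.append({
                "service": name,
                "group": host["group"],
                "display_name": vals.get("DisplayName", ""),
                "service_dll": dll,
                "type": SERVICE_TYPES.get(int(vals.get("Type", "0")), "unknown"),
                "start": START_TYPES.get(int(vals.get("Start", "-1")), "unknown"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    parsed, hidden_names = parse_gmer(SAMPLE_LOG)
    for f in triage(parsed, hidden_names):
        print(f"{f['service']} ({f['display_name']}) in svchost group {f['group']}: "
              f"{f['type']}, {f['start']}, ServiceDll={f['service_dll']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run against the thread's lines, only alyfo is reported; the constructed Dhcp entry passes because its ServiceDll matches the description it carries.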
     
  3. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows 2000 Professional
    Boot Device: \Device\Harddisk0\Partition1
    Install Date:
    System Uptime: 10/17/2010 2:08:49 AM (6 hours ago)

    Motherboard: Computer Dynamics | |
    Processor: Intel Pentium III processor | Slot 1 | 846/mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 18 GiB total, 15.215 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {C671678C-82C1-43F3-D700-0049433E9A4B}
    Description: WinDriver
    Device ID: ROOT\JUNGO\0001
    Manufacturer: Jungo
    Name: WinDriver
    PNP Device ID: ROOT\JUNGO\0001
    Service: WinDriver6

    Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
    Description: NT Apm/Legacy Interface Node
    Device ID: ROOT\NTAPM\0000
    Manufacturer: Microsoft
    Name: NT Apm/Legacy Interface Node
    PNP Device ID: ROOT\NTAPM\0000
    Service: NtApm

    Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
    Description: Intel PCIC compatible PCMCIA controller
    Device ID: ROOT\PCMCIA\0000
    Manufacturer: Intel
    Name: Intel PCIC compatible PCMCIA controller
    PNP Device ID: ROOT\PCMCIA\0000
    Service: pcmcia

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    DU Meter
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 2.0
    Universal Pointer Device Driver
    WebFldrs
    Windows Installer 3.0 (KB884016)
    Xilinx ISE 6

    ==== End Of File ===========================
     
  4. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 8:45:34.92 on Sun 10/17/2010
    Internet Explorer: 5.00.3700.1000
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.128.44 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\UPDD\TBSysTry.exe
    C:\virus_et_al\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msn.com
    mDefault_Page_URL = hxxp://www.msn.com
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [CHIPSStart] CHPSTART.EXE
    mRun: [CHIPSPtrt] CHPSPTRT.EXE
    mRun: [TBSysTry] c:\program files\updd\TBSysTry.exe
    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
    TCP: {E82024DE-0A46-46EF-BC60-6533E762E89D} = 64.7.11.2,216.200.176.4

    ============= SERVICES / DRIVERS ===============

    R?2 alyfo;Installer Microsoft;c:\winnt\system32\svchost.exe -k netsvcs [1979-12-31 7952]
    R0 TBUPDDMP;TBUPDDMP;\SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS [?]
    R1 TBUPDDWD;TBUPDDWD;c:\winnt\system32\drivers\TBUPDDWD.SYS [2003-2-27 261197]
    R3 chips;chips;c:\winnt\system32\drivers\chipsm5.sys [2001-4-16 96811]
    R3 E100E;E100E;c:\winnt\system32\drivers\e100ent.sys [2001-4-16 25360]
    R3 mlnxfltr;mlnxfltr;c:\winnt\system32\drivers\mlnxfltr.sys [2004-1-15 7884]
    S3 MultiLINX;MultiLINX;c:\winnt\system32\drivers\mltlnx.sys [2004-1-15 11811]
    S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2001-4-16 9104]

    =============== Created Last 30 ================

    2010-10-17 13:45:37 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_284.dat
    2010-10-17 12:06:25 0 d-----r- C:\virus_et_al
    2010-10-15 19:55:44 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-10-15 19:55:36 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-10-15 19:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-15 19:55:33 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-10-15 19:55:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-15 19:54:47 6153352 ----a-w- C:\mbam-setup-1.46.exe

    ==================== Find3M ====================

    2001-04-16 18:02:36 271 ---h--w- c:\program files\desktop.ini
    2001-04-16 18:02:36 21952 ---h--w- c:\program files\folder.htt
    1999-12-07 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

    ============= FINISH: 8:45:48.22 ===============
     
  5. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You posted same logs again, which I removed.
    Please, read my previous reply.
     
  7. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    I loaded Avast and ran a full scan. It reported 'number of infected files = 0'
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    When I try to run MBRCheck I get a persistent message
    'not a valid win32 application'. I've tried the download 3 times.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Run this instead...

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  11. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    I was not able to capture the text from the window but I saw this logfile on the desktop that appears to have the info that was on the screen in its last 8 lines.

    .\debug.cpp(238) : Debug log started at 20.11.2010 - 15:25:52
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x80400000 0x001a3a00 "\WINNT\System32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x80062000 0x000174e0 "\WINNT\System32\hal.dll"
    .\debug.cpp(256) : 0xf7410000 0x00003000 "\WINNT\System32\BOOTVID.DLL"
    .\debug.cpp(256) : 0xf7000000 0x0000f000 "pci.sys"
    .\debug.cpp(256) : 0xf7010000 0x0000c000 "isapnp.sys"
    .\debug.cpp(256) : 0xf7500000 0x00002000 "intelide.sys"
    .\debug.cpp(256) : 0xf7280000 0x00006000 "\WINNT\System32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf7288000 0x00008000 "MountMgr.sys"
    .\debug.cpp(256) : 0xbffc8000 0x0001d000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf7502000 0x00002000 "Diskperf.sys"
    .\debug.cpp(256) : 0xf75c8000 0x00001000 "\WINNT\System32\Drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0xf7504000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xbffa6000 0x00022000 "dmio.sys"
    .\debug.cpp(256) : 0xf7414000 0x00003000 "PartMgr.sys"
    .\debug.cpp(256) : 0xbff90000 0x00016000 "atapi.sys"
    .\debug.cpp(256) : 0xf7290000 0x00008000 "disk.sys"
    .\debug.cpp(256) : 0xf7020000 0x00009000 "\WINNT\System32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xbff7e000 0x00012000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf7030000 0x00010000 "TBUPDDMP.SYS"
    .\debug.cpp(256) : 0xbfefb000 0x00083000 "Ntfs.sys"
    .\debug.cpp(256) : 0xbfed1000 0x0002a000 "NDIS.sys"
    .\debug.cpp(256) : 0xbfebb000 0x00016000 "Mup.sys"
    .\debug.cpp(256) : 0xf7298000 0x00006000 "agp440.sys"
    .\debug.cpp(256) : 0xbfe67000 0x00023000 "\SystemRoot\system32\drivers\windrvr6.sys"
    .\debug.cpp(256) : 0xf75cb000 0x00001000 "\SystemRoot\System32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xf7050000 0x0000d000 "\SystemRoot\System32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xf7470000 0x00003000 "\SystemRoot\System32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xbfe50000 0x00017000 "\SystemRoot\System32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xf7480000 0x00004000 "\SystemRoot\System32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xf7060000 0x0000c000 "\SystemRoot\System32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xf72c0000 0x00005000 "\SystemRoot\System32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xf72d0000 0x00005000 "\SystemRoot\System32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xf7070000 0x0000f000 "\SystemRoot\System32\DRIVERS\parallel.sys"
    .\debug.cpp(256) : 0xf7080000 0x0000d000 "\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xbfe39000 0x00017000 "\SystemRoot\System32\DRIVERS\chipsm5.sys"
    .\debug.cpp(256) : 0xf7310000 0x00005000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xf72f8000 0x00008000 "\SystemRoot\System32\DRIVERS\uhcd.sys"
    .\debug.cpp(256) : 0xf7320000 0x00007000 "\SystemRoot\System32\DRIVERS\e100ent.sys"
    .\debug.cpp(256) : 0xbfe1d000 0x0001c000 "\SystemRoot\System32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xf75cc000 0x00001000 "\SystemRoot\System32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xbfdf2000 0x0002b000 "\SystemRoot\System32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xf7090000 0x0000c000 "\SystemRoot\System32\DRIVERS\i8042prt.sys"
    .\debug.cpp(256) : 0xf7330000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf7340000 0x00007000 "\SystemRoot\System32\DRIVERS\parport.sys"
    .\debug.cpp(256) : 0xf70a0000 0x00010000 "\SystemRoot\System32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xf7498000 0x00004000 "\SystemRoot\System32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xf7358000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xf7368000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf70b0000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xf7378000 0x00007000 "\SystemRoot\System32\Drivers\EFS.SYS"
    .\debug.cpp(256) : 0xf750c000 0x00002000 "\SystemRoot\system32\drivers\mlnxfltr.sys"
    .\debug.cpp(256) : 0xf70c0000 0x0000a000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf7398000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
    .\debug.cpp(256) : 0xf7514000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xf75d0000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf75d1000 0x00001000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xbf985000 0x00025000 "\SystemRoot\System32\Drivers\TBUPDDWD.SYS"
    .\debug.cpp(256) : 0xf74d0000 0x00004000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf75d2000 0x00001000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xf73d0000 0x00006000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xf70e0000 0x00009000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xf751c000 0x00002000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xbf913000 0x00052000 "\SystemRoot\System32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xf70f0000 0x00009000 "\SystemRoot\System32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xf73e8000 0x00008000 "\SystemRoot\System32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xf7100000 0x00009000 "\SystemRoot\System32\Drivers\aswTdi.SYS"
    .\debug.cpp(256) : 0xbf8e9000 0x0002a000 "\SystemRoot\System32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xf7110000 0x00009000 "\SystemRoot\System32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xbf8be000 0x0002b000 "\SystemRoot\System32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xbf845000 0x00067000 "\SystemRoot\System32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xbf82e000 0x00017000 "\SystemRoot\System32\Drivers\aswSP.SYS"
    .\debug.cpp(256) : 0xf7408000 0x00005000 "\SystemRoot\System32\Drivers\Aavmker4.SYS"
    .\debug.cpp(256) : 0xf75d3000 0x00001000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf7f0000 0x00016000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xa0000000 0x001a4000 "\??\C:\WINNT\system32\win32k.sys"
    .\debug.cpp(256) : 0xbf7be000 0x00032000 "\SystemRoot\System32\chipsd5.dll"
    .\debug.cpp(256) : 0xbedc0000 0x0001e000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xf7556000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
    .\debug.cpp(256) : 0xbed5b000 0x00015000 "\SystemRoot\System32\Drivers\aswMon.SYS"
    .\debug.cpp(256) : 0xbf71e000 0x00009000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xbec07000 0x0003c000 "\SystemRoot\System32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xbeda0000 0x00004000 "\SystemRoot\System32\drivers\XPC4DRVR.SYS"
    .\debug.cpp(256) : 0xbeacc000 0x00023000 "\SystemRoot\System32\Drivers\Fastfat.SYS"
    .\debug.cpp(256) : 0xbe99c000 0x00010000 "\SystemRoot\System32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xbe924000 0x00004000 "\SystemRoot\System32\Drivers\aswRdr.SYS"
    .\debug.cpp(256) : 0x77f80000 0x0007b000 "\WINNT\system32\NTDLL.DLL"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(459) : NtOpenDirectoryObject() fails; status: 0xc0000034
    .\debug.cpp(460) : LogPrintDeviceObjects(): Error while requesting device objects info
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(373) : ProcessPhysicalDisc(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(1055) : ERROR: No physical disks found
    .\boot_cleaner.cpp(1151) : Done;
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please, proceed with Combofix.
     
  13. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    ComboFix 10-11-21.02 - Administrator 11/22/2010 7:24.1.1 - x86
    Running from: c:\virus_et_al\ComboFix.exe
    .
    /wow section - STAGE 10


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\winnt\Web\default.htt

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-01 04:46 . 2010-10-15 19:54 6153352 ----a-w- C:\mbam-setup-1.46.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
    "CHIPSStart"="CHPSTART.EXE" [1999-12-03 40960]
    "CHIPSPtrt"="CHPSPTRT.EXE" [1999-12-03 196608]
    "TBSysTry"="c:\program files\UPDD\TBSysTry.exe" [2000-07-19 295936]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

    2;2 alyfo;Installer Microsoft;c:\winnt\system32\svchost.exe [x]
    R3 MultiLINX;MultiLINX;c:\winnt\system32\drivers\mltlnx.sys [2004-01-15 11811]
    R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
    S0 TBUPDDMP;TBUPDDMP;c:\winnt\\SystemRoot\System32\Drivers\TBUPDDMP.SYS [x]
    S1 aswSP;avast! Self Protection; [x]
    S1 TBUPDDWD;TBUPDDWD;c:\winnt\System32\Drivers\TBUPDDWD.SYS [2000-07-19 261197]
    S2 aswMon;avast! Standard Shield Support; [x]
    S3 chips;chips;c:\winnt\system32\DRIVERS\chipsm5.sys [1999-12-03 96811]
    S3 E100E;E100E;c:\winnt\system32\DRIVERS\e100ent.sys [1999-05-27 25360]
    S3 mlnxfltr;mlnxfltr;c:\winnt\system32\drivers\mlnxfltr.sys [2004-01-15 7884]


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    alyfo
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    LSP: %SystemRoot%\system32\msafd.dll
    TCP: {E82024DE-0A46-46EF-BC60-6533E762E89D} = 64.7.11.2,216.200.176.4
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-22 07:32
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alyfo]
    "ServiceDll"="c:\winnt\system32\dhvml.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(200)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL
    .
    Completion time: 2010-11-22 07:38:38
    ComboFix-quarantined-files.txt 2010-11-22 12:38

    Pre-Run: 15,973,901,824 bytes free
    Post-Run: 15,951,243,264 bytes free

    - - End Of File - - FE47C5B2AFF75288F2ED3C39949902EB
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    My instructions say to run Combofix from the desktop.
    Please, move the file to the correct location.

    ==========================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\winnt\system32\dhvml.dll
    
    Driver::
    alyfo
    
    NetSvc::
    alyfo
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alyfo]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  15. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    removed original file that I posted in error
     
  16. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    ComboFix 10-11-22.05 - Administrator 11/23/2010 7:33.3.1 - x86
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

    FILE ::
    "c:\winnt\system32\dhvml.dll"
    .
    /wow section - STAGE 10


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ALYFO
    -------\Service_alyfo


    ((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-01 04:46 . 2010-10-15 19:54 6153352 ----a-w- C:\mbam-setup-1.46.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
    "CHIPSStart"="CHPSTART.EXE" [1999-12-03 40960]
    "CHIPSPtrt"="CHPSPTRT.EXE" [1999-12-03 196608]
    "TBSysTry"="c:\program files\UPDD\TBSysTry.exe" [2000-07-19 295936]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

    R0 TBUPDDMP;TBUPDDMP;\SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS [?]
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [10/21/2010 8:11 AM 114768]
    R1 TBUPDDWD;TBUPDDWD;c:\winnt\system32\drivers\TBUPDDWD.SYS [2/27/2003 1:34 PM 261197]
    R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [10/21/2010 8:11 AM 93424]
    R3 chips;chips;c:\winnt\system32\drivers\chipsm5.sys [4/16/2001 2:25 PM 96811]
    R3 E100E;E100E;c:\winnt\system32\drivers\e100ent.sys [4/16/2001 1:45 PM 25360]
    R3 mlnxfltr;mlnxfltr;c:\winnt\system32\drivers\mlnxfltr.sys [1/15/2004 10:46 AM 7884]
    S3 MultiLINX;MultiLINX;c:\winnt\system32\drivers\mltlnx.sys [1/15/2004 10:46 AM 11811]
    S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [4/16/2001 7:47 AM 9104]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    LSP: %SystemRoot%\system32\msafd.dll
    TCP: {E82024DE-0A46-46EF-BC60-6533E762E89D} = 64.7.11.2,216.200.176.4
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-23 07:51
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\winnt\system32\Perflib_Perfdata_204.dat 16384 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(200)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL

    - - - - - - - > 'explorer.exe'(1064)
    c:\winnt\AppPatch\AcLayers.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\winnt\system32\regsvc.exe
    c:\winnt\system32\MSTask.exe
    c:\winnt\System32\WBEM\WinMgmt.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-23 07:54:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-23 12:54
    ComboFix2.txt 2010-11-23 12:18
    ComboFix3.txt 2010-11-22 12:38

    Pre-Run: 15,968,823,296 bytes free
    Post-Run: 15,927,565,312 bytes free

    - - End Of File - - 452D53C79B35345ECFF6AD1C525DEF6D
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  18. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    OTL logfile created on: 11/24/2010 6:44:16 AM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
    Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
    Internet Explorer (Version = 5.00.3700.1000)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    128.00 Mb Total Physical Memory | 3.00 Mb Available Physical Memory | 2.00% Memory free
    495.00 Mb Paging File | 180.00 Mb Available in Paging File | 36.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
    Drive C: | 17.91 Gb Total Space | 14.85 Gb Free Space | 82.93% Space Free | Partition Type: NTFS

    Computer Name: TOUCHSCNRTM-II | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    PRC - [2010/11/22 07:01:43 | 002,752,560 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
    PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
    PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    PRC - [2003/06/19 12:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
    PRC - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
    PRC - [2003/06/19 12:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
    PRC - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
    PRC - [2000/07/19 02:50:00 | 000,295,936 | ---- | M] () -- C:\Program Files\UPDD\TBSYSTRY.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    MOD - [2003/06/19 12:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
    MOD - [2003/06/19 12:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
    MOD - [1999/12/07 07:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
    SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
    SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
    SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
    SRV - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
    SRV - [2003/06/19 12:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
    SRV - [2003/06/19 12:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
    SRV - [2003/06/19 12:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
    SRV - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
    SRV - [2003/06/19 12:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\DMusic.sys -- (DMusic)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2009/11/24 18:51:09 | 000,093,424 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINNT\System32\drivers\aswmon.sys -- (aswMon)
    DRV - [2009/11/24 18:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2009/11/24 18:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2009/11/24 18:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2009/11/24 18:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2004/01/15 12:46:56 | 000,256,568 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\windrvr6.sys -- (WinDriver6)
    DRV - [2004/01/15 12:46:55 | 000,014,336 | ---- | M] (Xilinx, Inc.) [Kernel | Auto | Running] -- C:\WINNT\System32\drivers\XPC4DRVR.SYS -- (XilinxPC4Driver)
    DRV - [2004/01/15 10:46:20 | 000,011,811 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mltlnx.sys -- (MultiLINX)
    DRV - [2004/01/15 10:46:20 | 000,007,884 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mlnxfltr.sys -- (mlnxfltr)
    DRV - [2003/06/19 12:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
    DRV - [2003/06/19 12:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
    DRV - [2003/06/19 12:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
    DRV - [2003/06/19 12:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
    DRV - [2003/06/19 12:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
    DRV - [2003/06/19 12:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
    DRV - [2003/06/19 12:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
    DRV - [2000/07/19 02:50:00 | 000,261,197 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\System32\Drivers\TBUPDDWD.SYS -- (TBUPDDWD)
    DRV - [2000/07/19 02:50:00 | 000,055,304 | ---- | M] () [Kernel | Boot | Running] -- C:\WINNT\System32\Drivers\TBUPDDMP.SYS -- (TBUPDDMP)
    DRV - [1999/12/07 07:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
    DRV - [1999/12/07 07:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
    DRV - [1999/12/03 01:39:00 | 000,096,811 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chipsm5.sys -- (chips)
    DRV - [1999/09/25 05:36:48 | 000,009,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\NtApm.sys -- (NtApm)
    DRV - [1999/05/27 15:13:40 | 000,025,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e100ent.sys -- (E100E)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    O1 HOSTS File: ([2010/11/23 07:46:56 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
    O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
    O4 - HKLM..\Run: [CHIPSPtrt] C:\WINNT\System32\chpsptrt.exe ()
    O4 - HKLM..\Run: [CHIPSStart] C:\WINNT\System32\chpstart.exe ()
    O4 - HKLM..\Run: [TBSysTry] C:\Program Files\UPDD\TBSYSTRY.EXE ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
    O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.43.10 192.168.10.25 192.168.10.21
    O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
    O18 - Protocol\Filter\application/octet-stream - No CLSID value found
    O18 - Protocol\Filter\application/x-complus - No CLSID value found
    O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
    O18 - Protocol\Filter\Class Install Handler - No CLSID value found
    O18 - Protocol\Filter\deflate - No CLSID value found
    O18 - Protocol\Filter\gzip - No CLSID value found
    O18 - Protocol\Filter\lzdhtml - No CLSID value found
    O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2001/04/16 13:04:20 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Nwsapagent - File not found

    Drivers32: aux - C:\WINNT\System32\mmdrv.dll (Microsoft Corporation)
    Drivers32: aux1 - File not found
    Drivers32: aux2 - File not found
    Drivers32: aux3 - File not found
    Drivers32: aux4 - File not found
    Drivers32: aux5 - File not found
    Drivers32: aux6 - File not found
    Drivers32: aux7 - File not found
    Drivers32: aux8 - File not found
    Drivers32: aux9 - File not found
    Drivers32: midi1 - File not found
    Drivers32: midi2 - File not found
    Drivers32: midi3 - File not found
    Drivers32: midi4 - File not found
    Drivers32: midi5 - File not found
    Drivers32: midi6 - File not found
    Drivers32: midi7 - File not found
    Drivers32: midi8 - File not found
    Drivers32: midi9 - File not found
    Drivers32: mixer1 - File not found
    Drivers32: mixer2 - File not found
    Drivers32: mixer3 - File not found
    Drivers32: mixer4 - File not found
    Drivers32: mixer5 - File not found
    Drivers32: mixer6 - File not found
    Drivers32: mixer7 - File not found
    Drivers32: mixer8 - File not found
    Drivers32: mixer9 - File not found
    Drivers32: msacm.iac2 - C:\WINNT\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.lhacm - C:\WINNT\System32\lhacm.acm (Microsoft Corporation)
    Drivers32: msacm.trspch - C:\WINNT\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINNT\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINNT\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINNT\System32\ir32_32.dll ()
    Drivers32: vidc.iv50 - C:\WINNT\System32\ir50_32.dll (Intel Corporation)
    Drivers32: wave1 - File not found
    Drivers32: wave2 - File not found
    Drivers32: wave3 - File not found
    Drivers32: wave4 - File not found
    Drivers32: wave5 - File not found
    Drivers32: wave6 - File not found
    Drivers32: wave7 - File not found
    Drivers32: wave8 - File not found
    Drivers32: wave9 - File not found
    Drivers32: wdmaud.drv - wdmaud.drv File not found
    SystemRestore not available.

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/24 06:43:09 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2010/11/23 07:41:34 | 000,000,000 | ---D | C] -- C:\WINNT\temp
    [2010/11/23 07:28:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
    [2010/11/22 07:19:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
    [2010/11/22 07:19:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
    [2010/11/22 07:19:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
    [2010/11/22 07:19:00 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
    [2010/11/22 07:18:43 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/11/20 10:23:31 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Administrator\Desktop\remover.exe

    ========== Files - Modified Within 30 Days ==========

    [2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2010/11/23 13:26:23 | 000,742,352 | -H-- | M] () -- C:\WINNT\ShellIconCache
    [2010/11/23 08:53:08 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_200.dat
    [2010/11/23 07:52:59 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_204.dat
    [2010/11/23 07:46:56 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
    [2010/11/23 07:20:50 | 000,000,405 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to virus_et_al.lnk
    [2010/11/23 07:02:27 | 003,914,095 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/11/22 07:06:13 | 000,002,626 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
    [2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINNT\MBR.exe

    ========== Files Created - No Company Name ==========

    [2010/11/23 08:53:08 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_200.dat
    [2010/11/23 07:52:59 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_204.dat
    [2010/11/22 07:19:08 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
    [2010/11/22 07:19:08 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
    [2010/11/22 07:19:08 | 000,089,088 | ---- | C] () -- C:\WINNT\MBR.exe
    [2010/11/22 07:19:08 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
    [2010/11/22 07:19:08 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
    [2003/02/27 13:34:42 | 000,000,012 | ---- | C] () -- C:\WINNT\wininit.ini
    [2003/02/27 13:34:40 | 000,261,197 | ---- | C] () -- C:\WINNT\System32\drivers\TBUPDDWD.SYS
    [2003/02/27 13:34:40 | 000,055,304 | ---- | C] () -- C:\WINNT\System32\drivers\TBUPDDMP.SYS
    [2001/04/16 14:24:26 | 000,001,299 | ---- | C] () -- C:\WINNT\System32\Oeminfo.ini
    [2001/04/16 13:02:36 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
    [2001/04/16 07:42:57 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
    [1999/09/25 05:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
    [1999/09/25 05:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
    [1979/12/31 19:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
    [1979/12/31 19:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
    [1979/12/31 19:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
    [1979/12/31 19:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
    [1979/12/31 19:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini

    ========== LOP Check ==========

    [2005/06/28 12:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hagel Technologies

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/02/21 08:29:46 | 000,000,007 | ---- | M] () -- C:\ahs-lab
    [2006/01/10 13:33:21 | 000,737,361 | ---- | M] () -- C:\als.mcs
    [2001/04/16 13:04:20 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT
    [2001/04/17 10:24:41 | 000,000,192 | -HS- | M] () -- C:\boot.ini
    [2001/03/26 06:45:28 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
    [2010/11/23 07:55:09 | 000,004,545 | ---- | M] () -- C:\ComboFix.txt
    [2001/04/16 13:04:20 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS
    [2006/09/11 13:19:20 | 000,737,361 | ---- | M] () -- C:\download_9_11.mcs
    [2001/04/16 13:04:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/09/30 23:46:40 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.46.exe
    [2001/04/16 13:04:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2007/08/23 12:45:32 | 000,034,724 | RHS- | M] () -- C:\NTDETECT.COM
    [2007/08/23 12:45:32 | 000,214,432 | RHS- | M] () -- C:\ntldr
    [2010/11/24 06:27:24 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
    [2006/08/29 07:57:59 | 000,000,000 | ---- | M] () -- C:\pep.txt
    [2005/08/04 12:00:11 | 000,921,654 | ---- | M] () -- C:\piaggio.bmp
    [2008/01/31 11:06:43 | 000,000,012 | ---- | M] () -- C:\pipename.txt
    [2006/08/23 14:51:27 | 000,000,020 | ---- | M] () -- C:\shut.bat
    [2005/02/02 09:35:07 | 000,737,361 | ---- | M] () -- C:\tac_2_2_934.mcs
    [2005/10/04 10:14:43 | 000,737,361 | ---- | M] () -- C:\TAC_PreScanClock_2005104.mcs
    [2005/07/18 14:13:07 | 000,737,361 | ---- | M] () -- C:\tac_pre_20050712.mcs
    [2006/01/09 09:40:08 | 000,737,361 | ---- | M] () -- C:\tac_pre_sscl3.mcs
    [2005/05/06 02:30:56 | 000,155,701 | ---- | M] () -- C:\WinPowerOff.exe

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2001/04/16 13:03:19 | 000,000,067 | -HS- | M] () -- C:\WINNT\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2003/06/19 12:05:04 | 000,006,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\spool\prtprocs\w32x86\sfmpsprt.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2001/04/16 13:02:36 | 000,000,271 | -H-- | M] () -- C:\Program Files\desktop.ini
    [2001/04/16 13:02:36 | 000,021,952 | -H-- | M] () -- C:\Program Files\folder.htt

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2001/04/16 07:39:30 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
    [2001/04/16 07:39:30 | 000,536,576 | ---- | M] () -- C:\WINNT\system32\config\software.sav
    [2001/04/16 07:39:30 | 000,360,448 | ---- | M] () -- C:\WINNT\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2007/08/23 12:53:29 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/11/23 07:02:27 | 003,914,095 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/08/19 12:51:53 | 002,760,756 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Min_scanner.exe
    [2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2010/09/01 15:33:50 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Documents and Settings\Administrator\Desktop\remover.exe
    [2004/07/23 13:40:28 | 045,393,408 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WebPACK_62_fcp_i.exe
    [2005/05/06 02:30:56 | 000,155,701 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WinPowerOff.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [1999/12/07 07:00:00 | 000,000,777 | ---- | M] () -- C:\WINNT\addins\faxext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >
    [1999/12/07 07:00:00 | 000,000,654 | ---- | M] () -- C:\WINNT\Config\general.idf
    [1999/12/07 07:00:00 | 000,000,658 | ---- | M] () -- C:\WINNT\Config\hindered.idf
    [1999/12/07 07:00:00 | 000,000,302 | ---- | M] () -- C:\WINNT\Config\msadlib.idf

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2007/08/23 12:53:29 | 000,000,083 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2007/08/23 12:53:47 | 000,002,338 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/11/24 06:47:44 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2003/06/19 12:05:04 | 000,221,184 | ---- | M] () -- C:\WINNT\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    < End of report >
     
  19. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- %1
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English) v1.0.3705
    "avast!" = avast! Antivirus
    "dumeter3_is1" = DU Meter
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
    "TBUPDD" = Universal Pointer Device Driver
    "Xilinx ISE 6" = Xilinx ISE 6

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 2/5/2004 4:33:10 PM | Computer Name = ALENIA-0-2003 | Source = Userenv | ID = 1000
    Description = Windows cannot unload your registry file. If you have a roaming profile,
    your settings are not replicated. Contact your administrator. DETAIL - Access
    is denied. , Build number ((2195)).

    Error - 8/23/2007 9:07:27 AM | Computer Name = ALENIA-0-2003 | Source = ASP.NET 1.0.3705.0 | ID = 1031
    Description =

    Error - 8/23/2007 9:08:54 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 62
    Description = WMI ADAP was unable to process the .NET CLR Data performance library
    since one of the data blobs reported to have classes but had zero size

    Error - 8/23/2007 9:08:55 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 62
    Description = WMI ADAP was unable to process the .NET CLR Networking performance
    library since one of the data blobs reported to have classes but had zero size

    Error - 8/23/2007 9:10:46 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 37
    Description = WMI ADAP was unable to load the netfxperf.dll performance library
    due to an unknown problem within the library: 0x0

    Error - 8/23/2007 9:10:46 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 37
    Description = WMI ADAP was unable to load the netfxperf.dll performance library
    due to an unknown problem within the library: 0x0

    Error - 8/23/2007 2:25:52 PM | Computer Name = ALENIA-0-2003 | Source = LoadPerf | ID = 3009
    Description = Installing the performance counter strings for .NET CLR Networking
    failed. The Error code is DWORD 0 of the Record Data.

    Error - 8/23/2007 2:25:56 PM | Computer Name = ALENIA-0-2003 | Source = LoadPerf | ID = 3009
    Description = Installing the performance counter strings for .NET CLR Data failed.
    The Error code is DWORD 0 of the Record Data.

    Error - 8/23/2007 2:25:56 PM | Computer Name = ALENIA-0-2003 | Source = LoadPerf | ID = 3009
    Description = Installing the performance counter strings for .NETFramework failed.
    The Error code is DWORD 0 of the Record Data.

    Error - 8/23/2007 4:15:17 PM | Computer Name = ALENIA-0-2003 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
    Description = Faulting application form1.exe, version 0.0.0.0, stamp 46cd7496, faulting
    module kernel32.dll, version 5.0.2195.6688, stamp 3ef274dc, debug? 0, fault address
    0x0000a4e1.

    [ System Events ]
    Error - 6/7/2006 7:11:41 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/8/2006 7:03:32 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/9/2006 7:23:30 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/9/2006 12:08:13 PM | Computer Name = ALENIA-0-2003 | Source = MRxSmb | ID = 8003
    Description = The master browser has received a server announcement from the computer
    DILWORTH that believes that it is the master browser for the domain on transport
    NetBT_Tcpip_{E82024DE-0A46-46EF-. The master browser is stopping or an election
    is being forced.

    Error - 6/12/2006 7:03:51 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/13/2006 7:12:19 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/14/2006 7:42:31 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/15/2006 7:13:25 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/16/2006 7:21:08 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia

    Error - 6/19/2006 7:11:22 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Pcmcia


    < End of report >
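The "Shell Spawning" section of the OTL report above lists the registry command each file class runs; malware commonly rewrites these handlers to insert itself. The following is an added check, not part of the thread or of OTL, that parses that section and flags handlers differing from the stock commands; the expected values and both sample logs are constructed assumptions.

```python
import re

# Stock handler commands for the associations a hijack most often rewrites
# (assumed values, matching a clean OTL report of this Windows version).
EXPECTED = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}

# "<class> [<verb>] -- <command> (<signer>)"; the trailing signer is optional.
LINE_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*?)(?: \([^()]*\))?$")


def parse_shell_spawning(log_text):
    """Return {(class, verb): command} from the Shell Spawning section only."""
    handlers = {}
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("========== "):
            in_section = stripped == "========== Shell Spawning =========="
            continue
        m = LINE_RE.match(stripped) if in_section else None
        if m:
            handlers[(m.group(1), m.group(2))] = m.group(3)
    return handlers


def find_hijacked(handlers):
    """Return [(class, verb, actual_command)] for handlers that differ from stock."""
    return [(cls, verb, handlers[(cls, verb)])
            for (cls, verb) in sorted(EXPECTED)
            if (cls, verb) in handlers and handlers[(cls, verb)] != EXPECTED[(cls, verb)]]


# Constructed samples: a clean report and one with a rewritten exefile handler.
CLEAN_LOG = r"""========== Shell Spawning ==========
exefile [open] -- "%1" %*
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
========== Security Center Settings ==========
exefile [open] -- this line is outside the section and must be ignored
"""
HIJACKED_LOG = CLEAN_LOG.replace('exefile [open] -- "%1" %*',
                                 r'exefile [open] -- C:\placeholder\unknown.exe "%1" %*')

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("hijacked", HIJACKED_LOG)):
        print(name, find_hijacked(parse_shell_spawning(log)))
```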
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Win 2K could use a little bit more RAM. 256MB maybe...

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  21. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    I'm at 'grandma's house' for the holiday. I'll pick this up Tuesday.

    Al
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    OK....................
     
  23. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    I'd like to omit the Java stuff on this computer.

    All processes killed
    ========== OTL ==========
    File Animation Java Classes file://C:\WINNT\Java\classes\dajava.cab not found.
    Starting removal of ActiveX control DirectAnimation Java Classes
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
    File oft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1431991 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Scott
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: shell32.dll unable to determine bytes removed.

    Total Files Cleaned = 1.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: Scott

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.3 log created on 11302010_065944

    Files\Folders moved on Reboot...
    File\Folder C:\WINNT\temp\_avast4_\Webshlock.txt not found!

    Registry entries deleted on Reboot...
     
  24. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    Results of screen317's Security Check version 0.99.5
    Windows 2000 Service Pack 4
    Internet Explorer 5 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    avast! Antivirus
    avast! successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast4 aswUpdSv.exe
    Alwil Software Avast4 ashServ.exe
    Alwil Software Avast4 ashDisp.exe
    Alwil Software Avast4 ashMaiSv.exe
    Alwil Software Avast4 ashWebSv.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    nslookup.exe missing!
    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  25. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    For some reason I am unable to start the scan at ESET. The page opens and I click the 'ESET online scanner' button, but the page just re-opens. Is there an alternative way to run that scan?
     
Topic Status:
Not open for further replies.
