Trojan Inside?[INACTIVE]

maulej · July 16, 2009

Hello, my computer seems to have trojan inside, which sedns spam to the world. Well in fact its one of the three computers, which can have the trojan inside.

Cloud you please help?

Here is a log from OTL:

OTL logfile created on: 16.7.2009 18:56:11 - Run 2

OTL by OldTimer - Version 3.0.6.5 Folder = D:\Progz\anti trojan

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

1023,49 Mb Total Physical Memory | 143,25 Mb Available Physical Memory | 14,00% Memory free

2,08 Gb Paging File | 1,17 Gb Available in Paging File | 56,51% Paging File free

Paging file location(s): D:\pagefile.sys 1200 1600 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 14,65 Gb Total Space | 3,66 Gb Free Space | 25,02% Space Free | Partition Type: NTFS

Drive D: | 134,39 Gb Total Space | 123,21 Gb Free Space | 91,68% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 3,72 Gb Total Space | 2,11 Gb Free Space | 56,57% Space Free | Partition Type: FAT32

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive Z: | 298,09 Gb Total Space | 118,91 Gb Free Space | 39,89% Space Free | Partition Type: NTFS

Computer Name: ARJUNA

Current User Name: jan.maule

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\Ati2evxx.exe (ATI Technologies Inc.)

PRC - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ()

PRC - C:\WINDOWS\System32\Ati2evxx.exe (ATI Technologies Inc.)

PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)

PRC - C:\Program Files\NDAS\System\ndassvc.exe (XIMETA, Inc.)

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)

PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

PRC - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ()

PRC - C:\Program Files\PicPick\picpick.exe ()

PRC - C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe (Google Inc.)

PRC - C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\Google\Update\1.2.183.7\GoogleCrashHandler.exe (Google Inc.)

PRC - C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE (Microsoft Corporation)

PRC - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

PRC - C:\totalcmd\TOTALCMD.EXE (C. Ghisler & Co.)

PRC - C:\Program Files\Microsoft Office\Office12\WINWORD.EXE (Microsoft Corporation)

PRC - C:\Program Files\MWSnap\MWSnap.exe (Mirek Wojtowicz)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

PRC - D:\Progz\anti trojan\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)

SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\System32\Ati2evxx.exe (ATI Technologies Inc.)

SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\System32\ati2sgag.exe ()

SRV - (cmdAgent [Auto | Running]) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ()

SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)

SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

SRV - (Lavasoft Ad-Aware Service [On_Demand | Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)

SRV - (ndassvc [Auto | Running]) -- C:\Program Files\NDAS\System\ndassvc.exe (XIMETA, Inc.)

SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)

SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)

DRV - (BANTExt [system | Running]) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()

DRV - (cmdGuard [system | Running]) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys (COMODO)

DRV - (cmdHlp [system | Running]) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys (COMODO)

DRV - (cmuda [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\cmuda.sys (C-Media Inc)

DRV - (ctljystk [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys (Creative Technology Ltd.)

DRV - (CTSYN [system | Running]) -- C:\WINDOWS\System32\drivers\CTSYN.SYS (Creative Technology Ltd.)

DRV - (EMU10K1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\EMU10K1.SYS (Creative Technology Ltd.)

DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)

DRV - (Inspect [boot | Running]) -- C:\WINDOWS\System32\DRIVERS\inspect.sys (COMODO)

DRV - (Lbd [boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)

DRV - (lfsfilt [system | Running]) -- C:\WINDOWS\System32\DRIVERS\lfsfilt.sys (XIMETA, Inc.)

DRV - (lpx [boot | Running]) -- C:\WINDOWS\system32\DRIVERS\lpx.sys (XIMETA, Inc.)

DRV - (ndasbus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ndasbus.sys (XIMETA, Inc.)

DRV - (ndasscsi [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ndasscsi.sys (XIMETA, Inc.)

DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)

DRV - (PxHelp20 [boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (rtl8139 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)

DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (SFMAN [system | Running]) -- C:\WINDOWS\System32\drivers\SFMAN.SYS (Creative Technology Ltd.)

DRV - (ss_bus [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ss_bus.sys (MCCI Corporation)

DRV - (ss_mdfl [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys (MCCI Corporation)

DRV - (ss_mdm [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ss_mdm.sys (MCCI Corporation)

DRV - (StarOpen [system | Running]) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()

DRV - (MBAMSwissArmy [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.cz

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.cz

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.cz

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "QIP Search"

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525

FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.29

FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5

FF - prefs.js..keyword.URL: "http://search.qip.ru/search?from=FF&query="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009.07.09 15:17:20 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009.07.09 15:17:19 | 00,000,000 | ---D | M]

[2008.08.26 13:29:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Extensions

[2008.08.26 13:29:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2008.04.21 09:51:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Firefox\Profiles\vfajqp6q.default\extensions

[2009.07.16 13:58:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Firefox\Profiles\ww4z7m3q.default\extensions

[2009.06.09 08:18:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Firefox\Profiles\ww4z7m3q.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

[2009.06.09 08:18:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Firefox\Profiles\ww4z7m3q.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

[2009.07.02 15:24:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\mozilla\Firefox\Profiles\ww4z7m3q.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

[2009.06.15 11:20:09 | 00,002,061 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\Mozilla\FireFox\Profiles\ww4z7m3q.default\searchplugins\qipsearch.xml

[2008.09.24 15:16:15 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions

[2009.07.09 15:17:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009.06.24 16:12:15 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll

[2009.06.24 16:12:15 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll

[2009.06.24 16:12:15 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll

[2006.10.26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL

[2007.05.10 22:52:00 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll

[2009.06.24 14:08:36 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml

[2009.06.24 14:08:36 | 00,000,638 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\jyxo-cz.xml

[2009.06.24 14:08:36 | 00,001,687 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\mall-cz.xml

[2009.06.24 14:08:36 | 00,001,367 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\seznam-cz.xml

[2009.06.24 14:08:36 | 00,000,654 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\slunecnice-cz.xml

[2009.06.24 14:08:36 | 00,001,179 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-cz.xml

O1 HOSTS File: (737 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Podpora odkazu pro Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)

O4 - HKLM..\Run: [Cmaudio] File not found

O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ()

O4 - HKLM..\Run: [PicPick Start] C:\Program Files\PicPick\picpick.exe ()

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe (Google Inc.)

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] File not found

O4 - Startup: C:\Documents and Settings\jan.maule.ATTAVENA\Nabídka Start\Programy\Po spuštění\deník 2008.lnk = Z:\Atta_admin_deniky\1_interni\denik_Maule_Jan.xls ()

O4 - Startup: C:\Documents and Settings\jan.maule.ATTAVENA\Nabídka Start\Programy\Po spuštění\Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\jan.maule.ATTAVENA\Nabídka Start\Programy\Po spuštění\Zástupce - TOTALCMD.lnk = C:\totalcmd\TOTALCMD.EXE (C. Ghisler & Co.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskmgr = 0

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE File not found

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: certicon.cz ([waset] https in Trusted sites)

O15 - HKCU\..Trusted Domains: jcu.cz ([menza] https in Trusted sites)

O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab (Creative Software AutoUpdate)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1201881588638 (WUWebControl Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/softwareupdate/su/...15034/CTPID.cab (Creative Software AutoUpdate Support Package)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.253.240 192.168.253.1 160.217.1.10

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = attavena.local

O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop Components:0 (Aktuální domovská stránka) - About:Home

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008.02.01 17:07:11 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2008.04.14 08:49:20 | 00,030,720 | ---- | M] () - D:\Automatická archivace.doc -- [ NTFS ]

O33 - MountPoints2\{06c46914-d339-11dc-808a-000d616f5eea}\Shell - "" = AutoRun

O33 - MountPoints2\{3953ed82-ded0-11dc-80ae-000d616f5eea}\Shell\AutoRun\command - "" = F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe -- File not found

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

NetSvcs: 6to4 - Service key not found. File not found

NetSvcs: Ias - Service key not found. File not found

NetSvcs: Iprip - Service key not found. File not found

NetSvcs: Irmon - Service key not found. File not found

NetSvcs: NWCWorkstation - Service key not found. File not found

NetSvcs: Nwsapagent - Service key not found. File not found

NetSvcs: WmdmPmSp - Service key not found. File not found

NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe - (Adobe Systems, Inc.)

MsConfig - StartUpFolder: C:^Documents and Settings^jan.maule.ATTAVENA^Nabídka Start^Programy^Po spuštění^hott notes 4.lnk - C:\Program Files\Hotnotes\hottnotes.exe - (by Joel Riley)

MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe (Google Inc.)

MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

MsConfig - StartUpReg: OpwareSE4 - hkey= - key= - C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe File not found

MsConfig - StartUpReg: SSBkgdUpdate - hkey= - key= - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe File not found

MsConfig - State: "system.ini" - 0

MsConfig - State: "win.ini" - 0

MsConfig - State: "bootini" - 0

MsConfig - State: "services" - 0

MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group

SafeBootMin: Boot Bus Extender - Driver Group

SafeBootMin: Boot file system - Driver Group

SafeBootMin: File system - Driver Group

SafeBootMin: Filter - Driver Group

SafeBootMin: HelpSvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

SafeBootMin: PCI Configuration - Driver Group

SafeBootMin: PNP Filter - Driver Group

SafeBootMin: Primary disk - Driver Group

SafeBootMin: SCSI Class - Driver Group

SafeBootMin: sermouse.sys - Driver

SafeBootMin: System Bus Extender - Driver Group

SafeBootMin: vds - Service

SafeBootMin: vga.sys - Driver

SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group

SafeBootNet: Boot Bus Extender - Driver Group

SafeBootNet: Boot file system - Driver Group

SafeBootNet: File system - Driver Group

SafeBootNet: Filter - Driver Group

SafeBootNet: HelpSvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

SafeBootNet: NDIS Wrapper - Driver Group

SafeBootNet: NetBIOSGroup - Driver Group

SafeBootNet: NetDDEGroup - Driver Group

SafeBootNet: Network - Driver Group

SafeBootNet: NetworkProvider - Driver Group

SafeBootNet: PCI Configuration - Driver Group

SafeBootNet: PNP Filter - Driver Group

SafeBootNet: PNP_TDI - Driver Group

SafeBootNet: Primary disk - Driver Group

SafeBootNet: SCSI Class - Driver Group

SafeBootNet: sermouse.sys - Driver

SafeBootNet: Streams Drivers - Driver Group

SafeBootNet: System Bus Extender - Driver Group

SafeBootNet: TDI - Driver Group

SafeBootNet: vga.sys - Driver

SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net

SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient

SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService

SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans

SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vykreslování vektorové grafiky (VML)

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow

ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4

ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation

ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Datové vazby jazyka DHTML pro jazyk Java

ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack

ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe

ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)

ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Vylepšené vytváření obsahu

ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow

ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx

ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help

ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - Třídy DirectAnimation jazyka Java

ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6

ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Aktualizace zabezpečení systému Windows XP (KB923789)

ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW

ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools

ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements

ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player

ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access

ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders

ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

ActiveX: {8D1D0E9A-C799-4D28-9E29-0061D1E66E43} - Microsoft .NET Framework 1.1 Hotfix (KB928366)

ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding

ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts

ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework

ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Plánovač úloh

ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1

ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player

ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help

ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface

ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe

ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP

ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: midi1 - C:\WINDOWS\System32\ctmm32.dll (Creative Technology Ltd.)

Drivers32: midi2 - C:\WINDOWS\System32\ctsyn32.dll (Creative Technology Ltd.)

Drivers32: mixer1 - C:\WINDOWS\System32\ctmm32.dll (Creative Technology Ltd.)

Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

Drivers32: wave1 - C:\WINDOWS\System32\ctmm32.dll (Creative Technology Ltd.)

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]

[2009.07.16 18:25:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jan.maule.ATTAVENA\Data aplikací\Malwarebytes

[2009.07.16 18:25:45 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Plocha\Malwarebytes' Anti-Malware.lnk

[2009.07.16 18:25:42 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009.07.16 18:25:39 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009.07.16 18:25:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Data aplikací\Malwarebytes

[2009.07.16 18:25:33 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009.07.15 10:21:29 | 00,001,037 | ---- | C] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\Zástupce - Interactive - Word 2003 to Word 2007 command reference.lnk

[2009.07.14 18:01:15 | 00,000,272 | ---- | C] () -- C:\WINDOWS\tasks\LOGINquiry4 Task.job

[2009.07.14 18:01:10 | 00,000,270 | ---- | C] () -- C:\WINDOWS\tasks\LOGINsert4 Task.job

[2009.07.14 17:59:21 | 00,000,000 | ---D | C] -- C:\Program Files\LOGIN

[2009.07.10 14:35:26 | 00,000,000 | ---D | C] -- C:\Rooter$

[2009.07.10 13:22:23 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\HijackThis.lnk

[2009.07.10 13:22:22 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009.07.10 11:37:31 | 00,044,871 | ---- | C] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\trojan-recovery.pdf

[2009.07.10 11:15:14 | 00,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI

[2009.07.09 15:17:23 | 00,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Plocha\Mozilla Firefox.lnk

[2009.07.08 18:08:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\COMODO

[2009.07.08 17:44:07 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up

[2009.07.08 17:22:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Data aplikací\Adobe

[2009.07.08 13:19:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\PCHealth

[2009.07.02 16:49:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jan.maule.ATTAVENA\Dokumenty\My Practice Files

[2009.07.02 16:33:33 | 00,000,000 | ---D | C] -- C:\Program Files\Interaktivní ref prirucka

[2009.07.02 09:03:49 | 00,000,474 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{88B2D51F-FCD0-4E11-A9B4-5FBB20441E43}.job

[2009.07.01 14:49:56 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll

[2009.07.01 14:49:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2009.07.01 14:47:58 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll

[2009.07.01 14:47:58 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll

[2009.07.01 14:47:49 | 00,000,873 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf

[2009.07.01 14:44:56 | 00,026,144 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.exe

[2009.07.01 14:43:07 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2009.06.23 16:37:27 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\HW SW nové projekty.xls

[2009.06.17 11:48:35 | 00,000,798 | ---- | C] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Nabídka Start\Programy\Po spuštění\Microsoft Office Outlook.lnk

[2009.06.17 11:08:08 | 00,000,134 | ---- | C] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\Poradce při potížích s aplikací Internet Explorer.url

[2009.05.28 09:19:15 | 00,168,208 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll

[2009.01.30 13:53:15 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys

[2008.11.11 11:50:38 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll

[2008.09.01 11:36:09 | 00,000,259 | ---- | C] () -- C:\WINDOWS\posta2.ini

[2008.05.26 22:22:14 | 00,015,552 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2008.05.26 22:22:10 | 00,021,464 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2008.05.26 22:22:04 | 00,014,910 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2008.04.02 16:23:52 | 00,000,283 | ---- | C] () -- C:\WINDOWS\SBWIN.INI

[2008.04.02 16:20:49 | 00,017,408 | ---- | C] () -- C:\WINDOWS\UnInstall.dll

[2008.04.02 16:20:49 | 00,000,028 | ---- | C] () -- C:\WINDOWS\CTDelLau.INI

[2008.02.04 20:38:13 | 00,000,034 | ---- | C] () -- C:\WINDOWS\barcode.ini

[2008.02.04 20:36:29 | 00,112,688 | ---- | C] () -- C:\WINDOWS\System32\shw32.dll

[2008.02.04 20:21:00 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini

[2008.02.04 20:09:25 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini

[2008.02.04 20:09:14 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll

[2008.02.04 17:54:10 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys

[2008.02.03 21:39:22 | 00,000,560 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini

[2008.02.01 18:24:02 | 00,006,307 | ---- | C] () -- C:\WINDOWS\wincmd.ini

[2008.02.01 17:50:47 | 00,000,390 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005.10.14 12:56:50 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2005.10.14 12:56:50 | 00,921,600 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll

[2005.10.14 12:56:50 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2005.10.14 12:56:50 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll

[2005.10.14 12:56:50 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll

[2005.10.14 12:56:50 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll

[2005.10.14 12:56:50 | 00,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2005.10.14 12:56:50 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

[2005.10.14 12:56:48 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\MMSwitch.dll

[2004.08.18 14:00:00 | 00,000,624 | ---- | C] () -- C:\WINDOWS\win.ini

[2004.08.18 14:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2003.02.18 19:26:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll

[1996.04.03 21:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]

[4 C:\WINDOWS\*.tmp files]

[2009.07.16 19:00:09 | 00,000,474 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{88B2D51F-FCD0-4E11-A9B4-5FBB20441E43}.job

[2009.07.16 18:57:15 | 01,474,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat

[2009.07.16 18:25:45 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Plocha\Malwarebytes' Anti-Malware.lnk

[2009.07.16 15:10:17 | 00,006,307 | ---- | M] () -- C:\WINDOWS\wincmd.ini

[2009.07.16 08:27:54 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009.07.16 08:27:28 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009.07.16 08:27:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009.07.15 18:12:01 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2009.07.15 10:21:29 | 00,001,037 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\Zástupce - Interactive - Word 2003 to Word 2007 command reference.lnk

[2009.07.14 18:01:15 | 00,000,272 | ---- | M] () -- C:\WINDOWS\tasks\LOGINquiry4 Task.job

[2009.07.14 18:01:10 | 00,000,270 | ---- | M] () -- C:\WINDOWS\tasks\LOGINsert4 Task.job

[2009.07.14 12:42:00 | 00,000,560 | ---- | M] () -- C:\WINDOWS\wcx_ftp.ini

[2009.07.13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009.07.13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009.07.13 09:53:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2009.07.10 13:22:28 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\HijackThis.lnk

[2009.07.10 11:37:31 | 00,044,871 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\trojan-recovery.pdf

[2009.07.10 11:15:14 | 00,000,130 | ---- | M] () -- C:\WINDOWS\cfplogvw.INI

[2009.07.09 15:17:23 | 00,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Plocha\Mozilla Firefox.lnk

[2009.07.09 12:20:14 | 00,086,512 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\GDIPFONTCACHEV1.DAT

[2009.07.09 08:55:34 | 00,387,424 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2009.07.08 17:51:00 | 00,000,624 | ---- | M] () -- C:\WINDOWS\win.ini

[2009.07.07 17:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

[2009.07.01 14:47:49 | 00,000,873 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf

[2009.07.01 12:03:14 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009.07.01 12:03:14 | 00,000,211 | -HS- | M] () -- C:\boot.ini

[2009.06.29 09:10:09 | 00,000,134 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\Poradce při potížích s aplikací Internet Explorer.url

[2009.06.23 16:49:52 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Plocha\HW SW nové projekty.xls

[2009.06.17 11:48:35 | 00,000,798 | ---- | M] () -- C:\Documents and Settings\jan.maule.ATTAVENA\Nabídka Start\Programy\Po spuštění\Microsoft Office Outlook.lnk

========== Custom Scans ==========

< %systemroot%\System32\antiwpa.dll >

< %systemroot%\SYSTEM32\wpa.dll >

< %systemroot%\setup\scripts\biestart.exe >

< %systemroot%\system32\drivers\royal.sys >

< %systemroot%\system32\oobe\AntiWPA_Crypt.dll >

< %TEMP%\antiwpa_crypt.dll >

< %TEMP%\antiwpa.dll /s >

< %PROGRAMFILES%\antiwpa.dll /s >

< %systemroot%\system32\crypt.dll >

< %TEMP%\crypt.dll >

< %SYSTEMDRIVE%\*. >

[2008.02.04 18:09:15 | 00,000,000 | ---D | M] -- C:\ATI

[2009.07.08 16:50:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings

[2008.02.01 17:40:46 | 00,000,000 | RH-D | M] -- C:\MSOCache

[2009.07.16 18:25:33 | 00,000,000 | R--D | M] -- C:\Program Files

[2008.07.30 16:45:29 | 00,000,000 | -HSD | M] -- C:\RECYCLER

[2009.07.10 14:35:26 | 00,000,000 | ---D | M] -- C:\Rooter$

[2008.02.01 17:11:13 | 00,000,000 | -HSD | M] -- C:\System Volume Information

[2008.05.30 12:08:52 | 00,000,000 | ---D | M] -- C:\temp

[2009.01.22 12:13:39 | 00,000,000 | ---D | M] -- C:\totalcmd

[2009.07.16 08:27:52 | 00,000,000 | ---D | M] -- C:\WINDOWS

< %SYSTEMDRIVE%\*.* >

[2008.05.23 11:04:48 | 00,177,079 | ---- | M] () -- C:\4čtv.pdf

[2009.07.16 08:27:19 | 00,018,812 | ---- | M] () -- C:\aaw7boot.log

[2008.02.01 17:07:11 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2009.07.01 12:03:14 | 00,000,211 | -HS- | M] () -- C:\boot.ini

[2004.08.18 14:00:00 | 00,004,952 | RHS- | M] () -- C:\Bootfont.bin

[2008.02.01 17:07:11 | 00,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2008.02.01 17:07:11 | 00,000,000 | RHS- | M] () -- C:\IO.SYS

[2008.02.01 17:07:11 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2004.08.18 14:00:00 | 00,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2008.05.21 19:01:10 | 00,250,576 | RHS- | M] () -- C:\ntldr

< %PROGRAMFILES%\*. >

[2009.07.16 18:25:33 | 00,000,000 | R--D | M] -- C:\Program Files

[2009.03.25 10:48:02 | 00,000,000 | ---D | M] -- C:\Program Files\ABC

[2008.07.02 07:53:58 | 00,000,000 | ---D | M] -- C:\Program Files\Adobe

[2008.02.04 20:03:22 | 00,000,000 | ---D | M] -- C:\Program Files\Alwil Software

[2008.02.26 11:51:25 | 00,000,000 | ---D | M] -- C:\Program Files\Astonsoft

[2008.02.04 18:40:23 | 00,000,000 | ---D | M] -- C:\Program Files\ATI Technologies

[2008.03.25 12:14:11 | 00,000,000 | ---D | M] -- C:\Program Files\ATnotes

[2008.02.04 20:09:25 | 00,000,000 | ---D | M] -- C:\Program Files\AvRack

[2008.02.04 17:54:10 | 00,000,000 | ---D | M] -- C:\Program Files\Belarc

[2008.06.16 11:38:59 | 00,000,000 | ---D | M] -- C:\Program Files\CamStudio

[2008.02.03 21:18:29 | 00,000,000 | ---D | M] -- C:\Program Files\Canon

[2008.02.03 21:18:02 | 00,000,000 | -H-D | M] -- C:\Program Files\CanonBJ

[2008.02.04 19:15:47 | 00,000,000 | ---D | M] -- C:\Program Files\Codec Pack - All In 1

[2009.07.14 17:59:21 | 00,000,000 | ---D | M] -- C:\Program Files\Common Files

[2009.05.28 09:19:10 | 00,000,000 | ---D | M] -- C:\Program Files\COMODO

[2008.02.01 17:03:38 | 00,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications

[2008.02.04 20:42:25 | 00,000,000 | ---D | M] -- C:\Program Files\Corel

[2008.04.02 16:32:31 | 00,000,000 | ---D | M] -- C:\Program Files\Creative

[2008.07.18 07:22:50 | 00,000,000 | ---D | M] -- C:\Program Files\Drawing for Children

[2008.09.21 18:02:30 | 00,000,000 | ---D | M] -- C:\Program Files\EZ Label Xpress

[2008.12.08 11:53:52 | 00,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0

[2009.03.06 15:40:39 | 00,000,000 | ---D | M] -- C:\Program Files\Google

[2008.12.19 12:28:58 | 00,000,000 | ---D | M] -- C:\Program Files\Hotnotes

[2009.01.30 13:59:45 | 00,000,000 | -H-D | M] -- C:\Program Files\Installshield Installation Information

[2009.07.02 16:33:33 | 00,000,000 | ---D | M] -- C:\Program Files\Interaktivní ref prirucka

[2009.07.02 08:45:54 | 00,000,000 | ---D | M] -- C:\Program Files\Internet Explorer

[2009.03.30 09:51:28 | 00,000,000 | ---D | M] -- C:\Program Files\Lavasoft

[2009.07.14 17:59:21 | 00,000,000 | ---D | M] -- C:\Program Files\LOGIN

[2009.07.08 16:41:13 | 00,000,000 | ---D | M] -- C:\Program Files\Macromedia

[2009.07.16 18:25:47 | 00,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware

[2008.08.14 11:12:21 | 00,000,000 | ---D | M] -- C:\Program Files\Messenger

[2008.03.14 16:40:01 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft

[2008.02.04 20:16:59 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft Bootvis

[2009.06.11 19:03:06 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2

[2008.02.01 17:07:37 | 00,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage

[2009.06.11 10:49:13 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft Office

[2009.06.12 08:19:14 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight

[2008.02.01 17:49:30 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio

[2009.07.02 17:14:49 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft Works

[2009.06.11 10:48:09 | 00,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET

[2008.02.05 11:00:49 | 00,000,000 | ---D | M] -- C:\Program Files\MirandaPack

[2008.05.21 19:04:53 | 00,000,000 | ---D | M] -- C:\Program Files\Movie Maker

[2009.07.16 10:38:02 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox

[2009.06.11 10:49:28 | 00,000,000 | ---D | M] -- C:\Program Files\MSBuild

[2009.07.08 17:42:46 | 00,000,000 | ---D | M] -- C:\Program Files\MSECache

[2008.02.01 17:03:15 | 00,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone

[2008.02.04 17:48:57 | 00,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0

[2008.04.18 11:58:31 | 00,000,000 | ---D | M] -- C:\Program Files\MWSnap

[2008.02.01 18:27:02 | 00,000,000 | ---D | M] -- C:\Program Files\NDAS

[2008.05.21 19:02:53 | 00,000,000 | ---D | M] -- C:\Program Files\NetMeeting

[2008.11.18 11:47:07 | 00,000,000 | ---D | M] -- C:\Program Files\Nvu

[2008.02.01 17:05:29 | 00,000,000 | ---D | M] -- C:\Program Files\Online Services

[2008.05.21 19:02:50 | 00,000,000 | ---D | M] -- C:\Program Files\Outlook Express

[2008.11.11 11:51:11 | 00,000,000 | ---D | M] -- C:\Program Files\PDFCreator

[2009.07.08 13:41:52 | 00,000,000 | ---D | M] -- C:\Program Files\PicPick

[2009.02.15 18:21:37 | 00,000,000 | ---D | M] -- C:\Program Files\Pošta a kancelář 2

[2009.01.20 12:30:16 | 00,000,000 | ---D | M] -- C:\Program Files\PSPad editor

[2009.06.15 11:20:13 | 00,000,000 | ---D | M] -- C:\Program Files\QIP

[2008.02.04 20:09:20 | 00,000,000 | ---D | M] -- C:\Program Files\Realtek AC97

[2008.02.04 20:09:25 | 00,000,000 | ---D | M] -- C:\Program Files\Realtek Sound Manager

[2009.01.30 13:59:46 | 00,000,000 | ---D | M] -- C:\Program Files\Samsung

[2008.07.18 07:22:18 | 00,000,000 | ---D | M] -- C:\Program Files\SDAKAR STUDIO

[2008.09.24 13:23:12 | 00,000,000 | ---D | M] -- C:\Program Files\SiMoCo

[2008.09.24 16:18:30 | 00,000,000 | ---D | M] -- C:\Program Files\Skype

[2008.12.17 12:40:14 | 00,000,000 | ---D | M] -- C:\Program Files\SpamBayes

[2008.04.21 10:55:51 | 00,000,000 | ---D | M] -- C:\Program Files\SpeedFan

[2009.07.10 13:22:22 | 00,000,000 | ---D | M] -- C:\Program Files\Trend Micro

[2008.02.01 17:38:31 | 00,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information

[2009.06.11 19:01:25 | 00,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search

[2009.07.08 17:44:07 | 00,000,000 | ---D | M] -- C:\Program Files\Windows Installer Clean Up

[2008.02.01 18:36:35 | 00,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2

[2008.05.21 19:02:51 | 00,000,000 | ---D | M] -- C:\Program Files\Windows Media Player

[2008.05.21 19:02:50 | 00,000,000 | ---D | M] -- C:\Program Files\Windows NT

[2008.02.01 17:05:34 | 00,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate

[2009.05.25 13:02:01 | 00,000,000 | ---D | M] -- C:\Program Files\WonderWebWare Template Shaker

[2008.02.01 17:07:37 | 00,000,000 | ---D | M] -- C:\Program Files\xerox

[2008.02.05 12:43:26 | 00,000,000 | ---D | M] -- C:\Program Files\XnView

[2008.09.21 18:01:53 | 00,000,000 | ---D | M] -- C:\Program Files\xpress

[2008.07.18 07:22:07 | 00,000,000 | ---D | M] -- C:\Program Files\Zacek v1.2

[2009.07.08 16:44:01 | 00,000,000 | ---D | M] -- C:\Program Files\Zoner

< End of report >

Rorschach112 · July 16, 2009

have you posted anywhere else

Download RootRepeal.zip or from here and unzip it to your Desktop.

Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
- Processes
- Hidden Services
[*]Click the OK button
[*]In the next dialog, select your main drive, usually C:\
[*]Click OK to start the scan
Note: The scan can take some time.
DO NOT
run any other programs while the scan is running
[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
[*]Post that log in your topic

maulej · July 17, 2009

Hello, I followed your instructions, but I couldnt do this (because I couldnt find the dialog):

# In the next dialog, select your main drive, usually C:\

# Click OK to start the scan

All id did was just this:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/17 11:37

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

==EOF==

But I am sending other report which can be usefull I hope:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/17 11:32

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

Processes

-------------------

Path: System

PID: 4 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 288 Status: -

Path: C:\WINDOWS\system32\searchindexer.exe

PID: 296 Status: -

Path: C:\WINDOWS\system32\smss.exe

PID: 592 Status: -

Path: C:\WINDOWS\system32\csrss.exe

PID: 656 Status: -

Path: C:\WINDOWS\system32\winlogon.exe

PID: 688 Status: -

Path: C:\WINDOWS\system32\services.exe

PID: 736 Status: -

Path: C:\WINDOWS\system32\lsass.exe

PID: 748 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe

PID: 928 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 948 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1004 Status: -

Path: C:\WINDOWS\system32\alg.exe

PID: 1048 Status: -

Path: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

PID: 1072 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1128 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe

PID: 1200 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1288 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1360 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe

PID: 1440 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1724 Status: -

Path: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

PID: 1808 Status: -

Path: C:\Program Files\NDAS\System\ndassvc.exe

PID: 1940 Status: -

Path: C:\WINDOWS\explorer.exe

PID: 2588 Status: -

Path: C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

PID: 3144 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe

PID: 3168 Status: -

Path: C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe

PID: 3192 Status: -

Path: C:\Program Files\Mozilla Firefox\firefox.exe

PID: 3232 Status: -

Path: D:\Progz\PC Tools\RootRepeal\RootRepeal.exe

PID: 3260 Status: -

Path: C:\Documents and Settings\jan.maule.ATTAVENA\Local Settings\Data aplikací\Google\Update\1.2.183.7\GoogleCrashHandler.exe

PID: 3356 Status: -

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/17 11:33

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

SSDT

-------------------

#: 000 Function Name: NtAcceptConnectPort

Status: Not hooked

#: 001 Function Name: NtAccessCheck

Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm

Status: Not hooked

#: 003 Function Name: NtAccessCheckByType

Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm

Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList

Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm

Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle

Status: Not hooked

#: 008 Function Name: NtAddAtom

Status: Not hooked

#: 009 Function Name: NtAddBootEntry

Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken

Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714f68

#: 012 Function Name: NtAlertResumeThread

Status: Not hooked

#: 013 Function Name: NtAlertThread

Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId

Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages

Status: Not hooked

#: 016 Function Name: NtAllocateUuids

Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory

Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame

Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject

Status: Not hooked

#: 020 Function Name: NtCallbackReturn

Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest

Status: Not hooked

#: 022 Function Name: NtCancelIoFile

Status: Not hooked

#: 023 Function Name: NtCancelTimer

Status: Not hooked

#: 024 Function Name: NtClearEvent

Status: Not hooked

#: 025 Function Name: NtClose

Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm

Status: Not hooked

#: 027 Function Name: NtCompactKeys

Status: Not hooked

#: 028 Function Name: NtCompareTokens

Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort

Status: Not hooked

#: 030 Function Name: NtCompressKey

Status: Not hooked

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714472

#: 032 Function Name: NtContinue

Status: Not hooked

#: 033 Function Name: NtCreateDebugObject

Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject

Status: Not hooked

#: 035 Function Name: NtCreateEvent

Status: Not hooked

#: 036 Function Name: NtCreateEventPair

Status: Not hooked

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714b0c

#: 038 Function Name: NtCreateIoCompletion

Status: Not hooked

#: 039 Function Name: NtCreateJobObject

Status: Not hooked

#: 040 Function Name: NtCreateJobSet

Status: Not hooked

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7154e4

#: 042 Function Name: NtCreateMailslotFile

Status: Not hooked

#: 043 Function Name: NtCreateMutant

Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile

Status: Not hooked

#: 045 Function Name: NtCreatePagingFile

Status: Not hooked

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714150

#: 047 Function Name: NtCreateProcess

Status: Not hooked

#: 048 Function Name: NtCreateProcessEx

Status: Not hooked

#: 049 Function Name: NtCreateProfile

Status: Not hooked

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7161f0

#: 051 Function Name: NtCreateSemaphore

Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7164c8

#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa713d16

#: 054 Function Name: NtCreateTimer

Status: Not hooked

#: 055 Function Name: NtCreateToken

Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort

Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess

Status: Not hooked

#: 058 Function Name: NtDebugContinue

Status: Not hooked

#: 059 Function Name: NtDelayExecution

Status: Not hooked

#: 060 Function Name: NtDeleteAtom

Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry

Status: Not hooked

#: 062 Function Name: NtDeleteFile

Status: Not hooked

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa71514e

#: 064 Function Name: NtDeleteObjectAuditAlarm

Status: Not hooked

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7152fe

#: 066 Function Name: NtDeviceIoControlFile

Status: Not hooked

#: 067 Function Name: NtDisplayString

Status: Not hooked

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa713a78

#: 069 Function Name: NtDuplicateToken

Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries

Status: Not hooked

#: 071 Function Name: NtEnumerateKey

Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx

Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey

Status: Not hooked

#: 074 Function Name: NtExtendSection

Status: Not hooked

#: 075 Function Name: NtFilterToken

Status: Not hooked

#: 076 Function Name: NtFindAtom

Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile

Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache

Status: Not hooked

#: 079 Function Name: NtFlushKey

Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory

Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer

Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages

Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory

Status: Not hooked

#: 084 Function Name: NtFsControlFile

Status: Not hooked

#: 085 Function Name: NtGetContextThread

Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState

Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent

Status: Not hooked

#: 088 Function Name: NtGetWriteWatch

Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken

Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort

Status: Not hooked

#: 091 Function Name: NtImpersonateThread

Status: Not hooked

#: 092 Function Name: NtInitializeRegistry

Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction

Status: Not hooked

#: 094 Function Name: NtIsProcessInJob

Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic

Status: Not hooked

#: 096 Function Name: NtListenPort

Status: Not hooked

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa715e72

#: 098 Function Name: NtLoadKey

Status: Not hooked

#: 099 Function Name: NtLoadKey2

Status: Not hooked

#: 100 Function Name: NtLockFile

Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys

Status: Not hooked

#: 102 Function Name: NtLockRegistryKey

Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory

Status: Not hooked

#: 104 Function Name: NtMakePermanentObject

Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7146f6

#: 106 Function Name: NtMapUserPhysicalPages

Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter

Status: Not hooked

#: 108 Function Name: NtMapViewOfSection

Status: Not hooked

#: 109 Function Name: NtModifyBootEntry

Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile

Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey

Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys

Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject

Status: Not hooked

#: 114 Function Name: NtOpenEvent

Status: Not hooked

#: 115 Function Name: NtOpenEventPair

Status: Not hooked

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714d50

#: 117 Function Name: NtOpenIoCompletion

Status: Not hooked

#: 118 Function Name: NtOpenJobObject

Status: Not hooked

#: 119 Function Name: NtOpenKey

Status: Not hooked

#: 120 Function Name: NtOpenMutant

Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm

Status: Not hooked

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7137a8

#: 123 Function Name: NtOpenProcessToken

Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx

Status: Not hooked

#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714986

#: 126 Function Name: NtOpenSemaphore

Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject

Status: Not hooked

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa713920

#: 129 Function Name: NtOpenThreadToken

Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx

Status: Not hooked

#: 131 Function Name: NtOpenTimer

Status: Not hooked

#: 132 Function Name: NtPlugPlayControl

Status: Not hooked

#: 133 Function Name: NtPowerInformation

Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck

Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm

Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm

Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory

Status: Not hooked

#: 138 Function Name: NtPulseEvent

Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile

Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder

Status: Not hooked

#: 141 Function Name: NtQueryBootOptions

Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState

Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale

Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage

Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile

Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject

Status: Not hooked

#: 147 Function Name: NtQueryEaFile

Status: Not hooked

#: 148 Function Name: NtQueryEvent

Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile

Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom

Status: Not hooked

#: 151 Function Name: NtQueryInformationFile

Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject

Status: Not hooked

#: 153 Function Name: NtQueryInformationPort

Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess

Status: Not hooked

#: 155 Function Name: NtQueryInformationThread

Status: Not hooked

#: 156 Function Name: NtQueryInformationToken

Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage

Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile

Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion

Status: Not hooked

#: 160 Function Name: NtQueryKey

Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey

Status: Not hooked

#: 162 Function Name: NtQueryMutant

Status: Not hooked

#: 163 Function Name: NtQueryObject

Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys

Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter

Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile

Status: Not hooked

#: 167 Function Name: NtQuerySection

Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject

Status: Not hooked

#: 169 Function Name: NtQuerySemaphore

Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject

Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue

Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx

Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation

Status: Not hooked

#: 174 Function Name: NtQuerySystemTime

Status: Not hooked

#: 175 Function Name: NtQueryTimer

Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution

Status: Not hooked

#: 177 Function Name: NtQueryValueKey

Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory

Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile

Status: Not hooked

#: 180 Function Name: NtQueueApcThread

Status: Not hooked

#: 181 Function Name: NtRaiseException

Status: Not hooked

#: 182 Function Name: NtRaiseHardError

Status: Not hooked

#: 183 Function Name: NtReadFile

Status: Not hooked

#: 184 Function Name: NtReadFileScatter

Status: Not hooked

#: 185 Function Name: NtReadRequestData

Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory

Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort

Status: Not hooked

#: 188 Function Name: NtReleaseMutant

Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore

Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion

Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug

Status: Not hooked

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7158aa

#: 193 Function Name: NtReplaceKey

Status: Not hooked

#: 194 Function Name: NtReplyPort

Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort

Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx

Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort

Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup

Status: Not hooked

#: 199 Function Name: NtRequestPort

Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa71426e

#: 201 Function Name: NtRequestWakeupLatency

Status: Not hooked

#: 202 Function Name: NtResetEvent

Status: Not hooked

#: 203 Function Name: NtResetWriteWatch

Status: Not hooked

#: 204 Function Name: NtRestoreKey

Status: Not hooked

#: 205 Function Name: NtResumeProcess

Status: Not hooked

#: 206 Function Name: NtResumeThread

Status: Not hooked

#: 207 Function Name: NtSaveKey

Status: Not hooked

#: 208 Function Name: NtSaveKeyEx

Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys

Status: Not hooked

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa715c0e

#: 211 Function Name: NtSetBootEntryOrder

Status: Not hooked

#: 212 Function Name: NtSetBootOptions

Status: Not hooked

#: 213 Function Name: NtSetContextThread

Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState

Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort

Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale

Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage

Status: Not hooked

#: 218 Function Name: NtSetEaFile

Status: Not hooked

#: 219 Function Name: NtSetEvent

Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority

Status: Not hooked

#: 221 Function Name: NtSetHighEventPair

Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair

Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject

Status: Not hooked

#: 224 Function Name: NtSetInformationFile

Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject

Status: Not hooked

#: 226 Function Name: NtSetInformationKey

Status: Not hooked

#: 227 Function Name: NtSetInformationObject

Status: Not hooked

#: 228 Function Name: NtSetInformationProcess

Status: Not hooked

#: 229 Function Name: NtSetInformationThread

Status: Not hooked

#: 230 Function Name: NtSetInformationToken

Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile

Status: Not hooked

#: 232 Function Name: NtSetIoCompletion

Status: Not hooked

#: 233 Function Name: NtSetLdtEntries

Status: Not hooked

#: 234 Function Name: NtSetLowEventPair

Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair

Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile

Status: Not hooked

#: 237 Function Name: NtSetSecurityObject

Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue

Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx

Status: Not hooked

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa716020

#: 241 Function Name: NtSetSystemPowerState

Status: Not hooked

#: 242 Function Name: NtSetSystemTime

Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState

Status: Not hooked

#: 244 Function Name: NtSetTimer

Status: Not hooked

#: 245 Function Name: NtSetTimerResolution

Status: Not hooked

#: 246 Function Name: NtSetUuidSeed

Status: Not hooked

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa7156aa

#: 248 Function Name: NtSetVolumeInformationFile

Status: Not hooked

#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa714690

#: 250 Function Name: NtSignalAndWaitForSingleObject

Status: Not hooked

#: 251 Function Name: NtStartProfile

Status: Not hooked

#: 252 Function Name: NtStopProfile

Status: Not hooked

#: 253 Function Name: NtSuspendProcess

Status: Not hooked

#: 254 Function Name: NtSuspendThread

Status: Not hooked

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa71487a

#: 256 Function Name: NtTerminateJobObject

Status: Not hooked

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa6ee7df0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa713ee8

#: 259 Function Name: NtTestAlert

Status: Not hooked

#: 260 Function Name: NtTraceEvent

Status: Not hooked

#: 261 Function Name: NtTranslateFilePath

Status: Not hooked

#: 262 Function Name: NtUnloadDriver

Status: Not hooked

#: 263 Function Name: NtUnloadKey

Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx

Status: Not hooked

#: 265 Function Name: NtUnlockFile

Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory

Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection

Status: Not hooked

#: 268 Function Name: NtVdmControl

Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent

Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects

Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject

Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair

Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair

Status: Not hooked

#: 274 Function Name: NtWriteFile

Status: Not hooked

#: 275 Function Name: NtWriteFileGather

Status: Not hooked

#: 276 Function Name: NtWriteRequestData

Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory

Status: Not hooked

#: 278 Function Name: NtYieldExecution

Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent

Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent

Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent

Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent

Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess

Status: Not hooked

maulej · July 17, 2009

Just adding that there were no hidden services in the report...

Rorschach112 · July 20, 2009

hi

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O33 - MountPoints2\{06c46914-d339-11dc-808a-000d616f5eea}\Shell - "" = AutoRun
O33 - MountPoints2\{3953ed82-ded0-11dc-80ae-000d616f5eea}\Shell\AutoRun\command - "" = F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe -- File not found
[2009.07.10 11:15:14 | 00,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI

:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Rorschach112 · July 26, 2009

Inactive topic...

If you still need help on this problem, contact me or one of the Moderators to re-open this up.

Topic closed.

Sign In

Trojan Inside?[INACTIVE]

Recommended Posts

maulej

Link to post

Share on other sites

Rorschach112

Link to post

Share on other sites

maulej

Link to post

Share on other sites

maulej

Link to post

Share on other sites

Rorschach112

Link to post

Share on other sites

Rorschach112

Link to post

Share on other sites

Browse

Activity