TechSpot

Search engine redirects in Firefox

By ak74
Jul 30, 2011
  1. I am having problems in Firefox with search engine redirects (Win XP). It does it with Google, Yahoo, Bing, and I haven't tried more. I am running McAfee anti-virus and Spybot S&D. I also have an anti-rootkit. I have downloaded and run Malwarebytes and it found 7 registry entries that I removed. Problem still exists.

    I just found this site, what should I do next?
     
  2. Broni

    Broni Malware Annihilator

    Welcome aboard

    Please complete all the steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. ak74

    ak74 TS Rookie Topic Starter

    Here are the logs

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7326

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    7/30/2011 10:47:06 AM
    mbam-log-2011-07-30 (10-47-06).txt

    Scan type: Quick scan
    Objects scanned: 155438
    Time elapsed: 7 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XMZH42I4GI (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Value: 8DDYX0ZBPZ -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)






    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-07-30 17:20:34
    Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-f ST3160815AS rev.3.CHF
    Running: s6c1xkrj.exe; Driver: C:\DOCUME~1\me\LOCALS~1\Temp\pxtdypob.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9EAF210]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9EAF224]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9EAF250]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9EAF2A6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9EAF1FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9EAF1D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9EAF1E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9EAF23A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9EAF27C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9EAF266]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9EAF2D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9EAF2BC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9EAF290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9EAF294 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9EAF2AA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9EAF2C0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9EAF280 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9EAF1D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9EAF1EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9EAF2D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9EAF26A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9EAF23E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9EAF214 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9EAF228 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9EAF254 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9EAF200 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\Explorer.EXE[336] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 011B0000
    .text C:\WINDOWS\Explorer.EXE[336] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 011B0011
    .text C:\WINDOWS\Explorer.EXE[336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011B0FDB
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011A0FEF
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011A0F83
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011A0082
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011A0FA8
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011A0065
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011A002F
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011A009D
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011A0F61
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011A0F18
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011A0F29
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011A0EFD
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011A004A
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011A0FD4
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011A0F72
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011A0FC3
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011A000A
    .text C:\WINDOWS\Explorer.EXE[336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011A0F3A
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011F0FC0
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011F0F8A
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011F001B
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011F0000
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011F0047
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011F0FE5
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011F002C
    .text C:\WINDOWS\Explorer.EXE[336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011F0FAF
    .text C:\WINDOWS\Explorer.EXE[336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011E0F97
    .text C:\WINDOWS\Explorer.EXE[336] msvcrt.dll!system 77C293C7 5 Bytes JMP 011E0022
    .text C:\WINDOWS\Explorer.EXE[336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011E0FCD
    .text C:\WINDOWS\Explorer.EXE[336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011E0FEF
    .text C:\WINDOWS\Explorer.EXE[336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011E0FB2
    .text C:\WINDOWS\Explorer.EXE[336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011E0FDE
    .text C:\WINDOWS\Explorer.EXE[336] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 011C0011
    .text C:\WINDOWS\Explorer.EXE[336] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 011C0000
    .text C:\WINDOWS\Explorer.EXE[336] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 011C0038
    .text C:\WINDOWS\Explorer.EXE[336] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 011C0FE5
    .text C:\WINDOWS\Explorer.EXE[336] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01720000
    .text C:\WINDOWS\system32\svchost.exe[412] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0FEF
    .text C:\WINDOWS\system32\svchost.exe[412] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB001B
    .text C:\WINDOWS\system32\svchost.exe[412] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB000A
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA006A
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F75
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F86
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA1
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC3
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F3D
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F5A
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00A7
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0096
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EFD
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FB2
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0025
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0085
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FDE
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F22
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F54
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FAF
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FD4
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F6F
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FE5
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F80
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
    .text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0011
    .text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FBC
    .text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0047
    .text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0022
    .text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
    .text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FD7
    .text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0011
    .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FEF
    .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
    .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FDE
    .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
    .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910014
    .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900027
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F32
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F4D
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900F5E
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900F94
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900EFA
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F17
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900EBA
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0090005D
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900E9F
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F79
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900000
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900042
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FAF
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FC0
    .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900ED5
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FD4
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90065
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FE5
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A9001B
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90054
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90000
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90FA8
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
    .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FC3
    .text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FC0
    .text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A8004B
    .text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A80FE5
    .text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80000
    .text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A8003A
    .text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80029
    .text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 00930FD4
    .text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00930FB9
    .text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
    .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
    .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050011
    .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FDB
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F68
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F83
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040F94
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040FA5
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040047
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000400B0
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040093
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000400E6
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400CB
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000400F7
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040FC0
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0004001B
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040078
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040FE5
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0004002C
    .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F4D
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FCA
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F6F
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC001B
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC000A
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC002C
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0F94
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
    .text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FAF
    .text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070044
    .text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FB9
    .text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070018
    .text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
    .text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070029
    .text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FDE
    .text C:\WINDOWS\system32\services.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060FEF
    .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B70000
    .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B70FDB
    .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B70011
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FE5
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B6006F
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F70
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60F8D
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60F9E
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60FCA
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60096
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60F4E
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B60F11
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F22
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B600BB
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60FAF
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60000
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F5F
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B6002C
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B6001B
    .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B60F33
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E4002C
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E4006C
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40011
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40000
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40FAF
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40FC0
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
    .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E4003D
    .text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90FCA
    .text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B9004B
    .text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B9000C
    .text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B9003A
    .text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B9001D
    .text C:\WINDOWS\system32\lsass.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10FEF
    .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F10FB9
    .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F10FDE
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F4E
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00043
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00032
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00F75
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00FA1
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F1D
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F0006F
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F0008A
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00EFB
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00ED6
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00F90
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00FDE
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F0005E
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FB2
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FCD
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00F0C
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FAF
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40F83
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40FC0
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F40FE5
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40040
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F40000
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F4002F
    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40F9E
    .text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30FAD
    .text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30FC8
    .text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30FD9
    .text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
    .text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F3002E
    .text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30011
    .text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FEF
    .text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
    .text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FD1
    .text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0011
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0095
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0FAA
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0084
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0FC7
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0058
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F5E
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F7B
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F28
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F39
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F17
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0069
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB001B
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00A6
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0047
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0036
    .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00C1
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FDB
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C3008E
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C3002C
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C3001B
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30073
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30058
    .text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30047
    .text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F81
    .text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0F9C
    .text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC1
    .text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
     
  4. ak74

    ak74 TS Rookie Topic Starter

    Logs #2

    .text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE000C
    .text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
    .text C:\WINDOWS\system32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 06440FEF
    .text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0644001E
    .text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 06440FDE
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 06430FEF
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 06430F4B
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 06430040
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 06430F72
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 06430F83
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 06430F9E
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 06430F29
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 06430F3A
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0643009D
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0643008C
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 064300B8
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 06430025
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 06430000
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 06430065
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 06430FAF
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 06430FCA
    .text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 06430F18
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 06480040
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 06480FAF
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0648002F
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0648000A
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0648006C
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 06480FEF
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 06480FCA
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [68, 8E]
    .text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 06480051
    .text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 06470F92
    .text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 06470FAD
    .text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0647000C
    .text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 06470FEF
    .text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0647001D
    .text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 06470FD2
    .text C:\WINDOWS\System32\svchost.exe[1528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0645000A
    .text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 06460FE5
    .text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 06460000
    .text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 06460FCA
    .text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 0646001D
    .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0064000A
    .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640FE5
    .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0064001B
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0063000A
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0063008C
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630067
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630F8D
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630F9E
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630036
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00630F55
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0063009D
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006300DD
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006300C2
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006300F8
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630FAF
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630FEF
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00630F7C
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630025
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00630FDE
    .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630F3A
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0066001B
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066005F
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660000
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FCA
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0066004E
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FE5
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0066003D
    .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0066002C
    .text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650F95
    .text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FB0
    .text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650016
    .text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650FEF
    .text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FC1
    .text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FD2
    .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009A0FCA
    .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A0000
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990FEF
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990F5C
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990F6D
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990051
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00990040
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990025
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00990F26
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00990F41
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00990EF0
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00990F0B
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0099009A
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990F9E
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0099000A
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0099006C
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00990FB9
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FCA
    .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00990089
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009D0036
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009D0FAF
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009D0FE5
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009D001B
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009D0062
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009D0000
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009D0FCA
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BD, 88]
    .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009D0051
    .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009C0FAD
    .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!system 77C293C7 5 Bytes JMP 009C002E
    .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009C0FC8
    .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009C0FE3
    .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009C001D
    .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009C0000
    .text C:\WINDOWS\system32\svchost.exe[1724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0FEF
    .text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E000A
    .text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0FD4
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0000
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F59
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D004E
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D003D
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0F80
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0F9B
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0070
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D005F
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0095
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0EFC
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0EE1
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D002C
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0011
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D0F34
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0FC0
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0FD1
    .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0F0D
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A10FAF
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A10F5E
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A10FCA
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A10F6F
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A10FEF
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A10F8A
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C1, 88]
    .text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A10011
    .text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A0007A
    .text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FE5
    .text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A0003A
    .text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00000
    .text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A0004B
    .text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00029
    .text C:\WINDOWS\system32\svchost.exe[1872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0000

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\mfevtps.exe[1260] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\WINDOWS\system32\mfevtps.exe[1260] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----





    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
    Run by me at 17:21:17 on 2011-07-30
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1355 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\PROGRA~1\WinTV\hcwP1Utl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Java\Java Update\jaucheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.att.net
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110729231212.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\siteadvisor\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\siteadvisor\mcieplg.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
    uRunOnce: [2Wire DSL Setup Tool] c:\2wire_dsl_setup_tool\2Wire_DSL_Setup_Tool.exe -RuNBFT
    mRun: [hcwPVRReset] c:\progra~1\wintv\hcwP1Utl.exe -Quiet -ResetHardware -NotifyResetFailure -KeepTrying
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
    mRun: [MerlinReportAgent] "c:\program files\att-hsi\McciBrowser.exe" -appkey=att-nap -hidden -url=file:///C:/Program%20Files/ATT-HSI/ReportAgent.html
    uPolicies-explorer: NoSMMyDocs = 1 (0x1)
    uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
    mPolicies-explorer: NoResolveTrack = 1 (0x1)
    IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
    IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
    IE: Append to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
    IE: Create PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
    IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
    IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{7146BCB3-B48E-49FB-8236-93085CABF85F} : DhcpNameServer = 192.168.1.254
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\siteadvisor\McIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\me\application data\mozilla\firefox\profiles\x6klftd0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - plugin: c:\documents and settings\me\application data\move networks\plugins\npqmp071706000001.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-21 387480]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-21 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-1-30 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-21 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-21 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-21 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-21 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-21 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-21 141792]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-21 56064]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-7-1 45464]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-21 153280]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-21 52320]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-21 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-21 88736]
    S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-7-13 30946]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-6 136176]
    S3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\jakndis.sys --> c:\windows\system32\drivers\JakNDis.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-30 41272]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-21 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-21 84488]
    S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-14 266240]
    .
    =============== Created Last 30 ================
    .
    2011-07-30 15:12:25 -------- d-----w- c:\documents and settings\me\application data\Malwarebytes
    2011-07-30 15:12:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-30 15:12:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-07-30 15:12:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-30 15:12:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-28 02:43:33 63488 --sha-r- c:\windows\system32\sysocmgrj.dll
    2011-07-01 23:55:23 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2011-07-01 23:55:09 45464 ----a-w- c:\windows\system32\drivers\dc3d.sys
    2011-07-01 23:55:09 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2011-07-01 23:54:59 -------- d-----w- c:\program files\Microsoft IntelliPoint
    .
    ==================== Find3M ====================
    .
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    ============= FINISH: 17:22:04.76 ===============
     
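The GMER and DDS output above is long enough that the security-relevant pattern is easy to miss when read line by line: every svchost.exe instance carries the same set of 5-byte inline JMP hooks on file, process, LoadLibrary, registry, socket and WinINet entry points, each landing in a small private allocation (00BB0000-00C30000 for PID 1404, 06430000-06480000 for PID 1528) rather than in a loaded DLL, and a few entries such as `RegCreateKeyW + 3 ... 2 Bytes [68, 8E]` show a second patch overlapping the first. Whether those pages belong to one of the security products on this machine (McAfee, Spybot TeaTimer, UnHackMe) or to something unknown is what the helper has to establish next; the log alone does not say. The script below is an added example, not part of the thread or of GMER/DDS: it parses hook lines of this shape into records, summarises them per process (hook count, hooked modules, the 64 KiB regions the JMPs land in, and short or partial patches), and separately pulls the DDS "Created Last 30" entries and shortlists files under system32 that were created with both the hidden and system attributes, as `sysocmgrj.dll` (`--sha-r-`) is in the log. The sample lines embedded in it are constructed copies of a few lines from the posted logs so that it runs offline; the shortlist is a prompt for manual inspection, not a verdict, since legitimate components can carry those attributes too.

```python
"""Triage helpers for GMER user-mode hook lines and DDS 'Created Last 30' lines.

Added example: the regexes follow the line shapes visible in the posted logs;
they are not a GMER or DDS API.
"""
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied in shape from the
# GMER and DDS output posted in the thread, so the script runs offline.
GMER_SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FDB
.text C:\WINDOWS\system32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 06480FCA
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [68, 8E]
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 06460000
"""

DDS_SAMPLE = r"""
2011-07-30 15:12:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 15:12:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-28 02:43:33 63488 --sha-r- c:\windows\system32\sysocmgrj.dll
2011-07-01 23:55:23 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
"""

# ".text <proc>[<pid>] <module>!<func>[ + <off>] <addr> <n> Bytes JMP <target>"
# or the raw-bytes form "... <n> Bytes [68, 8E]" used for a second, overlapping patch.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$"
)

# "<date> <time> <size|--------> <attrs> <path>"; attrs is an 8-char flag string
# such as "----a-w-", "--sha-r-" or "d-----w-" (leading 'd' marks a directory).
DDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)


def parse_hooks(text):
    """Turn GMER user-mode hook lines into dicts; non-matching lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "proc": m["proc"],
            "pid": int(m["pid"]),
            "module": m["module"].lower(),
            "func": m["func"],
            "offset": int(m["offset"] or 0),
            "addr": int(m["addr"], 16),
            "nbytes": int(m["nbytes"]),
            "target": int(m["target"], 16) if m["target"] else None,
            "raw": [int(b, 16) for b in m["raw"].split(",")] if m["raw"] else [],
        })
    return hooks


def summarize_hooks(hooks):
    """Per PID: hook count, hooked modules, 64 KiB regions the JMPs land in,
    and patches shorter than a full 5-byte JMP (overlapping or partial hooks)."""
    summary = defaultdict(lambda: {"proc": None, "count": 0, "modules": set(),
                                   "regions": set(), "partial": 0})
    for h in hooks:
        s = summary[h["pid"]]
        s["proc"] = h["proc"]
        s["count"] += 1
        s["modules"].add(h["module"])
        if h["target"] is not None:
            s["regions"].add(h["target"] & 0xFFFF0000)
        if h["nbytes"] < 5:
            s["partial"] += 1
    return dict(summary)


def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into dicts with decoded attribute flags."""
    entries = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "ts": m["ts"],
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "path": m["path"].lower(),
        })
    return entries


def flag_hidden_system_files(entries, root="c:\\windows\\system32\\"):
    """Shortlist files (not directories) created under `root` with both the
    hidden and system attributes set. A prompt for inspection, not a verdict."""
    return [e["path"] for e in entries
            if not e["is_dir"] and e["hidden"] and e["system"]
            and e["path"].startswith(root)]


if __name__ == "__main__":
    for pid, s in sorted(summarize_hooks(parse_hooks(GMER_SAMPLE)).items()):
        regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"]))
        print(f"{s['proc']}[{pid}]: {s['count']} hooks in {sorted(s['modules'])}, "
              f"{s['partial']} partial, JMP targets in regions {regions}")
    for path in flag_hidden_system_files(parse_dds_created(DDS_SAMPLE)):
        print("hidden+system file created in system32:", path)
```

Run it against the full logs by replacing the two sample strings with the pasted text. The per-process region list is the useful output: on this log every svchost instance has its hooks pointing into a handful of private 64 KiB pages rather than into a module, so the next step in a hands-on triage is to find what owns those pages (a security product's injected code, or an unknown DLL) before deciding anything; the `partial` count isolates the `+ 3` two-byte entries, which indicate two hooks stacked on the same prologue.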
  5. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    I still need Attach.txt log.
     
  6. ak74

    ak74 TS Rookie Topic Starter

    Attach.txt log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume3
    Install Date: 12/26/2007 4:26:43 PM
    System Uptime: 7/30/2011 10:48:32 AM (7 hours ago)
    .
    Motherboard: ECS | | Livermore8
    Processor: Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz | CPU 1 | 1599/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 95 GiB total, 6.071 GiB free.
    G: is FIXED (NTFS) - 0 GiB total, 0.072 GiB free.
    H: is FIXED (NTFS) - 114 GiB total, 86.252 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139/810x Family Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_2A57103C&REV_01\4&293AFFCC&0&00E0
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8139/810x Family Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_2A57103C&REV_01\4&293AFFCC&0&00E0
    Service: RTLE8023xp
    .
    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_06E6&PID_C200&MI_00\6&347ACA01&0&0000
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_06E6&PID_C200&MI_00\6&347ACA01&0&0000
    Service: USBSTOR
    .
    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMTSSTCORP_CDDVDW_TS-H653N________________0208____\5&947C700&0&0.1.0
    Manufacturer: (Standard CD-ROM drives)
    Name: TSSTcorp CDDVDW TS-H653N
    PNP Device ID: IDE\CDROMTSSTCORP_CDDVDW_TS-H653N________________0208____\5&947C700&0&0.1.0
    Service: cdrom
    .
    ==== System Restore Points ===================
    .
    RP1: 7/27/2011 9:53:28 PM - System Checkpoint
    RP2: 7/27/2011 11:00:28 PM - Removed Jaksta Streaming Media Recorder
    RP3: 7/27/2011 11:02:10 PM - Removed Netflix Movie Viewer
    RP4: 7/27/2011 11:08:20 PM - RegRun Virus Scan
    RP5: 7/29/2011 8:37:35 AM - System Checkpoint
    RP6: 7/29/2011 9:37:51 PM - RegRun Virus Scan
    RP7: 7/30/2011 10:52:31 AM - RegRun Virus Scan
    .
    ==== Installed Programs ======================
    .
    .
    µtorrent 1.8.1 (build 12616) Leecher Pack
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    AnyDVD
    Canon PIXMA iP4000
    CloneCD
    CloneDVD2
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    DivX Setup
    DVD Identifier
    eFax Messenger 4.3
    Foxit Reader
    FreeRIP v3.30
    Google Earth
    Google Earth Plug-in
    H&R Block Deluxe + Efile + State 2010
    H&R Block Mississippi 2010
    Hauppauge WinTV PVR (Model 45xxx)
    High Definition Audio Driver Package - KB888111
    Home and Business Attorney
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    IObit Security 360
    j2 Messenger 4.2
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    jv16 PowerTools 2010
    Logitech Harmony Remote Software 7
    magicJack
    Malwarebytes' Anti-Malware version 1.51.1.1800
    McAfee SecurityCenter
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 8.1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Professional Edition 2003
    Microsoft Office Visio Viewer 2003 (English)
    Microsoft Office Visio Viewer 2007
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Move Media Player
    Mozilla Firefox (3.0b4)
    Mozilla Firefox (3.5.17)
    Mozilla Firefox 5.0 (x86 en-US)
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PL-2303 USB-to-Serial
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    Remote Control USB Driver
    RoboForm 7-3-2 (All Users)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2482017)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2497640)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2530548)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SIM MAX
    Spybot - Search & Destroy
    TaxACT 2010
    TomTom HOME 2.8.1.2218
    TomTom HOME Visual Studio Merge Modules
    TubeHunter Ultra
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wmsiper
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wmsiper
    TurboTax 2009 wrapper
    TurboTax Deluxe 2007
    UnHackMe 4.80 beta
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    USPS FY Calendar 2.0
    VC80CRTRedist - 8.0.50727.4053
    Virtual Earth 3D (Beta)
    WebFldrs XP
    Windows Essentials Media Codec Pack 1.0
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinPcap 4.1.1
    WinRAR archiver
    Xvid 1.2.1 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/27/2011 9:53:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi redbook
    7/27/2011 9:53:26 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    7/27/2011 9:53:26 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    7/27/2011 9:26:53 PM, error: DCOM [10000] - Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}. The error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe" /PDFShell -Embedding
    .
    ==== End Of File ===========================
     
  7. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Download aswMBR to your desktop.
    Double-click aswMBR.exe to run it.
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to reconnect your machine to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.

    Make sure you re-enable your security programs when you're done with ComboFix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your anti-virus about this tool; ignore them or shut down your anti-virus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. ak74

    ak74 TS Rookie Topic Starter

    More logs

    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2011-07-30 18:34:09
    -----------------------------
    18:34:09.218 OS Version: Windows 5.1.2600 Service Pack 3
    18:34:09.218 Number of processors: 2 586 0xF0D
    18:34:09.218 ComputerName: MAIN UserName: me
    18:34:09.718 Initialize success
    18:35:26.156 AVAST engine defs: 11073001
    18:35:58.421 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    18:35:58.421 Disk 0 Vendor: Maxtor_4R120L0 RAMB1TU0 Size: 117246MB BusType: 3
    18:35:58.421 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-f
    18:35:58.421 Disk 1 Vendor: ST3160815AS 3.CHF Size: 152627MB BusType: 3
    18:36:00.484 Disk 1 MBR read successfully
    18:36:00.484 Disk 1 MBR scan
    18:36:00.531 Disk 1 unknown MBR code
    18:36:00.531 Disk 1 scanning sectors +312576705
    18:36:00.593 Disk 1 scanning C:\WINDOWS\system32\drivers
    18:36:17.937 Service scanning
    18:36:18.859 Modules scanning
    18:36:26.171 Disk 1 trace - called modules:
    18:36:26.187 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    18:36:26.203 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a677ab8]
    18:36:26.203 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a5dd3a8]
    18:36:26.203 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-f[0x8a680940]
    18:36:26.578 AVAST engine scan C:\WINDOWS
    18:36:38.453 AVAST engine scan C:\WINDOWS\system32
    18:38:47.203 AVAST engine scan C:\WINDOWS\system32\drivers
    18:39:06.750 AVAST engine scan C:\Documents and Settings\me
    18:39:50.546 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\me\Desktop\MBR.dat"
    18:39:50.546 The log file has been saved successfully to "C:\Documents and Settings\me\Desktop\aswMBR.txt"
    19:01:23.203 AVAST engine scan C:\Documents and Settings\All Users
    19:02:01.453 Scan finished successfully
    19:52:42.031 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\me\Desktop\MBR.dat"
    19:52:42.031 The log file has been saved successfully to "C:\Documents and Settings\me\Desktop\aswMBR.txt"
    19:53:28.187 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\me\Desktop\MBR.dat"
    19:53:28.187 The log file has been saved successfully to "C:\Documents and Settings\me\Desktop\aswMBR.txt"

    ComboFix 11-07-31.01 - me 07/30/2011 20:07:12.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1394 [GMT -5:00]
    Running from: c:\documents and settings\me\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\me\Local Settings\Temporary Internet Files\Sys5889.Data Repository.sys
    c:\documents and settings\me\WINDOWS
    c:\windows\system32\ESQULzxspectrum
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-30 15:12 . 2011-07-30 15:12 -------- d-----w- c:\documents and settings\me\Application Data\Malwarebytes
    2011-07-30 15:12 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-30 15:12 . 2011-07-30 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-30 15:12 . 2011-07-30 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-30 15:12 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-28 02:43 . 2011-07-28 02:43 63488 --sha-r- c:\windows\system32\sysocmgrj.dll
    2011-07-01 23:55 . 2008-11-07 23:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2011-07-01 23:55 . 2011-04-13 20:02 45464 ----a-w- c:\windows\system32\drivers\dc3d.sys
    2011-07-01 23:55 . 2011-04-13 20:02 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2011-07-01 23:54 . 2011-07-01 23:55 -------- d-----w- c:\program files\Microsoft IntelliPoint
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2007-12-26 22:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-06-28 107000]
    "UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2007-09-17 228352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hcwPVRReset"="c:\progra~1\WinTV\hcwP1Utl.exe" [2001-06-21 45056]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "MerlinReportAgent"="c:\program files\ATT-HSI\McciBrowser.exe" [2010-05-27 1051136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyDocs"= 1 (0x1)
    "NoFavoritesMenu"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 00:43 69632 ----a-w- c:\windows\Alcmtr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2009-03-01 05:27 2542528 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    2006-09-28 19:21 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
    2007-03-06 17:21 116224 ----a-w- c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2007-08-24 17:01 159744 ----a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2007-08-24 17:01 135168 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2011-04-13 20:02 1808784 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-02-16 22:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
    2006-07-14 20:03 107008 ----a-w- c:\program files\j2 Messenger 4.2\J2GDllCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    2011-06-28 12:01 1195408 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
    2007-04-08 16:44 303104 ----a-w- c:\program files\Essentials Codec Pack\update.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2007-08-24 17:00 131072 ----a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
    2011-06-28 23:01 107000 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2007-08-10 21:21 16384000 ----a-w- c:\windows\RTHDCPL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-12 21:30 136600 ----a-w- h:\program files\Java\jre6\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
    2007-09-17 21:37 228352 ----a-w- c:\program files\UnHackMe\hackmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "ose"=3 (0x3)
    "MpfService"=2 (0x2)
    "McSysmon"=3 (0x3)
    "McShield"=2 (0x2)
    "McProxy"=2 (0x2)
    "McODS"=3 (0x3)
    "McNASvc"=2 (0x2)
    "mcmscsvc"=2 (0x2)
    "McciCMService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "IS360service"=2 (0x2)
    "iPod Service"=3 (0x3)
    "IntuitUpdateService"=2 (0x2)
    "CSHelper"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\seba14mods\\µtorrent 1.8.1 (build 12616) Leecher Pack\\utorrent 1.8.1 (12616)_fakeup2x_leecher.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Documents and Settings\\me\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/21/2011 7:59 PM 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/30/2011 11:35 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2011 7:59 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2011 7:59 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/21/2011 7:59 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/21/2011 7:59 PM 141792]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/21/2011 7:59 PM 56064]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [7/1/2011 6:55 PM 45464]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/21/2011 7:59 PM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/21/2011 7:59 PM 88736]
    S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [7/13/2008 10:52 AM 30946]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2010 10:53 PM 136176]
    S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/30/2011 10:12 AM 41272]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/21/2011 7:59 PM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/21/2011 7:59 PM 84488]
    S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/14/2009 2:30 PM 266240]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    *Deregistered* - UnHackMeDrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 03:53]
    .
    2011-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 03:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
    IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
    IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
    IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
    IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
    IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\x6klftd0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-IObit Security 360 - c:\program files\IObit\IObit Security 360\IS360tray.exe
    Notify-WgaLogon - (no file)
    MSConfigStartUp-IObit Security 360 - c:\program files\IObit\IObit Security 360\IS360tray.exe
    AddRemove-Hauppauge WinTV PVR (Model 45xxx) - c:\progra~1\WinTV\UNpvr45.EXE
    AddRemove-IObit Security 360_is1 - c:\program files\IObit\IObit Security 360\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-30 20:15
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-07-30 20:17:36
    ComboFix-quarantined-files.txt 2011-07-31 01:17
    .
    Pre-Run: 6,330,892,288 bytes free
    Post-Run: 6,575,153,152 bytes free
    .
    - - End Of File - - 66B7B05E1703DFC213D69D09D27DC03C
     
  9. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\sysocmgrj.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
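The "DisableMonitoring"=dword:00000001 entries under the Security Center key in the ComboFix log above, and the Registry:: stanza in the CFScript that sets them back to 0, are signals a helper reads off by hand; as an added example (not part of this thread, and not ComboFix's or OTL's own code), the Python below triages a constructed excerpt modelled on the posted log for three such signals and emits the matching CFScript stanza. The excerpt, the list of user-writable path markers and the rule thresholds are my assumptions, and a hit means "review this", not "infected".

```python
"""Triage a ComboFix 'Reg Loading Points' excerpt for signals a malware-removal
helper looks for, then build the CFScript stanza that resets one of them.
Added example for this thread; SAMPLE_LOG is a constructed excerpt, and the
markers/rules are assumptions about what merits review, not a verdict."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log posted above (not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\me\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/14/2009 2:30 PM 266240]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "Name"=data (REGEDIT4 style)
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")
# ComboFix service/driver line: <start> <name>;<display name>;<image> [<date size>] or [?]
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?)(?: \[(.*)\])?$")

# Locations a firewall-authorized program is not expected to run from (assumption).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)

@dataclass
class Finding:
    category: str   # "security-center", "firewall-exception" or "missing-image"
    key: str        # registry key the entry sits under ("" for service lines)
    detail: str

def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2)
            lkey = key.lower()
            if "security center\\monitoring\\" in lkey and name.lower() == "disablemonitoring":
                d = DWORD_RE.match(data)
                if d and int(d.group(1), 16) != 0:
                    product = key.rsplit("\\", 1)[-1]
                    findings.append(Finding("security-center", key,
                                            f"Security Center monitoring disabled for {product}"))
            elif "authorizedapplications\\list" in lkey:
                # REGEDIT4 doubles backslashes; undo that before inspecting the path.
                path = name.replace("\\\\", "\\").lower()
                if any(marker in path for marker in USER_WRITABLE_MARKERS):
                    findings.append(Finding("firewall-exception", key,
                                            f"firewall exception for user-writable path {path}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, svc, _display, image, meta = m.groups()
            if meta == "?":   # ComboFix prints [?] when the image file cannot be found
                findings.append(Finding("missing-image", "",
                                        f"{svc} ({start}) registered but file missing: {image}"))
    return findings

def cfscript_reset_monitoring(findings: list[Finding]) -> str:
    """Registry:: stanza, in the CFScript layout used in the thread, that sets
    DisableMonitoring back to 0 for every Security Center finding."""
    lines = ["Registry::"]
    for f in findings:
        if f.category == "security-center":
            lines.append(f"[{f.key}]")
            lines.append('"DisableMonitoring"=dword:00000000')
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.category:18} {f.detail}")
    print(cfscript_reset_monitoring(results))
```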
     
  10. ak74

    ak74 TS Rookie Topic Starter

    ComboFix 11-07-31.01 - me 07/31/2011 4:49.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1187 [GMT -5:00]
    Running from: c:\documents and settings\me\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    FILE ::
    "c:\windows\system32\sysocmgrj.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\sysocmgrj.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-31 04:06 . 2011-07-31 04:06 -------- d-----w- c:\windows\LastGood
    2011-07-30 15:12 . 2011-07-30 15:12 -------- d-----w- c:\documents and settings\me\Application Data\Malwarebytes
    2011-07-30 15:12 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-30 15:12 . 2011-07-30 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-30 15:12 . 2011-07-30 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-30 15:12 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-01 23:55 . 2008-11-07 23:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2011-07-01 23:55 . 2011-04-13 20:02 45464 ----a-w- c:\windows\system32\drivers\dc3d.sys
    2011-07-01 23:55 . 2011-04-13 20:02 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2011-07-01 23:54 . 2011-07-01 23:55 -------- d-----w- c:\program files\Microsoft IntelliPoint
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2007-12-26 22:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-31_01.15.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-12-26 22:27 . 2011-07-31 09:21 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-12-26 22:27 . 2011-07-30 17:40 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2011-07-31 02:43 . 2011-07-31 09:21 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-06-28 107000]
    "UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2007-09-17 228352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hcwPVRReset"="c:\progra~1\WinTV\hcwP1Utl.exe" [2001-06-21 45056]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "MerlinReportAgent"="c:\program files\ATT-HSI\McciBrowser.exe" [2010-05-27 1051136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyDocs"= 1 (0x1)
    "NoFavoritesMenu"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2009-03-01 05:27 2542528 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    2006-09-28 19:21 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
    2007-03-06 17:21 116224 ----a-w- c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2007-08-24 17:01 159744 ----a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2007-08-24 17:01 135168 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2011-04-13 20:02 1808784 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-02-16 22:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
    2006-07-14 20:03 107008 ----a-w- c:\program files\j2 Messenger 4.2\J2GDllCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    2011-06-28 12:01 1195408 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
    2007-04-08 16:44 303104 ----a-w- c:\program files\Essentials Codec Pack\update.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2007-08-24 17:00 131072 ----a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
    2011-06-28 23:01 107000 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2007-08-10 21:21 16384000 ----a-w- c:\windows\RTHDCPL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-12 21:30 136600 ----a-w- h:\program files\Java\jre6\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
    2007-09-17 21:37 228352 ----a-w- c:\program files\UnHackMe\hackmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "ose"=3 (0x3)
    "MpfService"=2 (0x2)
    "McSysmon"=3 (0x3)
    "McShield"=2 (0x2)
    "McProxy"=2 (0x2)
    "McODS"=3 (0x3)
    "McNASvc"=2 (0x2)
    "mcmscsvc"=2 (0x2)
    "McciCMService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "IS360service"=2 (0x2)
    "iPod Service"=3 (0x3)
    "IntuitUpdateService"=2 (0x2)
    "CSHelper"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\seba14mods\\µtorrent 1.8.1 (build 12616) Leecher Pack\\utorrent 1.8.1 (12616)_fakeup2x_leecher.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Documents and Settings\\me\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/21/2011 7:59 PM 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/30/2011 11:35 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2011 7:59 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2011 7:59 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/21/2011 7:59 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/21/2011 7:59 PM 141792]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/21/2011 7:59 PM 56064]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [7/1/2011 6:55 PM 45464]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/21/2011 7:59 PM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/21/2011 7:59 PM 88736]
    S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [7/13/2008 10:52 AM 30946]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2010 10:53 PM 136176]
    S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/30/2011 10:12 AM 41272]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/21/2011 7:59 PM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/21/2011 7:59 PM 84488]
    S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/14/2009 2:30 PM 266240]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    *Deregistered* - UnHackMeDrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 03:53]
    .
    2011-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 03:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
    IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
    IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
    IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
    IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
    IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\x6klftd0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-31 04:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-07-31 04:56:15
    ComboFix-quarantined-files.txt 2011-07-31 09:56
    ComboFix2.txt 2011-07-31 01:17
    .
    Pre-Run: 6,555,500,544 bytes free
    Post-Run: 6,541,561,856 bytes free
    .
    - - End Of File - - 332D11CC434C59A41BEF5092466034E6
     
  11. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    How is the redirection?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. ak74

    ak74 TS Rookie Topic Starter

    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.69% Memory free
    4.83 Gb Paging File | 4.34 Gb Available in Paging File | 89.81% Paging File free
    Paging file location(s): C:\pagefile.sys 3060 4948 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 94.83 Gb Total Space | 6.07 Gb Free Space | 6.40% Space Free | Partition Type: NTFS
    Drive F: | 17.59 Mb Total Space | 17.32 Mb Free Space | 98.44% Space Free | Partition Type: FAT
    Drive G: | 100.00 Mb Total Space | 74.16 Mb Free Space | 74.16% Space Free | Partition Type: NTFS
    Drive H: | 114.40 Gb Total Space | 86.54 Gb Free Space | 75.64% Space Free | Partition Type: NTFS

    Computer Name: MAIN | User Name: me | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/07/31 11:37:01 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\me\Desktop\OTL.exe
    PRC - [2011/06/28 18:01:36 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    PRC - [2011/06/28 07:01:30 | 001,195,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    PRC - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    PRC - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
    PRC - [2011/03/09 07:30:08 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    PRC - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2009/01/23 11:46:14 | 000,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2008/04/13 19:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2001/06/21 13:57:34 | 000,045,056 | ---- | M] () -- C:\Program Files\WinTV\hcwP1Utl.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/07/31 11:37:01 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\me\Desktop\OTL.exe
    MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2009/01/23 11:46:18 | 000,013,840 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
    SRV - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
    SRV - [2011/03/09 07:30:08 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
    SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/10/20 13:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
    SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2009/02/14 14:30:45 | 000,266,240 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\CSHelper.exe -- (CSHelper)
    SRV - [2009/01/23 11:46:14 | 000,203,280 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2011/04/14 14:01:38 | 000,387,480 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2011/04/14 14:01:38 | 000,314,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2011/04/14 14:01:38 | 000,153,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2011/04/14 14:01:38 | 000,095,824 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2011/04/14 14:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2011/04/14 14:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2011/04/14 14:01:38 | 000,084,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2011/04/14 14:01:38 | 000,084,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2011/04/14 14:01:38 | 000,056,064 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2011/04/14 14:01:38 | 000,052,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2011/04/13 15:02:36 | 000,045,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dc3d.sys -- (dc3d)
    DRV - [2010/05/26 21:21:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2010/05/26 21:20:34 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2009/10/20 13:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
    DRV - [2009/01/29 18:02:38 | 000,103,488 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
    DRV - [2008/07/13 10:52:27 | 000,030,946 | ---- | M] (Greatis Software) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\Partizan.sys -- (Partizan)
    DRV - [2007/12/26 17:56:07 | 000,090,880 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2007/08/10 14:52:44 | 004,603,904 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/02/15 19:57:04 | 000,034,760 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL)
    DRV - [2007/02/15 19:56:49 | 000,011,984 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
    DRV - [2007/02/06 13:27:04 | 000,185,728 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
    DRV - [2004/12/15 16:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2004/12/15 16:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004/12/15 16:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2004/06/28 13:08:56 | 000,042,752 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0



    IE - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
    IE - HKU\S-1-5-21-854245398-362288127-725345543-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-854245398-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-854245398-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

    ========== FireFox ==========

    FF - prefs.js..browser.search.suggest.enabled: false
    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
    FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:7.2.5
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.8
    FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
    FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
    FF - prefs.js..network.proxy.http: "127.0.0.1"


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=2.5: C:\Program Files\Virtual Earth 3D\ [2009/01/10 04:03:53 | 000,000,000 | ---D | M]
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2009/01/10 04:03:53 | 000,000,000 | ---D | M]
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\me\Application Data\Move Networks\plugins\npqmp071706000001.dll (Move Networks)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found
    FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\me\Application Data\Move Networks\plugins\npqmp071706000001.dll (Move Networks)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/07/31 02:06:12 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/06/28 18:02:04 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Components: C:\Program Files\Mozilla Firefox 3 Beta 4\components [2011/07/31 04:20:55 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3 Beta 4\plugins [2010/07/17 17:00:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/08 18:57:14 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/27 23:01:12 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox 4.0 Beta 12\components [2011/06/27 21:19:19 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox 4.0 Beta 12\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\me\Application Data\Move Networks [2010/06/17 22:28:50 | 000,000,000 | ---D | M]

    [2010/06/26 08:52:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\me\Application Data\Mozilla\Extensions
    [2010/06/26 08:52:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\me\Application Data\Mozilla\Extensions\home2@tomtom.com
    [2011/07/29 06:29:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\x6klftd0.default\extensions
    [2011/01/07 07:35:29 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\x6klftd0.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    [2011/03/08 18:23:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/05/17 21:51:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2011/02/17 03:56:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    File not found (No name found) --
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\X6KLFTD0.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\X6KLFTD0.DEFAULT\EXTENSIONS\{DD3D7613-0246-469D-BC65-2A3CC1668ADC}.XPI
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\X6KLFTD0.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
    [2008/12/02 21:50:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/04/07 06:30:25 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX 4.0 BETA 12\EXTENSIONS\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011/06/28 18:02:04 | 000,000,000 | ---D | M] (Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
    [2010/01/29 17:40:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
    [2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/07/31 04:54:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - File not found
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110731042055.dll (McAfee, Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKU\S-1-5-21-854245398-362288127-725345543-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O4 - HKLM..\Run: [hcwPVRReset] C:\Program Files\WinTV\hcwP1Utl.exe ()
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [MerlinReportAgent] C:\Program Files\ATT-HSI\McciBrowser.exe (Alcatel-Lucent)
    O4 - HKU\S-1-5-21-854245398-362288127-725345543-1003..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
    O4 - HKU\S-1-5-21-854245398-362288127-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKU\S-1-5-21-854245398-362288127-725345543-1003..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
    O4 - HKU\S-1-5-21-854245398-362288127-725345543-1003..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe (Greatis Software)
    O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnceEx: [Title] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 1
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
    O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O15 - HKU\S-1-5-21-854245398-362288127-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O15 - HKU\S-1-5-21-854245398-362288127-725345543-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/12/26 17:24:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2009/08/01 16:17:00 | 000,000,270 | ---- | M] () - F:\autorun.inf -- [ FAT ]
    O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - H:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (Partizan) - C:\WINDOWS\System32\Partizan.exe (Greatis Software)
    O34 - HKLM BootExecute: (ootExecute settings...) - File not found
    O34 - HKLM BootExecute: (on\E) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/07/31 11:37:00 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\me\Desktop\OTL.exe
    [2011/07/30 23:06:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2011/07/30 20:01:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/07/30 19:55:31 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/07/30 19:54:13 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/07/30 19:54:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/07/30 19:54:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/07/30 19:54:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/07/30 19:54:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/07/30 19:54:00 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/07/30 18:33:34 | 004,158,851 | R--- | C] (Swearware) -- C:\Documents and Settings\me\Desktop\ComboFix.exe
    [2011/07/30 18:32:54 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\me\Desktop\aswMBR.exe
    [2011/07/30 11:24:55 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\me\Desktop\dds.scr
    [2011/07/30 10:12:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\me\Application Data\Malwarebytes
    [2011/07/30 10:12:20 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/07/30 10:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/07/30 10:12:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/07/30 10:12:16 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/07/30 10:12:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/07/30 10:11:42 | 009,466,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\me\Desktop\mbam-setup.exe
    [2011/07/27 23:00:28 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2011/07/01 18:55:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Mouse
    [2011/07/01 18:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft IntelliPoint
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/07/31 11:38:45 | 000,000,087 | ---- | M] () -- C:\WINDOWS\Calendar.INI
    [2011/07/31 11:37:01 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\me\Desktop\OTL.exe
    [2011/07/31 11:03:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/07/31 10:20:03 | 000,044,440 | ---- | M] () -- C:\WINDOWS\NOTES.FSC
    [2011/07/31 09:22:40 | 000,009,998 | ---- | M] () -- C:\Documents and Settings\me\Desktop\3pf3o13l95O65T45Z4b7u869ffd180e501dec.jpg
    [2011/07/31 04:54:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/07/31 02:03:00 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/07/30 19:59:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/07/30 19:55:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/07/30 19:53:28 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\me\Desktop\MBR.dat
    [2011/07/30 18:33:57 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\me\Desktop\aswMBR.exe
    [2011/07/30 18:33:42 | 004,158,851 | R--- | M] (Swearware) -- C:\Documents and Settings\me\Desktop\ComboFix.exe
    [2011/07/30 11:24:55 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\me\Desktop\dds.scr
    [2011/07/30 11:24:41 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\me\Desktop\s6c1xkrj.exe
    [2011/07/30 10:12:20 | 000,000,834 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/07/30 10:11:51 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\me\Desktop\mbam-setup.exe
    [2011/07/30 09:45:46 | 000,000,662 | ---- | M] () -- C:\Documents and Settings\me\Desktop\UnHackMe.lnk
    [2011/07/29 22:43:21 | 000,000,118 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2011/07/27 21:52:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/07/27 21:25:24 | 000,141,290 | ---- | M] () -- C:\Documents and Settings\me\Desktop\EMVC_OON_Form.pdf
    [2011/07/25 21:02:22 | 000,197,750 | ---- | M] () -- C:\Documents and Settings\me\Desktop\Goggles4u Eyeglasses.pdf
    [2011/07/21 22:06:18 | 002,859,745 | ---- | M] () -- C:\Documents and Settings\me\Desktop\30535.pdf
    [2011/07/17 13:12:53 | 000,027,704 | ---- | M] () -- C:\Documents and Settings\me\Desktop\oshabullridr.gif
    [2011/07/17 13:12:47 | 000,037,068 | ---- | M] () -- C:\Documents and Settings\me\Desktop\cowboyosha.gif
    [2011/07/14 21:35:27 | 000,156,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/07/14 19:33:22 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/07/01 18:55:45 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_point32_01009.Wdf
    [2011/07/01 18:55:36 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01009.Wdf
    [2011/07/01 18:55:30 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
    [2011/07/01 18:55:29 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/07/31 05:39:55 | 000,009,998 | ---- | C] () -- C:\Documents and Settings\me\Desktop\3pf3o13l95O65T45Z4b7u869ffd180e501dec.jpg
    [2011/07/30 19:55:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/07/30 19:55:33 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/07/30 19:54:13 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/07/30 19:54:13 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/07/30 19:54:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/07/30 19:54:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/07/30 19:54:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/07/30 18:39:50 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\me\Desktop\MBR.dat
    [2011/07/30 11:24:40 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\me\Desktop\s6c1xkrj.exe
    [2011/07/30 10:12:20 | 000,000,834 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/07/30 09:45:46 | 000,000,662 | ---- | C] () -- C:\Documents and Settings\me\Desktop\UnHackMe.lnk
    [2011/07/29 22:43:21 | 000,000,118 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2011/07/27 21:25:24 | 000,141,290 | ---- | C] () -- C:\Documents and Settings\me\Desktop\EMVC_OON_Form.pdf
    [2011/07/25 21:02:19 | 000,197,750 | ---- | C] () -- C:\Documents and Settings\me\Desktop\Goggles4u Eyeglasses.pdf
    [2011/07/21 22:06:18 | 002,859,745 | ---- | C] () -- C:\Documents and Settings\me\Desktop\30535.pdf
    [2011/07/17 13:12:52 | 000,027,704 | ---- | C] () -- C:\Documents and Settings\me\Desktop\oshabullridr.gif
    [2011/07/17 13:12:47 | 000,037,068 | ---- | C] () -- C:\Documents and Settings\me\Desktop\cowboyosha.gif
    [2011/07/01 18:55:45 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_point32_01009.Wdf
    [2011/07/01 18:55:36 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01009.Wdf
    [2011/07/01 18:55:30 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
    [2011/07/01 18:55:29 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    [2011/02/12 08:46:54 | 000,000,022 | -HS- | C] () -- C:\Documents and Settings\me\Application Data\Sys6925.Config Collection.sys
    [2011/02/12 08:46:54 | 000,000,022 | -HS- | C] () -- C:\WINDOWS\Sys3390 SettingsCollection.bin
    [2010/12/20 18:52:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT10.ini
    [2010/07/10 07:01:49 | 000,089,944 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/05/15 22:35:20 | 000,139,152 | ---- | C] () -- C:\Documents and Settings\me\Application Data\PnkBstrK.sys
    [2010/04/25 19:32:47 | 000,000,343 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2010/04/25 19:21:11 | 000,001,074 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
    [2010/02/15 21:48:47 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2010/02/04 22:11:11 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS64.DLL
    [2010/02/04 21:58:27 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6d.DLL
    [2009/10/20 13:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2009/05/09 21:46:07 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009/05/09 21:46:07 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009/03/10 22:18:20 | 001,481,728 | ---- | C] () -- C:\WINDOWS\System32\LegitCheckControl.dll
    [2009/03/10 22:18:14 | 000,414,208 | ---- | C] () -- C:\WINDOWS\System32\WgaTray.exe
    [2009/03/10 22:18:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\System32\WgaLogon.dll
    [2009/03/01 00:28:51 | 000,000,086 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
    [2009/03/01 00:28:51 | 000,000,002 | -HS- | C] () -- C:\Documents and Settings\me\Application Data\.zreglib
    [2009/02/14 14:30:45 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\CSHelper.exe
    [2008/12/28 16:31:11 | 000,000,141 | ---- | C] () -- C:\WINDOWS\System32\09wutili.sys
    [2008/12/26 17:17:06 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
    [2008/12/21 22:08:07 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\MUT.dll
    [2008/12/21 18:11:46 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\me\Application Data\$_hpcst$.hpc
    [2008/09/03 18:41:58 | 000,001,232 | ---- | C] () -- C:\Documents and Settings\me\Local Settings\Application Data\iTunesPrefs
    [2008/09/03 18:35:35 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\me\Local Settings\Application Data\84756-11986-27475-00TC1-94865
    [2008/08/10 18:19:18 | 000,000,306 | ---- | C] () -- C:\WINDOWS\QTW.INI
    [2008/07/14 19:17:26 | 000,000,123 | ---- | C] () -- C:\WINDOWS\rootkitno.ini
    [2008/07/12 13:14:43 | 000,419,840 | ---- | C] () -- C:\WINDOWS\System32\ContextMenuHandle.dll
    [2008/07/12 13:01:14 | 006,294,528 | ---- | C] () -- C:\WINDOWS\System32\MioEncoder1.dll
    [2008/01/12 14:37:00 | 000,027,460 | ---- | C] () -- C:\WINDOWS\System32\loaddrv.exe
    [2008/01/12 14:37:00 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\Dlportio.sys
    [2008/01/02 22:29:53 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
    [2008/01/02 22:29:53 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
    [2008/01/01 22:09:04 | 000,000,068 | ---- | C] () -- C:\WINDOWS\MyProg.ini
    [2007/12/29 14:55:04 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2007/12/26 21:55:17 | 000,000,087 | ---- | C] () -- C:\WINDOWS\Calendar.INI
    [2007/12/26 21:14:56 | 000,001,279 | ---- | C] () -- C:\WINDOWS\mozver.dat
    [2007/12/26 18:47:36 | 000,014,336 | ---- | C] () -- C:\Documents and Settings\me\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/12/26 18:43:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/12/26 18:33:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2007/12/26 18:17:30 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
    [2007/12/26 17:26:48 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2007/12/26 17:22:33 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2007/12/26 11:17:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2007/12/26 11:16:51 | 000,156,360 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/07/21 15:50:34 | 000,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwXDS.dll
    [2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 07:00:00 | 000,435,590 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 07:00:00 | 000,068,360 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2009/11/07 10:01:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon
    [2008/11/16 13:35:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
    [2010/06/17 21:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\com.comcast.access
    [2008/02/23 13:35:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
    [2008/02/23 13:35:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
    [2010/04/25 19:20:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
    [2009/10/19 19:26:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
    [2008/02/23 13:45:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\j2 Messenger 4.2 Setup
    [2010/08/23 18:21:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
    [2008/12/06 20:21:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
    [2011/07/25 21:02:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
    [2010/01/16 16:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
    [2008/12/06 20:21:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
    [2007/12/26 22:11:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
    [2011/01/17 15:17:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
    [2008/11/22 20:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/06/26 09:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
    [2011/01/30 23:38:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
    [2008/01/21 16:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\Any DVD Converter Professional
    [2008/09/03 22:17:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\cmw
    [2010/06/17 22:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
    [2008/12/28 16:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\DMCache
    [2009/12/25 00:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\dvdisaster
    [2008/02/23 13:35:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\eFax Messenger
    [2009/11/26 20:30:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\FinalBurner Video DVD
    [2009/06/13 22:41:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\HBA
    [2008/02/23 13:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\j2 Messenger
    [2011/01/17 00:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\mjusbsp
    [2009/07/29 19:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\Octoshape
    [2008/12/26 17:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\pdf995
    [2009/12/28 23:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\ROALDevelopment
    [2008/11/06 20:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\ScanSoft
    [2011/01/30 16:47:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\TaxCut
    [2010/06/26 08:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\TomTom
    [2011/06/16 21:24:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\uTorrent
    [2007/12/26 18:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\WinBatch
    [2008/11/06 20:22:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\me\Application Data\Zeon

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2007/12/26 17:24:54 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/10/28 18:05:31 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/07/30 19:55:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/07/31 04:56:16 | 000,013,612 | ---- | M] () -- C:\ComboFix.txt
    [2007/12/26 17:24:54 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2008/09/10 21:25:29 | 003,682,748 | ---- | M] () -- C:\convoy.mp3
    [2008/03/22 07:29:29 | 116,834,272 | ---- | M] () -- C:\CookBooks.exe
    [2009/08/10 21:10:44 | 001,769,472 | ---- | M] () -- C:\dd-wrt.v24_micro_generic.bin
    [2007/12/26 17:24:54 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2007/12/26 17:24:54 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2010/02/17 18:36:01 | 000,000,950 | ---- | M] () -- C:\net_save.dna
    [2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/08/23 21:30:16 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/07/30 19:59:39 | 3208,642,560 | -HS- | M] () -- C:\pagefile.sys
    [2008/12/26 21:44:18 | 006,874,308 | ---- | M] () -- C:\Tube_Hunter_Ultra_2.3.2975_2b.rar
    [2008/11/22 21:28:50 | 007,492,361 | ---- | M] () -- C:\videora-iphone-403-setup.exe

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2007/12/26 17:24:33 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2004/04/23 15:00:00 | 000,017,920 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD64.DLL
    [2004/06/07 00:00:00 | 000,017,920 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD6d.DLL
    [2004/04/23 15:00:00 | 000,054,272 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP64.DLL
    [2004/06/07 00:00:00 | 000,054,272 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP6d.DLL
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >
     
  13. ak74

    ak74 TS Rookie Topic Starter

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2007/12/26 11:16:22 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2007/12/26 11:16:22 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2007/12/26 11:16:22 | 000,888,832 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/08/23 21:34:03 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2008/08/23 21:58:43 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\me\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2007/12/26 17:28:35 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\me\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/07/30 18:33:57 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\me\Desktop\aswMBR.exe
    [2011/07/30 18:33:42 | 004,158,851 | R--- | M] (Swearware) -- C:\Documents and Settings\me\Desktop\ComboFix.exe
    [2011/07/30 10:11:51 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\me\Desktop\mbam-setup.exe
    [2011/07/31 11:37:01 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\me\Desktop\OTL.exe
    [2011/07/30 11:24:41 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\me\Desktop\s6c1xkrj.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2009/08/23 06:29:48 | 001,296,288 | ---- | M] (McAfee, Inc.) -- C:\Documents and Settings\me\My Documents\DMSetup-Serial.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/08/23 21:58:43 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\me\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2008/11/06 20:32:56 | 000,000,358 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/07/31 10:20:13 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\me\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 23:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 19:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 02:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 02:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 12:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 13:07:23 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 13:07:23 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 13:07:24 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 02:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 02:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >

    OTL Extras logfile created on: 7/31/2011 11:38:47 AM - Run 1
    OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\me\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.69% Memory free
    4.83 Gb Paging File | 4.34 Gb Available in Paging File | 89.81% Paging File free
    Paging file location(s): C:\pagefile.sys 3060 4948 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 94.83 Gb Total Space | 6.07 Gb Free Space | 6.40% Space Free | Partition Type: NTFS
    Drive F: | 17.59 Mb Total Space | 17.32 Mb Free Space | 98.44% Space Free | Partition Type: FAT
    Drive G: | 100.00 Mb Total Space | 74.16 Mb Free Space | 74.16% Space Free | Partition Type: NTFS
    Drive H: | 114.40 Gb Total Space | 86.54 Gb Free Space | 75.64% Space Free | Partition Type: NTFS

    Computer Name: MAIN | User Name: me | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe (Mozilla Corporation)
    .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
    "C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
    "C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe" = C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
    "C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
    "C:\Program Files\seba14mods\µtorrent 1.8.1 (build 12616) Leecher Pack\utorrent 1.8.1 (12616)_fakeup2x_leecher.exe" = C:\Program Files\seba14mods\µtorrent 1.8.1 (build 12616) Leecher Pack\utorrent 1.8.1 (12616)_fakeup2x_leecher.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
    "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
    "C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
    "C:\Program Files\ATT-HSI\McciBrowser.exe" = C:\Program Files\ATT-HSI\McciBrowser.exe:*:Enabled:motivebrowser.exe -- (Alcatel-Lucent)
    "C:\Documents and Settings\me\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\me\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack -- (magicJack L.P.)
    "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{10964A8F-21C1-45EA-BC2D-F84B505C3848}" = H&R Block Deluxe + Efile + State 2010
    "{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
    "{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 24
    "{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
    "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
    "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{3254FD51-9910-48C4-AC9B-AF3691C1544C}" = TubeHunter Ultra
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
    "{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
    "{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
    "{3A59F6E0-EAA2-012B-AE20-000000000000}" = TurboTax 2009 wmsiper
    "{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
    "{3CCB26F5-E2A7-4C91-8340-9149D7B7C2BE}" = Virtual Earth 3D (Beta)
    "{44A7867C-E3F4-4F96-8948-FDE62D23AD29}" = TurboTax 2008 wmsiper
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.30
    "{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{6C08AC4A-81DB-4df9-A1EB-E2027BD4789A}" = j2 Messenger 4.2
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{80F19EAA-44C4-47C2-AE87-1C7628E858D6}" = Logitech Harmony Remote Software 7
    "{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
    "{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90520409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Viewer 2003 (English)
    "{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9C2F9B2C-1585-43AD-9EF9-48AAD60DFC04}" = Microsoft IntelliPoint 8.1
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
    "{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
    "{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
    "{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
    "{B3076A28-345A-4d89-90A3-B68866C0DFB8}" = eFax Messenger 4.3
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{DAC0B889-5359-4FDC-893A-2B8EF6B71B6F}" = SIM MAX
    "{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
    "{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{FADD4B90-1C96-4307-A698-5BFA61C93239}" = H&R Block Mississippi 2010
    "µtorrent 1.8.1 (build 12616) Leecher Pack by seba14_is1" = µtorrent 1.8.1 (build 12616) Leecher Pack
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AI RoboForm" = RoboForm 7-3-2 (All Users)
    "AnyDVD" = AnyDVD
    "CANONBJ_Deinstall_CNMCP64.DLL" = Canon PIXMA iP4000
    "CloneCD" = CloneCD
    "CloneDVD2" = CloneDVD2
    "DivX Setup.divx.com" = DivX Setup
    "DVD Identifier_is1" = DVD Identifier
    "Foxit Reader" = Foxit Reader
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "Home and Business Attorney" = Home and Business Attorney
    "jv16 PowerTools 2010" = jv16 PowerTools 2010
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1
    "Mozilla Firefox (3.0b4)" = Mozilla Firefox (3.0b4)
    "Mozilla Firefox (3.5.17)" = Mozilla Firefox (3.5.17)
    "Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
    "MSC" = McAfee SecurityCenter
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Pdf995" = Pdf995 (installed by TaxCut)
    "PdfEdit995" = PdfEdit995 (installed by TaxCut)
    "TaxACT 2010" = TaxACT 2010
    "TomTom HOME" = TomTom HOME 2.8.1.2218
    "TurboTax 2008" = TurboTax 2008
    "TurboTax 2009" = TurboTax 2009
    "TurboTax Deluxe 2007" = TurboTax Deluxe 2007
    "UnHackMe_is1" = UnHackMe 4.80 beta
    "USPS_FY_Calendar_2.0" = USPS FY Calendar 2.0
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    "WIC" = Windows Imaging Component
    "Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 1.0
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinPcapInst" = WinPcap 4.1.1
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "Xvid_is1" = Xvid 1.2.1 final uninstall

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-854245398-362288127-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "magicJack" = magicJack
    "Move Media Player" = Move Media Player

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 6/26/2011 12:45:07 PM | Computer Name = MAIN | Source = IS360srv.exe | ID = 0
    Description =

    Error - 6/27/2011 12:50:42 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
    Description = Faulting application firefox.exe, version 2.0.1.4120, faulting module
    mozalloc.dll, version 2.0.1.4120, fault address 0x00001a39.

    Error - 7/1/2011 7:59:57 PM | Computer Name = MAIN | Source = IS360srv.exe | ID = 0
    Description =

    Error - 7/12/2011 8:52:42 PM | Computer Name = MAIN | Source = IS360srv.exe | ID = 0
    Description =

    Error - 7/14/2011 10:36:29 PM | Computer Name = MAIN | Source = IS360srv.exe | ID = 0
    Description =

    Error - 7/27/2011 10:53:08 PM | Computer Name = MAIN | Source = IS360srv.exe | ID = 0
    Description =

    Error - 7/30/2011 12:27:15 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
    Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
    teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

    [ System Events ]
    Error - 7/30/2011 11:50:33 AM | Computer Name = MAIN | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Google Update Service
    (gupdate) service to connect.

    Error - 7/30/2011 11:50:33 AM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
    Description = The Google Update Service (gupdate) service failed to start due to
    the following error: %%1053

    Error - 7/30/2011 11:50:33 AM | Computer Name = MAIN | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Cdrom Imapi redbook

    Error - 7/30/2011 9:01:32 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Google Update Service
    (gupdate) service to connect.

    Error - 7/30/2011 9:01:32 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
    Description = The Google Update Service (gupdate) service failed to start due to
    the following error: %%1053

    Error - 7/30/2011 9:01:32 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7023
    Description = The Automatic Updates service terminated with the following error:
    %%126

    Error - 7/30/2011 9:01:32 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Cdrom Imapi redbook

    Error - 7/30/2011 10:51:39 PM | Computer Name = MAIN | Source = DCOM | ID = 10000
    Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
    The
    error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe"
    /PDFShell -Embedding

    Error - 7/30/2011 10:51:39 PM | Computer Name = MAIN | Source = DCOM | ID = 10000
    Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
    The
    error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe"
    /PDFShell -Embedding

    Error - 7/30/2011 10:51:39 PM | Computer Name = MAIN | Source = DCOM | ID = 10000
    Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
    The
    error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe"
    /PDFShell -Embedding


    < End of report >
     
  14. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    I can't continue because you didn't answer my question:
     
  15. ak74

    ak74 TS Rookie Topic Starter

    I am sorry, I didn't see your question..

    It is going to the search results instead of being redirected. Everything seems to be OK.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    I apologize for a huge delay.
    Somehow email notification missed me.

    ================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now we need to remove the old Java versions and their remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ==============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\S-1-5-21-854245398-362288127-725345543-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
      FF - prefs.js..network.proxy.http: "127.0.0.1"
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - File not found
      O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
      O4 - HKLM..\RunOnceEx: [Title] File not found
      O15 - HKU\S-1-5-21-854245398-362288127-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      O15 - HKU\S-1-5-21-854245398-362288127-725345543-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O34 - HKLM BootExecute: (ootExecute settings...) - File not found
      O34 - HKLM BootExecute: (on\E) - File not found
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
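The OTL fix above removes a Firefox pref, network.proxy.http set to "127.0.0.1", which is the mechanism behind many search redirects of this kind: a malware component listening on the victim's own machine is inserted as an HTTP proxy and rewrites search traffic before the browser sees it. The script below is an added example, not part of Broni's instructions and not OTL code, showing how to audit a Firefox prefs.js for that setting offline. It goes slightly beyond the thread's case by also checking the SSL and SOCKS proxy hosts and a proxy auto-config (PAC) URL. The sample prefs.js contents and the port 8080 are constructed for the example; the thread only shows the host 127.0.0.1.

```python
"""Audit a Firefox prefs.js for proxy settings that can hijack search traffic.

Added example for this thread; not part of the original post or of OTL.
"""
import ipaddress
import re
from typing import Dict, List

# A prefs.js line looks like: user_pref("name", value); where value is a
# double-quoted string, an integer or true/false. Comments and blank lines
# do not match and are skipped.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Firefox proxy hosts that can redirect traffic when set. Their port prefs
# are the same name with a "_port" suffix.
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")

# network.proxy.type values: 0 = no proxy, 1 = manual, 2 = PAC URL,
# 4 = auto-detect (WPAD), 5 = use system proxy settings (the default).
_MANUAL, _PAC, _SYSTEM = 1, 2, 5


def parse_prefs(text: str) -> Dict[str, object]:
    """Return {pref_name: value} with strings, ints and bools decoded."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unknown literals as text
    return prefs


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_proxy(prefs: Dict[str, object]) -> List[str]:
    """Flag loopback proxy hosts and PAC configuration.

    A home machine normally has no local proxy, so any loopback proxy host
    is reported even when the proxy type is not "manual": malware can flip
    network.proxy.type back to 1 at any time.
    """
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type", _SYSTEM)
    state = "active (manual proxy)" if ptype == _MANUAL else f"configured but proxy type is {ptype}"
    for key in PROXY_HOST_PREFS:
        host = prefs.get(key)
        if not host:
            continue
        port = prefs.get(f"{key}_port", 0)
        if is_loopback(str(host)):
            findings.append(f"{key} = {host}:{port} is a loopback proxy, {state}")
    if ptype == _PAC:
        url = prefs.get("network.proxy.autoconfig_url", "")
        findings.append(f"proxy auto-config (PAC) enabled: {url!r}")
    return findings


# Constructed sample prefs.js contents (not from the thread's logs).
SAMPLE_HIJACKED = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

SAMPLE_CLEAN = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 5);
"""


if __name__ == "__main__":
    for label, text in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_proxy(parse_prefs(text)) or "no findings")
```

To audit a real profile, read the file with `open(path, encoding="utf-8")` and pass its contents to `parse_prefs`; on Windows XP the profile lives under Application Data\Mozilla\Firefox\Profiles. Removing the pref line (or running a fix like the OTL script above) is only half the cleanup: the process that was listening on the loopback port has to be found and removed as well, or the pref will be re-created.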
     
  17. ak74

    ak74 TS Rookie Topic Starter

    more logs

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    McAfee SecurityCenter
    Antivirus up to date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 26
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player 10.1.53.64
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Out of date Adobe Reader installed!
    Mozilla Firefox (x86 en-US..) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````





    ESET LOG

    C:\insignia gps\mio pocket 4.0 R 68\MioPocket 4.0 Release 68.zip a variant of Win32/Kryptik.KRT trojan deleted - quarantined
    C:\insignia gps\mio pocket 4.0 R 68\MioPocket 4.0 Release 68\MioPocket 4.0 Release 68\Extras\Win32\CFF Explorer\CFF Explorer.exe a variant of Win32/Kryptik.KRT trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8BE6B044-D725-4DF3-B2A3-53C21E7D689E}\RP12\A0004874.exe a variant of Win32/Kryptik.KRT trojan cleaned by deleting - quarantined
     
  18. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Uninstall:
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7


    =============================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB) and download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ===================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  19. ak74

    ak74 TS Rookie Topic Starter

    Last log Hopefully

    Hi,

    Everything is better. There are no search engine redirects. I could not find Java 6 Update 7, but deleted Updates 3 and 5.

    I am amazed that, running an AV program and other malware programs, they still get through, and at how hard they are to clean.

    Thanks for all your help. I really needed it.

    Here is hopefully the last OTL log.

    Thanks again

    AK


    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 421159 bytes

    User: me
    ->Temp folder emptied: 734236 bytes
    ->Temporary Internet Files folder emptied: 326246 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 166864803 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 2630 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 161.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: me
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.26.1 log created on 08072011_182133

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  20. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Way to go!!
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.
