
Infected with server.exe Trojan


  • This topic is locked
13 replies to this topic

#1 psychoguy2009

  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 09 April 2009 - 07:20 PM

I ran Malwarebytes' Anti-Malware and it said that I have a Trojan called "server.exe." I clicked on remove items and it said that it had removed them successfully, but I can run the scan again in a few minutes, and they are back. I tried to use System Restore in Safe mode, but I cannot activate System Restore as the box is checked to disable it. I reboot in normal mode and uncheck the box and click Apply, but when I reboot, it has been disabled again. I will insert the logfile from Malwarebytes and DDS, and attach the ATTACH.txt file. Thank you for any help you can give me!

Here is the logfile from Malwarebytes:
Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 3

4/9/2009 6:00:04 PM
mbam-log-2009-04-09 (17-59-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125372
Time elapsed: 44 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updates (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\updates.w (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\server.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\server.exe",) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\server.exe (Trojan.Agent) -> No action taken.


Here is the logfile from DDS.txt:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 18:50:08.50 on Thu 04/09/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\windows\server.exe",
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updates] c:\windows\server.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
uExplorerRun: [updates.w] c:\windows\server.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} - hxxp://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9zx58d9h.default\
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-09 18:30 <DIR> -cd----- c:\windows\system32\NtmsData
2009-04-09 18:02 107,008 ac------ c:\windows\skasglnbgds.exe
2009-04-04 19:32 <DIR> -cd----- c:\program files\Trend Micro
2009-04-04 18:56 28,544 ac------ c:\windows\system32\drivers\pavboot.sys
2009-04-04 15:59 91,520 ac------ c:\windows\system32\drivers\SysPlant.sys
2009-04-04 15:59 123,952 ac------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-04 15:59 60,800 ac------ c:\windows\system32\S32EVNT1.DLL
2009-04-04 15:59 10,563 ac------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-04 15:59 805 ac------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-29 13:19 13,216,672 ac-shr-- c:\docume~1\admini~1\applic~1\server.exe
2009-03-27 22:43 13,970 ac------ c:\windows\dslgkndsg.torrent
2009-03-19 21:42 4,507 ac------ c:\windows\imsins.BAK
2009-03-19 21:19 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-04-09 15:24 0 ac------ c:\windows\system32\drivers\lvuvc.hs
2009-04-09 15:24 0 ac------ c:\windows\system32\drivers\logiflt.iad
2009-04-09 13:16 171,012 ac------ c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-04-06 15:32 38,496 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 ac------ c:\windows\system32\drivers\mbam.sys
2009-03-13 18:01 149,768 ac------ c:\windows\system32\drivers\WpsHelper.sys
2009-02-09 06:13 1,846,784 ac------ c:\windows\system32\win32k.sys
2008-11-23 14:16 1,635 ac------ c:\docume~1\admini~1\applic~1\SAS7_000.DAT
2008-09-16 16:43 60,744 ac------ c:\documents and settings\administrator\g2mdlhlpx.exe
2008-03-21 18:39 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-05-12 19:22 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-12 19:22 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat
2008-05-12 19:22 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 18:55:27.82 ===============
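Added example, not part of the thread and not code from DDS, Malwarebytes or OTListIt: a small Python script that reads DDS-style "Pseudo HJT Report" lines like the ones above and flags the two things these logs show. First, a Winlogon Userinit value with an extra entry appended after the real userinit.exe, which Windows launches at every logon before the desktop appears. Second, the same executable registered at several autostart locations at once (Userinit, the HKCU Run key and the Policies\Explorer\Run key), which is why removing one entry leaves the program to reappear at the next logon. The sample lines are constructed from the report in the post; the expected Userinit value and the short allowlist of binaries that legitimately sit directly in C:\WINDOWS are assumptions for a stock 32-bit XP install on C:.

```python
"""Flag Winlogon Userinit hijacks and suspicious autorun entries in DDS-style report lines.

Added example: not from the forum post and not code from any tool named in it.
The sample lines are constructed to mirror the "Pseudo HJT Report" in the post.
"""
import re

# On a stock 32-bit XP install on C:\ this is the only Userinit entry
# (assumption; adjust for other system drives). Anything else launches at logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Minimal allowlist of binaries that legitimately sit directly in the Windows
# directory (assumption; extend to match your own baseline).
WINDIR_ALLOWED = {"explorer.exe", "notepad.exe", "regedit.exe"}

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*Userinit=(?P<value>.*)$", re.I)
AUTORUN_RE = re.compile(r"^(?P<loc>[um](?:Explorer)?Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.I)

# Constructed sample input modelled on the DDS report in the post.
SAMPLE_LINES = r"""
uSearch Bar = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\windows\server.exe",
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updates] c:\windows\server.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
uExplorerRun: [updates.w] c:\windows\server.exe
"""


def split_userinit(value):
    """Split a Userinit value on commas, dropping quotes and the empty trailing entry."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip().lower()
        if entry:
            entries.append(entry)
    return entries


def check_userinit(value):
    """Return (missing_expected, extras): the real userinit.exe must be present and alone."""
    entries = split_userinit(value)
    extras = [e for e in entries if e != EXPECTED_USERINIT]
    return EXPECTED_USERINIT not in entries, extras


def exe_path(cmd):
    """Pull the executable path out of a command line, quoted or not, ignoring arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").lower() if m else cmd.strip().lower()


def in_suspicious_dir(path):
    """True for an .exe sitting directly in the Windows directory that is not allowlisted."""
    directory, _, name = path.rpartition("\\")
    return directory == r"c:\windows" and name not in WINDIR_ALLOWED


def analyze_report(text):
    """Walk report lines; collect Userinit problems, odd autorun paths and
    executables launched from more than one autostart location."""
    findings = {"userinit_missing": False, "userinit_extras": [],
                "suspicious": [], "locations": {}}
    for line in text.splitlines():
        m = WINLOGON_RE.match(line)
        if m:
            missing, extras = check_userinit(m.group("value"))
            findings["userinit_missing"] = missing
            findings["userinit_extras"] = extras
            for extra in extras:
                findings["locations"].setdefault(extra, []).append("Winlogon\\Userinit")
            continue
        m = AUTORUN_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            findings["locations"].setdefault(path, []).append(m.group("loc"))
            if in_suspicious_dir(path):
                findings["suspicious"].append((m.group("loc"), m.group("name"), path))
    # A path registered at several autostart points survives a partial clean-up
    # and is relaunched at the next logon, the behaviour described in the post.
    findings["multi"] = {p: locs for p, locs in findings["locations"].items() if len(locs) > 1}
    return findings


if __name__ == "__main__":
    result = analyze_report(SAMPLE_LINES)
    print("Userinit extras:", result["userinit_extras"])
    for loc, name, path in result["suspicious"]:
        print(f"suspicious autorun {loc} [{name}] -> {path}")
    for path, locs in result["multi"].items():
        print(f"{path} is launched from {len(locs)} locations: {', '.join(locs)}")
```

Run against the sample, the script reports the Userinit extra `c:\windows\server.exe`, the two HKCU autorun entries pointing at it, and that the same file is registered in three places. The practical point for clean-up is that every one of those locations has to go in the same pass, with the Userinit value restored to exactly `C:\WINDOWS\system32\userinit.exe,` (the trailing comma is normal), before the next reboot.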


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:00 AM

Posted 10 April 2009 - 06:59 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 psychoguy2009
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 10 April 2009 - 09:37 PM

Hi Sam, thanks for your help!

I have a question: Should I leave the computer connected to the internet when not in use? I disconnected it after the original post as I was afraid that things may get worse if there was a connection. I have been checking my email for a reply on my laptop.

I ran the OTListIt2 and got two log files, one called Extras.txt and one called OTListIt.txt, so I will include both:



Here is OTListIt.txt:
OTListIt logfile created on: 4/10/2009 8:01:29 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.12.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.70 Gb Available Physical Memory | 85.04% Memory free
4.00 Gb Paging File | 3.89 Gb Available in Paging File | 97.27% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 6.33 Gb Free Space | 16.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WXP-F9WCB51
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/04/04 18:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2008/02/01 01:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2005/08/08 14:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe
PRC - [2008/04/04 19:01:20 | 02,234,296 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/04/04 18:55:38 | 01,660,288 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/02/01 01:25:38 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/03/16 22:54:52 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/04/04 21:21:26 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\iexplore.exe
PRC - [2008/12/19 00:25:25 | 00,634,024 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/04/10 20:00:36 | 00,500,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/02/01 01:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/02/01 01:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/16 22:54:48 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/08/11 20:05:27 | 03,093,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/08/08 14:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008/04/04 18:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService [Auto | Running])
SRV - [2008/04/04 02:45:18 | 00,288,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC [On_Demand | Stopped])
SRV - [2008/04/04 19:01:20 | 02,234,296 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2006/11/04 02:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/02/17 23:05:16 | 00,218,112 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\a320raid.sys -- (a320raid [Boot | Stopped])
DRV - [2004/04/07 17:14:30 | 00,048,140 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\aac.sys -- (aac [Boot | Stopped])
DRV - [2005/05/17 21:12:40 | 00,204,800 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\aarich.sys -- (aarich [Boot | Stopped])
DRV - [2004/02/17 15:38:30 | 00,132,608 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\adpu320.sys -- (adpu320 [Boot | Stopped])
DRV - [2002/04/01 10:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2004/12/13 17:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
DRV - [2008/07/30 17:42:12 | 00,023,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\COH_Mon.sys -- (COH_Mon [On_Demand | Stopped])
DRV - [2006/04/27 09:26:30 | 00,164,352 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e1000325.sys -- (E1000 [On_Demand | Running])
DRV - [2009/03/16 09:58:32 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/03/16 09:58:32 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2003/04/28 11:15:38 | 00,140,544 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k [Boot | Stopped])
DRV - [2008/07/26 15:26:56 | 00,023,832 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys -- (FilterService [On_Demand | Stopped])
DRV - [2003/11/17 13:59:20 | 00,212,224 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
DRV - [2003/11/17 13:56:26 | 01,042,432 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2005/09/20 09:00:54 | 01,302,332 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/04/26 09:23:52 | 00,250,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\iaStor.sys -- (iaStor [Boot | Stopped])
DRV - [2008/02/29 11:12:28 | 00,035,472 | ---- | M] (Logicool, Inc.) -- C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys -- (LHidFilt [On_Demand | Stopped])
DRV - [2008/02/29 11:12:34 | 00,037,008 | ---- | M] (Logicool, Inc.) -- C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys -- (LMouFilt [On_Demand | Stopped])
DRV - [2008/02/29 11:12:46 | 00,029,072 | ---- | M] (Logicool, Inc.) -- C:\WINDOWS\System32\Drivers\LUsbFilt.Sys -- (LUsbFilt [On_Demand | Stopped])
DRV - [2007/10/12 01:59:14 | 01,920,920 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvpopflt.sys -- (lvpopflt [On_Demand | Stopped])
DRV - [2008/07/26 15:25:48 | 00,627,864 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvrs.sys -- (LVRS [On_Demand | Running])
DRV - [2008/07/26 15:26:22 | 00,041,752 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Running])
DRV - [2008/07/26 15:26:44 | 04,658,584 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvuvc.sys -- (LVUVC [On_Demand | Running])
DRV - [2003/04/09 11:48:08 | 00,011,043 | R--- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2006/04/18 12:51:50 | 00,017,664 | ---- | M] (LSI Logic Corporation) -- C:\WINDOWS\system32\drivers\megasas.sys -- (megasas [Boot | Stopped])
DRV - [2001/08/17 15:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2009/03/16 09:58:32 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090409.004\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/03/16 09:58:32 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090409.004\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2008/06/19 16:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2004/08/12 08:26:42 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/12/27 09:47:30 | 00,009,006 | ---- | M] (ZD Soft) -- C:\WINDOWS\system32\DRIVERS\scrcap.sys -- (scrcap [On_Demand | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/12/28 11:57:00 | 00,045,184 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\intelsmb.sys -- (smbusp [On_Demand | Running])
DRV - [2003/02/28 06:17:18 | 00,545,024 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2008/01/17 18:24:44 | 00,420,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2008/03/21 19:14:24 | 00,279,088 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2008/03/21 19:14:24 | 00,317,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2008/03/21 19:14:24 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/04/04 15:59:35 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2006/05/11 15:55:34 | 00,093,568 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi [Boot | Stopped])
DRV - [2008/04/04 19:01:46 | 00,091,520 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant [Boot | Running])
DRV - [2008/03/12 15:19:50 | 00,049,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\DRIVERS\teefer2.sys -- (Teefer2 [On_Demand | Running])
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
DRV - [2003/02/24 13:02:58 | 00,011,029 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmscsi.sys -- (vmscsi [Disabled | Stopped])
DRV - [2003/11/17 13:58:02 | 00,680,704 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2008/04/04 18:59:46 | 00,040,832 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (WPS [System | Running])
DRV - [2009/03/13 18:01:14 | 00,149,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\WpsHelper.sys -- (WpsHelper [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\S-1-5-21-2453123996-834172676-3234573468-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/07/30 05:00:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2008/09/16 22:39:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2008/07/30 05:00:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/02/12 08:13:30 | 00,000,000 | ---D | M]

[2008/07/30 05:00:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\9zx58d9h.default\extensions
[2009/04/04 18:59:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/07/30 04:58:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/07/30 04:58:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/07/30 04:58:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\real-networks@partners.mozilla.com
[2008/07/30 04:58:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2006/10/11 03:04:58 | 00,061,036 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2006/10/11 03:04:59 | 00,048,742 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2006/10/11 03:05:03 | 00,029,313 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2006/10/11 03:05:03 | 00,041,082 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2006/10/11 03:04:58 | 00,166,510 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2006/10/11 03:05:04 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2006/10/11 03:05:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2006/10/11 03:05:04 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2006/10/11 03:05:04 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2006/10/11 03:05:04 | 00,002,320 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2006/10/11 03:05:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (305245 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 10581 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)
O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [updates] C:\WINDOWS\server.exe (Microsoft)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab (ASPRO Installer Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - ("C:\WINDOWS\server.exe") - C:\WINDOWS\server.exe (Microsoft)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/28 12:13:37 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{cad3d3f7-51a0-11dd-b74e-000f1f7ca056}\Shell - "" = AutoRun
O33 - MountPoints2\{cad3d3f7-51a0-11dd-b74e-000f1f7ca056}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/04/10 20:00:29 | 00,500,736 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/09 18:51:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\bleeping
[2009/04/09 18:30:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/04/09 15:19:19 | 24,138,75200 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/04 21:16:18 | 00,093,184 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\iexplore.exe
[2009/04/04 19:32:59 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/04 18:56:11 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/04/04 15:59:51 | 00,091,520 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SysPlant.sys
[2009/04/04 15:59:16 | 00,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/04/04 15:59:16 | 00,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/04/04 15:59:16 | 00,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/04/04 15:59:16 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/04/01 00:11:58 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/03/29 13:19:20 | 13,216,672 | RHS- | C] (Microsoft) -- C:\Documents and Settings\Administrator\Application Data\server.exe
[2009/03/27 22:43:35 | 00,013,970 | ---- | C] () -- C:\WINDOWS\dslgkndsg.torrent
[2009/03/27 19:37:08 | 00,121,964 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\www.pearsonhighered.com-educator-ExamCopyTransactionUS-1.tif
[2009/03/27 19:36:17 | 05,292,054 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\picture001.bmp
[2009/03/27 19:35:23 | 00,000,717 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HQScreen.lnk
[2009/03/27 08:15:28 | 00,032,490 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spanish 352 Spanish Composition.mht
[2009/03/27 04:37:35 | 01,651,143 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\libros de español.pdf
[2009/03/27 04:31:30 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Oral_Exam1[1] La Shonta.doc
[2009/03/24 23:46:55 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Areas of Expertise.doc
[2009/03/24 18:38:32 | 01,052,160 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\French_webpage_for_DU_website[1].doc
[2009/03/24 18:36:23 | 01,117,696 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Patino2[1][1].doc
[2009/03/24 18:30:24 | 01,061,888 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\French_Webpage_Peters_blurb[1]09.doc
[2009/03/24 18:26:16 | 01,353,216 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Lozano.doc
[2009/03/24 18:24:22 | 02,030,080 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Spanish at Dillard University.doc
[2009/03/24 08:27:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Delgado
[2009/03/24 08:27:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Proyectos 102-202
[2009/03/24 08:26:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Quiz Ch. 6
[2009/03/24 08:26:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Aurea y Joanne Roundtable
[2009/03/23 18:33:46 | 01,268,736 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\pics of flags.doc
[2009/03/23 16:49:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Lab training
[2009/03/23 16:31:07 | 00,034,816 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\6march09_lyceum_guidelines_sp09.doc
[2009/03/23 16:12:59 | 00,039,424 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\FERPA_Release_Form[1].doc
[2009/03/23 07:17:58 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_1(1).xls
[2009/03/23 07:17:38 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_2(1).xls
[2009/03/22 12:01:50 | 00,211,696 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA Arts Collective.mht
[2009/03/22 12:00:19 | 00,233,076 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Afro-Cuban Jazz in New Orleans.mht
[2009/03/22 11:48:08 | 00,447,242 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA'S Projects.mht
[2009/03/21 18:06:49 | 00,075,264 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Course Proposal Form 3 10 09 709PM.doc
[2009/03/19 21:42:14 | 00,004,507 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/03/19 21:19:23 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/03/19 21:10:28 | 00,680,844 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Presentation1.pptx
[2009/03/19 18:20:56 | 00,016,896 | -HS- | C] () -- C:\Documents and Settings\Administrator\My Documents\Thumbs.db
[2009/03/19 17:45:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Web-Page official
[2009/03/19 11:18:08 | 01,724,416 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 10.doc
[2009/03/19 10:13:56 | 01,728,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 1.doc
[2009/03/19 09:44:53 | 00,767,201 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\foto globo 1.JPG
[2009/03/16 22:54:12 | 00,248,841 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Mediterranean diet plan.mht
[2009/03/16 11:43:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\French TA
[2009/03/16 11:04:53 | 03,393,536 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Block(1) game.xls
[2009/03/14 16:07:34 | 00,564,090 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\banderas de latinoamerica 1.JPG
[2009/03/14 16:00:55 | 00,728,544 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Miscelaneas venezuela.JPG
[2009/03/14 15:42:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\march 2009 pics
[2009/03/14 15:42:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Training
[2009/03/14 13:33:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Summer 09
[2009/03/14 13:27:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Fall 09
[2008/11/18 00:43:07 | 03,086,336 | ---- | C] () -- C:\WINDOWS\System32\NCMedia.dll
[2008/11/18 00:43:07 | 03,086,336 | ---- | C] () -- C:\WINDOWS\System32\flvvideo.dll
[2008/10/19 14:20:33 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2008/03/30 23:10:19 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/31 00:01:58 | 00,000,033 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
[2008/01/12 17:14:16 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2008/01/10 16:06:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/12/06 22:33:26 | 00,000,172 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/10/30 05:43:05 | 00,066,482 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/10/30 02:13:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/30 01:59:19 | 00,000,227 | ---- | C] () -- C:\WINDOWS\QScreenCapt.ini
[2007/10/27 22:08:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/10/27 16:32:12 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/03/05 20:34:28 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/01 01:54:30 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/11/01 01:52:38 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/09/24 17:47:34 | 00,000,798 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/12 08:33:16 | 00,000,642 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/12 08:30:36 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/04/10 20:00:36 | 00,500,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/09 23:14:32 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/09 23:14:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/09 23:13:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/09 23:13:41 | 24,138,75200 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/09 23:13:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/04/09 23:13:22 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2009/04/09 23:12:34 | 06,444,296 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/04 22:56:44 | 00,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[2009/04/04 21:21:26 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\iexplore.exe
[2009/04/04 20:51:16 | 00,004,507 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/04 20:51:14 | 00,524,736 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/04 20:51:14 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/04 20:51:14 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/04 15:59:35 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/04/04 15:59:35 | 00,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/04/04 15:59:35 | 00,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/04/04 15:59:35 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/03/29 15:04:48 | 00,305,245 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/29 14:00:22 | 00,302,134 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090329-150448.backup
[2009/03/27 22:43:35 | 00,013,970 | ---- | M] () -- C:\WINDOWS\dslgkndsg.torrent
[2009/03/27 19:37:43 | 00,000,227 | ---- | M] () -- C:\WINDOWS\QScreenCapt.ini
[2009/03/27 19:37:09 | 00,121,964 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\www.pearsonhighered.com-educator-ExamCopyTransactionUS-1.tif
[2009/03/27 19:36:18 | 05,292,054 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\picture001.bmp
[2009/03/27 19:35:23 | 00,000,717 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HQScreen.lnk
[2009/03/27 08:15:28 | 00,032,490 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spanish 352 Spanish Composition.mht
[2009/03/27 04:37:35 | 01,651,143 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\libros de español.pdf
[2009/03/27 04:31:31 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Oral_Exam1[1] La Shonta.doc
[2009/03/25 07:14:16 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\email distro list.doc
[2009/03/24 23:47:00 | 01,353,216 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Lozano.doc
[2009/03/24 23:46:55 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Areas of Expertise.doc
[2009/03/24 23:46:39 | 01,052,160 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\French_webpage_for_DU_website[1].doc
[2009/03/24 18:38:02 | 01,061,888 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\French_Webpage_Peters_blurb[1]09.doc
[2009/03/24 18:37:50 | 02,030,080 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Spanish at Dillard University.doc
[2009/03/24 18:36:24 | 01,117,696 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Patino2[1][1].doc
[2009/03/23 18:33:47 | 01,268,736 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\pics of flags.doc
[2009/03/23 16:31:07 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\6march09_lyceum_guidelines_sp09.doc
[2009/03/23 16:13:00 | 00,039,424 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\FERPA_Release_Form[1].doc
[2009/03/23 07:17:58 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_1(1).xls
[2009/03/23 07:17:38 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_2(1).xls
[2009/03/22 12:01:51 | 00,211,696 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA Arts Collective.mht
[2009/03/22 12:00:19 | 00,233,076 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Afro-Cuban Jazz in New Orleans.mht
[2009/03/22 11:48:08 | 00,447,242 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA'S Projects.mht
[2009/03/21 18:06:49 | 00,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Course Proposal Form 3 10 09 709PM.doc
[2009/03/19 22:49:44 | 00,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/19 21:10:30 | 00,680,844 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Presentation1.pptx
[2009/03/19 18:21:04 | 00,016,896 | -HS- | M] () -- C:\Documents and Settings\Administrator\My Documents\Thumbs.db
[2009/03/19 18:10:06 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office PowerPoint 2007.lnk
[2009/03/19 11:18:09 | 01,724,416 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 10.doc
[2009/03/19 10:13:57 | 01,728,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 1.doc
[2009/03/19 09:44:54 | 00,767,201 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\foto globo 1.JPG
[2009/03/18 22:03:06 | 00,048,640 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/16 22:54:13 | 00,248,841 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Mediterranean diet plan.mht
[2009/03/16 11:18:54 | 00,564,090 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\banderas de latinoamerica 1.JPG
[2009/03/16 11:04:55 | 03,393,536 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Block(1) game.xls
[2009/03/14 16:00:55 | 00,728,544 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Miscelaneas venezuela.JPG
[2009/03/13 18:01:14 | 00,149,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WpsHelper.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\Administrator\Desktop\http--www.nola.com-katrina-graphics-credits.swf.url:favicon
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\Desktop\iexplore.exe:SummaryInformation
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EEFF768F
< End of report >
And here is Extras.txt:
OTListIt Extras logfile created on: 4/10/2009 8:01:29 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.12.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.70 Gb Available Physical Memory | 85.04% Memory free
4.00 Gb Paging File | 3.89 Gb Available in Paging File | 97.27% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 6.33 Gb Free Space | 16.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WXP-F9WCB51
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/05/21 04:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[2008/02/01 17:22:12 | 21,898,024 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath
File not found -- C:\WINDOWS\system32\xblgen.exe:*:Enabled:xblgen
[2008/04/04 18:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service
[2008/04/04 02:45:18 | 00,288,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service
[2008/02/01 01:25:38 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23C3F5C0-566B-478B-AAB6-197ADAD0C945}" = Uniblue SpeedUpMyPC 2009
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76B2BC31-2D96-4170-9C44-09E13B5555F3}" = Symantec Endpoint Protection
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUSR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUSR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUSR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUSR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}" = Uniblue DriverScanner 2009
"{C7793EE8-F666-4E6B-9827-76468679480E}" = Tweakui Powertoy for Windows XP
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}" = Dragon NaturallySpeaking 9
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}" = Uniblue RegistryBooster 2009
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"CCleaner" = CCleaner (remove only)
"Clean Disk Security" = Clean Disk Security 7.65
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"DVD Shrink_is1" = DVD Shrink 3.2
"Free FLV to AVI Converter_is1" = Free FLV to AVI Converter V1.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (2.0)" = Mozilla Firefox (2.0)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MS-MPEG4" = Microsoft MPEG-4 VKI Video Codec V1/V2/V3
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Panda ActiveScan Pro" = Panda ActiveScan Pro
"PROPLUSR" = Microsoft Office Professional Plus 2007
"PROSet" = Intel® PRO Network Connections Drivers
"QcDrv" = Logitech® Camera Driver
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"Smart Defrag_is1" = Smart Defrag 1.02
"SpeedUpMyPC_is1" = Uniblue SpeedUpMyPC 3
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"SpyEraser_is1" = Uniblue SpyEraser
"System Tweaker_is1" = Uniblue System Tweaker
"SYSTEMCARE_025B3ECB-F8A1-45ff-BABC-140E08C7D8C5_is1" = Uniblue PowerSuite
"Uniblue DriverScanner 2009" = Uniblue DriverScanner 2009
"Uniblue RegistryBooster 2009" = Uniblue RegistryBooster 2009
"Uniblue SpeedUpMyPC 2009" = Uniblue SpeedUpMyPC 2009
"VHL_Facetas" = Facetas (remove only)
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinFF_is1" = WinFF 0.45
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"xvid" = XviD MPEG-4 Video Codec
"ZD Soft Screen Recorder" = ZD Soft Screen Recorder
"ZDSV" = ZD Soft Screen Video Decoder

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/8/2009 2:59:57 AM | Computer Name = WXP-F9WCB51 | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 4/9/2009 3:43:51 AM | Computer Name = WXP-F9WCB51 | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 4/9/2009 2:02:43 PM | Computer Name = WXP-F9WCB51 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Error - 4/9/2009 2:03:14 PM | Computer Name = WXP-F9WCB51 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 4/9/2009 3:06:35 PM | Computer Name = WXP-F9WCB51 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Error - 4/9/2009 3:16:37 PM | Computer Name = WXP-F9WCB51 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x71ab6a55.

Error - 4/9/2009 11:24:51 PM | Computer Name = WXP-F9WCB51 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\SmcGui.exe Event Info: Terminate Process Action Taken: Logged
Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 588) Time: Thursday, April 09, 2009
10:24:50 PM

Error - 4/9/2009 11:25:13 PM | Computer Name = WXP-F9WCB51 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\SmcGui.exe Event Info: Terminate Process Action Taken: Logged
Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 588) Time: Thursday, April 09, 2009
10:25:13 PM

Error - 4/9/2009 11:25:33 PM | Computer Name = WXP-F9WCB51 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\SmcGui.exe Event Info: Terminate Process Action Taken: Logged
Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 588) Time: Thursday, April 09, 2009
10:25:33 PM

Error - 4/10/2009 2:17:30 AM | Computer Name = WXP-F9WCB51 | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

[ OSession Events ]
Error - 8/23/2008 10:54:01 PM | Computer Name = WXP-F9WCB51 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 7424 seconds with 1440 seconds of active time. This session ended with a
crash.

Error - 8/23/2008 11:45:48 PM | Computer Name = WXP-F9WCB51 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 3093 seconds with 2100 seconds of active time. This session ended with a
crash.

Error - 10/19/2008 11:48:01 AM | Computer Name = WXP-F9WCB51 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 2650 seconds with 1920 seconds of active time. This session ended with a
crash.

[ System Events ]
Error - 4/9/2009 4:25:20 PM | Computer Name = WXP-F9WCB51 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped
monitoring the volume.

Error - 4/9/2009 4:25:20 PM | Computer Name = WXP-F9WCB51 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/9/2009 4:25:20 PM | Computer Name = WXP-F9WCB51 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/9/2009 4:25:20 PM | Computer Name = WXP-F9WCB51 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/9/2009 7:27:13 PM | Computer Name = WXP-F9WCB51 | Source = Service Control Manager | ID = 7034
Description = The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/10/2009 12:14:09 AM | Computer Name = WXP-F9WCB51 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
a320raid aac aarich adpu160m adpu320 aic78u2 aic78xx cercsr6 fasttx2k iaStor IntelIde megasas
Symmpi

Error - 4/10/2009 12:14:11 AM | Computer Name = WXP-F9WCB51 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/10/2009 12:14:11 AM | Computer Name = WXP-F9WCB51 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/10/2009 12:14:11 AM | Computer Name = WXP-F9WCB51 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/10/2009 12:14:11 AM | Computer Name = WXP-F9WCB51 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.


< End of report >

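The GMER output posted below lists SSDT entries and inline hooks, some attributed to Symantec modules (wpsdrvnt.sys, SysPlant.sys, SYSFER.DLL) and some shown only as bare kernel addresses, plus a "? hadowfmn.sys The system cannot find the file specified. !" line. The first thing a responder does with such a log is separate hooks that belong to a known product from the ones GMER could not attribute to any loaded module. The following Python is an added triage script, not part of the original thread and not a GMER component: it parses lines in GMER's format and buckets them into trusted-vendor hooks, other-vendor hooks, unattributed hooks, byte patches, and missing-file references. The sample text is constructed from abbreviated excerpts of the posted log, and the set of trusted vendors is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the shape GMER 1.0.15 prints, abbreviated from the
# kind of output posted in this thread (raw string so NT paths keep their
# backslashes).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 8A6215E0 ZwAlertResumeThread
SSDT 89CD5BE0 ZwCreateMutant
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xAAA102F0]
SSDT SysPlant.sys (Symantec CMC Firewall SysPlant/Symantec Corporation) ZwQueryDefaultLocale [0xBAE44830]
SSDT 89CC1D70 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + B61 804DE7D5 5 Bytes JMP BAE45C30 SysPlant.sys (Symantec CMC Firewall SysPlant/Symantec Corporation)
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26D8 2 Bytes [E0, 15] {LOOPNZ 0x17}
? hadowfmn.sys The system cannot find the file specified. !
.text ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
"""

HEX = r"[0-9A-Fa-f]+"
# "SSDT <address> <ZwFunction>": GMER could not map the hook to a module.
SSDT_BARE = re.compile(rf"^SSDT\s+({HEX})\s+(\w+)\s*$")
# "SSDT <module> (<description>/<vendor>) <ZwFunction> [0x<address>]"
SSDT_MOD = re.compile(rf"^SSDT\s+(.+?)\s+\(([^/]+)/([^)]+)\)\s+(\w+)(?:\s+\[0x({HEX})\])?")
# ".text <target> + <offset> <address> <n> Bytes <rest>" (kernel or user section)
INLINE = re.compile(rf"^\.text\s+(.+?)\s+\+\s+{HEX}\s+({HEX})\s+(\d+)\s+Bytes\s+(.*)$")
JMP_MOD = re.compile(rf"^JMP\s+({HEX})\s+(.+?)\s+\(([^/]+)/([^)]+)\)")
JMP_BARE = re.compile(rf"^JMP\s+({HEX})\s*$")
# "? <driver> The system cannot find the file specified. !"
MISSING = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified\.\s*!$")


@dataclass
class Finding:
    kind: str                 # "ssdt", "inline", "patch" or "missing_file"
    target: str               # hooked function/symbol, or the missing file name
    address: Optional[str]    # hook destination, when GMER printed one
    module: Optional[str]     # module GMER attributed the hook to, if any
    vendor: Optional[str]     # vendor string from the parenthesised description


def parse_gmer(text: str) -> List[Finding]:
    """Parse GMER SSDT, code-section and missing-file lines; skip headers."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_BARE.match(line):
            findings.append(Finding("ssdt", m.group(2), m.group(1), None, None))
        elif m := SSDT_MOD.match(line):
            findings.append(Finding("ssdt", m.group(4), m.group(5), m.group(1), m.group(3).strip()))
        elif m := MISSING.match(line):
            findings.append(Finding("missing_file", m.group(1), None, None, None))
        elif m := INLINE.match(line):
            target, patched_at, rest = m.group(1), m.group(2), m.group(4)
            if j := JMP_MOD.match(rest):
                findings.append(Finding("inline", target, j.group(1), j.group(2), j.group(4).strip()))
            elif j := JMP_BARE.match(rest):
                findings.append(Finding("inline", target, j.group(1), None, None))
            else:
                # Bytes were changed but there is no JMP to follow: a raw patch.
                findings.append(Finding("patch", target, patched_at, None, None))
    return findings


def triage(findings: List[Finding], trusted_vendors: Set[str]) -> Dict[str, List[Finding]]:
    """Bucket findings; everything outside 'trusted' deserves a manual look."""
    buckets: Dict[str, List[Finding]] = {
        "trusted": [], "other_vendor": [], "unattributed": [], "patch": [], "missing_file": []}
    for f in findings:
        if f.kind in ("patch", "missing_file"):
            buckets[f.kind].append(f)
        elif f.vendor is None:
            buckets["unattributed"].append(f)   # hook into memory GMER could not name
        elif f.vendor in trusted_vendors:
            buckets["trusted"].append(f)
        else:
            buckets["other_vendor"].append(f)
    return buckets


def summarize(buckets: Dict[str, List[Finding]]) -> Dict[str, int]:
    return {name: len(items) for name, items in buckets.items()}


if __name__ == "__main__":
    # Assumption: Symantec Endpoint Protection is the installed, expected product.
    result = triage(parse_gmer(SAMPLE_GMER), {"Symantec Corporation"})
    for name, items in result.items():
        for f in items:
            print(f"{name:13} {f.kind:12} {f.target}  module={f.module}  addr={f.address}")
```

Bare SSDT addresses such as 8A6215E0 are not evidence of malware by themselves (host-intrusion-prevention products also hook this way), but they are exactly the entries to cross-check against the loaded driver list, together with any driver whose file GMER reports as missing.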
#4 psychoguy2009

Posted 10 April 2009 - 09:41 PM

Here is Part 1 of the GMER scan results (sorry, but it would not fit into the same reply):
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-10 21:24:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8A6215E0 ZwAlertResumeThread
SSDT 8A62EDE0 ZwAlertThread
SSDT 8A72C800 ZwAllocateVirtualMemory
SSDT 89CD5BE0 ZwCreateMutant
SSDT 8A60FC28 ZwCreateThread
SSDT 8A621298 ZwFreeVirtualMemory
SSDT 8A6120E8 ZwImpersonateAnonymousToken
SSDT 8A6140E8 ZwImpersonateThread
SSDT 89CB9910 ZwMapViewOfSection
SSDT 8A657928 ZwOpenEvent
SSDT 89CC2808 ZwOpenProcessToken
SSDT 89CBAE60 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xAAA102F0]
SSDT SysPlant.sys (Symantec CMC Firewall SysPlant/Symantec Corporation) ZwQueryDefaultLocale [0xBAE44830]
SSDT 89CED2C8 ZwResumeThread
SSDT 89CBF490 ZwSetContextThread
SSDT 89CDCDA8 ZwSetInformationProcess
SSDT 89CC2DF8 ZwSetInformationThread
SSDT 8A740950 ZwSuspendProcess
SSDT 89CD7828 ZwSuspendThread
SSDT 89CC1D70 ZwTerminateProcess
SSDT 89CE2828 ZwTerminateThread
SSDT 89CE2490 ZwUnmapViewOfSection
SSDT 8A6EC658 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + B61 804DE7D5 5 Bytes JMP BAE45C30 SysPlant.sys (Symantec CMC Firewall SysPlant/Symantec Corporation)
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26D8 2 Bytes [E0, 15] {LOOPNZ 0x17}
.text ntoskrnl.exe!_abnormal_termination + 7F 804E26DB 5 Bytes [8A, E0, ED, 62, 8A]
.text ntoskrnl.exe!_abnormal_termination + 1B0 804E280C 4 Bytes CALL 10D88931
.text ntoskrnl.exe!_abnormal_termination + 1B8 804E2814 4 Bytes CALL F4D88959
? hadowfmn.sys The system cannot find the file specified. !
.text ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0
.text ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A
.text ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164
.text ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E
.text ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8
.text ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212
.text ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C
.text ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286
.text ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0
.text ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA
.text ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334
.text ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[212] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\System32\svchost.exe[1372] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[1488] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1520] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)


Here is Part 2 of the GMER scan:
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1608] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1620] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1660] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[1928] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1960] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2060] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe[2076] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2112] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3240] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtCreateFile + 5 7C90D095 5 Bytes JMP 6176A0F0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtCreateKey + 5 7C90D0D5 5 Bytes JMP 6176A12A C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtCreateThread + 5 7C90D195 5 Bytes JMP 6176A164 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtDeleteFile + 5 7C90D225 5 Bytes JMP 6176A19E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtDeleteValueKey + 5 7C90D255 5 Bytes JMP 6176A1D8 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtMapViewOfSection + 5 7C90D505 5 Bytes JMP 6176A212 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtOpenFile + 5 7C90D585 5 Bytes JMP 6176A24C C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtOpenKey + 5 7C90D5B5 5 Bytes JMP 6176A286 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtRenameKey + 5 7C90DA45 5 Bytes JMP 6176A2C0 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtSetInformationFile + 5 7C90DC45 5 Bytes JMP 6176A2FA C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtSetValueKey + 5 7C90DDB5 5 Bytes JMP 6176A334 C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)
.text C:\Documents and Settings\Administrator\Desktop\iexplore.exe[3604] ntdll.dll!NtTerminateProcess + 5 7C90DE55 5 Bytes JMP 6176A36E C:\WINDOWS\SYSTEM32\SYSFER.DLL (Symantec CMC Firewall sysfer/Symantec Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion@S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1S\1 1

---- EOF - GMER 1.0.15 ----

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:00 AM

Posted 11 April 2009 - 09:09 AM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [updates] C:\WINDOWS\server.exe (Microsoft)
    O20 - HKLM Winlogon: UserInit - ("C:\WINDOWS\server.exe") - C:\WINDOWS\server.exe (Microsoft)
    
    :Files
    c:\windows\skasglnbgds.exe
    c:\docume~1\admini~1\applic~1\server.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

===================


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
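The O4 Run value and the O20 Winlogon UserInit entry in the fix above are the two logon autostart points through which server.exe is launched. As an added example (not from this thread, and not part of OTListIt), the Python below parses OTL-format O4/O20 lines and flags a UserInit value that is anything other than the default userinit.exe, plus Run entries whose executable sits directly in %SystemRoot% or under Application Data; the default UserInit path and that location heuristic are assumptions, and the two clean log lines are constructed.

```python
"""Flag Winlogon UserInit hijacks and oddly placed Run entries in OTListIt (OTL) log lines.

Added example for the thread above; not code from BleepingComputer or from OTListIt.
"""
import re
from dataclasses import dataclass

# Assumed default UserInit value on Windows XP. OTL reports the raw registry value,
# so a trailing comma (as Windows itself writes it) is normal and tolerated below.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Triage heuristic (assumption): legitimate software rarely autostarts an .exe that
# lives directly in %SystemRoot% (not a subfolder) or under a user's Application Data.
# Both malicious paths in the thread's fix script fall in these places. Hits still
# need a human to confirm them before anything is removed.
SUSPECT_PATH_RE = re.compile(
    r"^c:\\windows\\[^\\]+\.exe$"          # dropped straight into C:\WINDOWS
    r"|\\(application data|applic~1)\\",   # per-user Application Data (long or 8.3 name)
    re.IGNORECASE,
)

# O20 - HKLM Winlogon: UserInit - (<registry value>) - <resolved path> (<company>)
O20_RE = re.compile(
    r"^O20 - HKLM Winlogon: UserInit - \((?P<value>.*?)\) - (?P<path>.+?)(?: \((?P<company>[^()]*)\))?$"
)
# O4 - <hive>\Run: [<value name>] <path> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \((?P<company>[^()]*)\))?$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "userinit_hijack" or "suspect_run_location"
    path: str
    detail: str


def userinit_is_default(value: str) -> bool:
    """True only if every comma-separated entry in the UserInit value is the default binary."""
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    entries = [e for e in entries if e]          # drop the empty piece left by a trailing comma
    return bool(entries) and all(e == EXPECTED_USERINIT for e in entries)


def scan_otl_lines(lines):
    """Return Findings for UserInit hijacks and Run entries in unusual locations."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            if not userinit_is_default(m["value"]):
                findings.append(Finding(n, "userinit_hijack", m["path"],
                    f"UserInit is {m['value']!r}, expected {EXPECTED_USERINIT}"))
            continue
        m = O4_RE.match(line)
        if m and SUSPECT_PATH_RE.search(m["path"]):
            findings.append(Finding(n, "suspect_run_location", m["path"],
                f"Run value [{m['name']}] under {m['hive']} starts an executable from an unusual location"))
    return findings


# Lines 1 and 3 are quoted from the OTL fix in the thread; lines 2 and 4 are constructed clean entries.
SAMPLE_LOG = [
    r"O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [updates] C:\WINDOWS\server.exe (Microsoft)",
    r"O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)",
    r'O20 - HKLM Winlogon: UserInit - ("C:\WINDOWS\server.exe") - C:\WINDOWS\server.exe (Microsoft)',
    r"O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)",
]

if __name__ == "__main__":
    for f in scan_otl_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.path} -- {f.detail}")
```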


========================================================

#6 psychoguy2009

psychoguy2009
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 11 April 2009 - 02:18 PM

Things are getting worse. I have inserted the new OTListIt log below. But when I reboot the machine, I now get 2 error messages -- I have attached a Word doc with the images.
I also ran the Malwarebytes scan again and it now shows 13 infected files (was 5 before), and my Symantec has identified threats that I also attached as a Word doc.

And here is the log file from OTListIt:
OTListIt logfile created on: 4/11/2009 1:56:24 PM - Run 3
OTListIt2 by OldTimer - Version 2.0.12.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.65 Gb Available Physical Memory | 82.56% Memory free
4.00 Gb Paging File | 3.90 Gb Available in Paging File | 97.47% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 6.56 Gb Free Space | 17.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WXP-F9WCB51
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/04/04 18:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2008/02/01 01:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2009/04/11 11:02:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2005/08/08 14:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe
PRC - [2008/04/04 19:01:20 | 02,234,296 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/02/01 01:25:38 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/04/11 11:02:58 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/16 22:54:52 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/04 18:55:38 | 01,660,288 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/12/19 00:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2004/08/12 08:18:53 | 00,045,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drwtsn32.exe
PRC - [2004/08/12 08:18:53 | 00,045,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drwtsn32.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/04 19:01:26 | 00,181,688 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
PRC - [2008/12/19 00:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/04/10 20:00:36 | 00,500,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/02/01 01:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/02/01 01:25:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/16 22:54:48 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/11 11:02:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/08/11 20:05:27 | 03,093,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/08/08 14:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008/04/04 18:55:36 | 02,475,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService [Auto | Running])
SRV - [2008/04/04 02:45:18 | 00,288,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC [On_Demand | Stopped])
SRV - [2008/04/04 19:01:20 | 02,234,296 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2006/11/04 02:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/02/17 23:05:16 | 00,218,112 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\a320raid.sys -- (a320raid [Boot | Running])
DRV - [2004/04/07 17:14:30 | 00,048,140 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\aac.sys -- (aac [Boot | Running])
DRV - [2005/05/17 21:12:40 | 00,204,800 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\aarich.sys -- (aarich [Boot | Running])
DRV - [2004/02/17 15:38:30 | 00,132,608 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\adpu320.sys -- (adpu320 [Boot | Running])
DRV - [2002/04/01 10:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2004/12/13 17:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6 [Boot | Running])
DRV - [2008/07/30 17:42:12 | 00,023,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\COH_Mon.sys -- (COH_Mon [On_Demand | Stopped])
DRV - [2006/04/27 09:26:30 | 00,164,352 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e1000325.sys -- (E1000 [On_Demand | Running])
DRV - [2009/03/16 09:58:32 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/03/16 09:58:32 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2003/04/28 11:15:38 | 00,140,544 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k [Boot | Running])
DRV - [2008/07/26 15:26:56 | 00,023,832 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys -- (FilterService [On_Demand | Stopped])
DRV - [2003/11/17 13:59:20 | 00,212,224 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
DRV - [2003/11/17 13:56:26 | 01,042,432 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2005/09/20 09:00:54 | 01,302,332 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/04/26 09:23:52 | 00,250,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2008/02/29 11:12:28 | 00,035,472 | ---- | M] (Logicool, Inc.) -- C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys -- (LHidFilt [On_Demand | Stopped])
DRV - [2008/02/29 11:12:34 | 00,037,008 | ---- | M] (Logicool, Inc.) -- C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys -- (LMouFilt [On_Demand | Stopped])
DRV - [2008/02/29 11:12:46 | 00,029,072 | ---- | M] (Logicool, Inc.) -- C:\WINDOWS\System32\Drivers\LUsbFilt.Sys -- (LUsbFilt [On_Demand | Stopped])
DRV - [2007/10/12 01:59:14 | 01,920,920 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvpopflt.sys -- (lvpopflt [On_Demand | Stopped])
DRV - [2008/07/26 15:25:48 | 00,627,864 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvrs.sys -- (LVRS [On_Demand | Running])
DRV - [2008/07/26 15:26:22 | 00,041,752 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Running])
DRV - [2008/07/26 15:26:44 | 04,658,584 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lvuvc.sys -- (LVUVC [On_Demand | Running])
DRV - [2003/04/09 11:48:08 | 00,011,043 | R--- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2006/04/18 12:51:50 | 00,017,664 | ---- | M] (LSI Logic Corporation) -- C:\WINDOWS\system32\drivers\megasas.sys -- (megasas [Boot | Running])
DRV - [2001/08/17 15:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2009/03/16 09:58:32 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090409.004\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/03/16 09:58:32 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090409.004\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2008/06/19 16:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2004/08/12 08:26:42 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/12/27 09:47:30 | 00,009,006 | ---- | M] (ZD Soft) -- C:\WINDOWS\system32\DRIVERS\scrcap.sys -- (scrcap [On_Demand | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/12/28 11:57:00 | 00,045,184 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\intelsmb.sys -- (smbusp [On_Demand | Running])
DRV - [2003/02/28 06:17:18 | 00,545,024 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2008/01/17 18:24:44 | 00,420,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2008/03/21 19:14:24 | 00,279,088 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2008/03/21 19:14:24 | 00,317,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2008/03/21 19:14:24 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/04/04 15:59:35 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2006/05/11 15:55:34 | 00,093,568 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi [Boot | Running])
DRV - [2008/04/04 19:01:46 | 00,091,520 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant [Boot | Running])
DRV - [2008/03/12 15:19:50 | 00,049,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\DRIVERS\teefer2.sys -- (Teefer2 [On_Demand | Running])
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
DRV - [2003/02/24 13:02:58 | 00,011,029 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmscsi.sys -- (vmscsi [Disabled | Stopped])
DRV - [2003/11/17 13:58:02 | 00,680,704 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2008/04/04 18:59:46 | 00,040,832 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (WPS [System | Running])
DRV - [2009/03/13 18:01:14 | 00,149,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\WpsHelper.sys -- (WpsHelper [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-2453123996-834172676-3234573468-500\S-1-5-21-2453123996-834172676-3234573468-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/07/30 05:00:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2008/09/16 22:39:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/11 11:02:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2008/07/30 05:00:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/11 11:03:18 | 00,000,000 | ---D | M]

[2008/07/30 05:00:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\9zx58d9h.default\extensions
[2009/04/11 11:03:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/07/30 04:58:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/07/30 04:58:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/11 11:03:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2008/07/30 04:58:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\real-networks@partners.mozilla.com
[2008/07/30 04:58:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2006/10/11 03:04:58 | 00,061,036 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2006/10/11 03:04:59 | 00,048,742 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2006/10/11 03:05:03 | 00,029,313 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2006/10/11 03:05:03 | 00,041,082 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2006/10/11 03:04:58 | 00,166,510 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2006/10/11 03:05:04 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2006/10/11 03:05:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2006/10/11 03:05:04 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2006/10/11 03:05:04 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2006/10/11 03:05:04 | 00,002,320 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2006/10/11 03:05:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (303080 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 10581 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Updatess] xblgen.exe File not found
O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [updates] C:\WINDOWS\server.exe (Microsoft)
O4 - HKLM..\RunServices: [Windows Updatess] xblgen.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-2453123996-834172676-3234573468-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab (ASPRO Installer Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - ("C:\WINDOWS\server.exe") - C:\WINDOWS\server.exe (Microsoft)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/28 12:13:37 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{cad3d3f7-51a0-11dd-b74e-000f1f7ca056}\Shell - "" = AutoRun
O33 - MountPoints2\{cad3d3f7-51a0-11dd-b74e-000f1f7ca056}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/04/11 13:48:45 | 00,274,432 | ---- | C] () -- C:\asfffbfsaf.exe
[2009/04/11 13:48:18 | 00,274,432 | ---- | C] () -- C:\asfffbsaf.exe
[2009/04/11 13:23:40 | 00,077,824 | ---- | C] () -- C:\asfj]fkjbsmfadf.exe
[2009/04/11 12:48:37 | 00,274,432 | ---- | C] () -- C:\asffbsaf.exe
[2009/04/11 12:48:28 | 00,274,432 | ---- | C] () -- C:\asfffkfjsfkfbsaf.exe
[2009/04/11 12:46:10 | 00,274,432 | ---- | C] () -- C:\asfffkjsfkfbsaf.exe
[2009/04/11 12:42:32 | 00,274,432 | ---- | C] () -- C:\asffkjsfbsaf.exe
[2009/04/11 12:42:13 | 00,077,824 | ---- | C] () -- C:\asfj]fkjbsmfafdf.exe
[2009/04/11 12:21:37 | 00,250,794 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\picture003.bmp
[2009/04/11 12:18:26 | 00,043,008 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\error doc.doc
[2009/04/11 12:17:53 | 00,012,800 | -HS- | C] () -- C:\Documents and Settings\Administrator\Desktop\Thumbs.db
[2009/04/11 12:13:41 | 00,250,794 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\picture002.bmp
[2009/04/11 12:11:59 | 24,138,75200 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/11 11:28:27 | 00,077,824 | ---- | C] () -- C:\asffkjbsmfadf.exe
[2009/04/11 10:48:50 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/04/10 20:09:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2009/04/10 20:00:29 | 00,500,736 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/09 18:51:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\bleeping
[2009/04/09 18:30:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/04/04 21:16:18 | 00,093,184 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\iexplore.exe
[2009/04/04 19:32:59 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/04 18:56:11 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/04/04 15:59:51 | 00,091,520 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SysPlant.sys
[2009/04/04 15:59:16 | 00,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/04/04 15:59:16 | 00,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/04/04 15:59:16 | 00,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/04/04 15:59:16 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/04/01 00:11:58 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/03/27 22:43:35 | 00,013,970 | ---- | C] () -- C:\WINDOWS\dslgkndsg.torrent
[2009/03/27 19:37:08 | 00,121,964 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\www.pearsonhighered.com-educator-ExamCopyTransactionUS-1.tif
[2009/03/27 19:36:17 | 05,292,054 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\picture001.bmp
[2009/03/27 19:35:23 | 00,000,717 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HQScreen.lnk
[2009/03/27 08:15:28 | 00,032,490 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spanish 352 Spanish Composition.mht
[2009/03/27 04:37:35 | 01,651,143 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\libros de español.pdf
[2009/03/27 04:31:30 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Oral_Exam1[1] La Shonta.doc
[2009/03/24 23:46:55 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Areas of Expertise.doc
[2009/03/24 18:38:32 | 01,052,160 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\French_webpage_for_DU_website[1].doc
[2009/03/24 18:36:23 | 01,117,696 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Patino2[1][1].doc
[2009/03/24 18:30:24 | 01,061,888 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\French_Webpage_Peters_blurb[1]09.doc
[2009/03/24 18:26:16 | 01,353,216 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Lozano.doc
[2009/03/24 18:24:22 | 02,030,080 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Spanish at Dillard University.doc
[2009/03/24 08:27:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Delgado
[2009/03/24 08:27:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Proyectos 102-202
[2009/03/24 08:26:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Quiz Ch. 6
[2009/03/24 08:26:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Aurea y Joanne Roundtable
[2009/03/23 18:33:46 | 01,268,736 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\pics of flags.doc
[2009/03/23 16:49:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Lab training
[2009/03/23 16:31:07 | 00,034,816 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\6march09_lyceum_guidelines_sp09.doc
[2009/03/23 16:12:59 | 00,039,424 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\FERPA_Release_Form[1].doc
[2009/03/23 07:17:58 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_1(1).xls
[2009/03/23 07:17:38 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_2(1).xls
[2009/03/22 12:01:50 | 00,211,696 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA Arts Collective.mht
[2009/03/22 12:00:19 | 00,233,076 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Afro-Cuban Jazz in New Orleans.mht
[2009/03/22 11:48:08 | 00,447,242 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA'S Projects.mht
[2009/03/21 18:06:49 | 00,075,264 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Course Proposal Form 3 10 09 709PM.doc
[2009/03/19 21:42:14 | 00,001,891 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/03/19 21:19:23 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/03/19 21:10:28 | 00,680,844 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Presentation1.pptx
[2009/03/19 18:20:56 | 00,016,896 | -HS- | C] () -- C:\Documents and Settings\Administrator\My Documents\Thumbs.db
[2009/03/19 17:45:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Web-Page official
[2009/03/19 11:18:08 | 01,724,416 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 10.doc
[2009/03/19 10:13:56 | 01,728,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 1.doc
[2009/03/19 09:44:53 | 00,767,201 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\foto globo 1.JPG
[2009/03/16 22:54:12 | 00,248,841 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Mediterranean diet plan.mht
[2009/03/16 11:43:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\French TA
[2009/03/16 11:04:53 | 03,393,536 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Block(1) game.xls
[2009/03/14 16:07:34 | 00,564,090 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\banderas de latinoamerica 1.JPG
[2009/03/14 16:00:55 | 00,728,544 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Miscelaneas venezuela.JPG
[2009/03/14 15:42:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\march 2009 pics
[2009/03/14 15:42:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Training
[2009/03/14 13:33:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Summer 09
[2009/03/14 13:27:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Fall 09
[2008/11/18 00:43:07 | 03,086,336 | ---- | C] () -- C:\WINDOWS\System32\NCMedia.dll
[2008/11/18 00:43:07 | 03,086,336 | ---- | C] () -- C:\WINDOWS\System32\flvvideo.dll
[2008/10/19 14:20:33 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2008/03/30 23:10:19 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/31 00:01:58 | 00,000,033 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
[2008/01/12 17:14:16 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2008/01/10 16:06:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/12/06 22:33:26 | 00,000,172 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/10/30 05:43:05 | 00,066,482 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/10/30 02:13:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/30 01:59:19 | 00,000,227 | ---- | C] () -- C:\WINDOWS\QScreenCapt.ini
[2007/10/27 22:08:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/10/27 16:32:12 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/03/05 20:34:28 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/01 01:54:30 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/11/01 01:52:38 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/09/24 17:47:34 | 00,000,798 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/12 08:33:16 | 00,000,642 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/12 08:30:36 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/04/11 13:56:10 | 00,303,080 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/11 13:48:45 | 00,274,432 | ---- | M] () -- C:\asfffbfsaf.exe
[2009/04/11 13:48:18 | 00,274,432 | ---- | M] () -- C:\asfffbsaf.exe
[2009/04/11 13:23:40 | 00,077,824 | ---- | M] () -- C:\asfj]fkjbsmfadf.exe
[2009/04/11 12:50:16 | 00,077,824 | ---- | M] () -- C:\asfj]fkjbsmfafdf.exe
[2009/04/11 12:48:37 | 00,274,432 | ---- | M] () -- C:\asffbsaf.exe
[2009/04/11 12:48:28 | 00,274,432 | ---- | M] () -- C:\asfffkfjsfkfbsaf.exe
[2009/04/11 12:46:10 | 00,274,432 | ---- | M] () -- C:\asfffkjsfkfbsaf.exe
[2009/04/11 12:44:44 | 00,274,432 | ---- | M] () -- C:\asffkjsfbsaf.exe
[2009/04/11 12:23:36 | 00,000,227 | ---- | M] () -- C:\WINDOWS\QScreenCapt.ini
[2009/04/11 12:23:22 | 00,043,008 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\error doc.doc
[2009/04/11 12:23:00 | 00,012,800 | -HS- | M] () -- C:\Documents and Settings\Administrator\Desktop\Thumbs.db
[2009/04/11 12:21:37 | 00,250,794 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\picture003.bmp
[2009/04/11 12:20:49 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/11 12:20:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/11 12:19:40 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/11 12:19:37 | 24,138,75200 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/11 12:19:19 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/04/11 12:19:17 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2009/04/11 12:18:38 | 05,026,958 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/04/11 12:13:41 | 00,250,794 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\picture002.bmp
[2009/04/11 11:55:35 | 00,524,736 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/11 11:55:35 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/11 11:55:35 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/11 11:29:28 | 00,077,824 | ---- | M] () -- C:\asffkjbsmfadf.exe
[2009/04/10 20:00:36 | 00,500,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/04 22:56:44 | 00,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[2009/04/04 21:21:26 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\iexplore.exe
[2009/04/04 20:51:32 | 00,001,891 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/04 15:59:35 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/04/04 15:59:35 | 00,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/04/04 15:59:35 | 00,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/04/04 15:59:35 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/03/29 14:00:22 | 00,302,134 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090329-150448.backup
[2009/03/27 22:43:35 | 00,013,970 | ---- | M] () -- C:\WINDOWS\dslgkndsg.torrent
[2009/03/27 19:37:09 | 00,121,964 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\www.pearsonhighered.com-educator-ExamCopyTransactionUS-1.tif
[2009/03/27 19:36:18 | 05,292,054 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\picture001.bmp
[2009/03/27 19:35:23 | 00,000,717 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HQScreen.lnk
[2009/03/27 08:15:28 | 00,032,490 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spanish 352 Spanish Composition.mht
[2009/03/27 04:37:35 | 01,651,143 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\libros de español.pdf
[2009/03/27 04:31:31 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Oral_Exam1[1] La Shonta.doc
[2009/03/25 07:14:16 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\email distro list.doc
[2009/03/24 23:47:00 | 01,353,216 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Lozano.doc
[2009/03/24 23:46:55 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Areas of Expertise.doc
[2009/03/24 23:46:39 | 01,052,160 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\French_webpage_for_DU_website[1].doc
[2009/03/24 18:38:02 | 01,061,888 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\French_Webpage_Peters_blurb[1]09.doc
[2009/03/24 18:37:50 | 02,030,080 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Spanish at Dillard University.doc
[2009/03/24 18:36:24 | 01,117,696 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WEB_PAGE_Patino2[1][1].doc
[2009/03/23 18:33:47 | 01,268,736 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\pics of flags.doc
[2009/03/23 16:31:07 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\6march09_lyceum_guidelines_sp09.doc
[2009/03/23 16:13:00 | 00,039,424 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\FERPA_Release_Form[1].doc
[2009/03/23 07:17:58 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_1(1).xls
[2009/03/23 07:17:38 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Fall_09_-_part_2(1).xls
[2009/03/22 12:01:51 | 00,211,696 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA Arts Collective.mht
[2009/03/22 12:00:19 | 00,233,076 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Afro-Cuban Jazz in New Orleans.mht
[2009/03/22 11:48:08 | 00,447,242 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CubaNOLA'S Projects.mht
[2009/03/21 18:06:49 | 00,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Course Proposal Form 3 10 09 709PM.doc
[2009/03/19 22:49:44 | 00,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/19 21:10:30 | 00,680,844 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Presentation1.pptx
[2009/03/19 18:21:04 | 00,016,896 | -HS- | M] () -- C:\Documents and Settings\Administrator\My Documents\Thumbs.db
[2009/03/19 18:10:06 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office PowerPoint 2007.lnk
[2009/03/19 11:18:09 | 01,724,416 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 10.doc
[2009/03/19 10:13:57 | 01,728,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\pic foto globo 1.doc
[2009/03/19 09:44:54 | 00,767,201 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\foto globo 1.JPG
[2009/03/18 22:03:06 | 00,048,640 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/16 22:54:13 | 00,248,841 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Mediterranean diet plan.mht
[2009/03/16 11:18:54 | 00,564,090 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\banderas de latinoamerica 1.JPG
[2009/03/16 11:04:55 | 03,393,536 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Block(1) game.xls
[2009/03/14 16:00:55 | 00,728,544 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Miscelaneas venezuela.JPG
[2009/03/13 18:01:14 | 00,149,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WpsHelper.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\Administrator\Desktop\http--www.nola.com-katrina-graphics-credits.swf.url:favicon
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\Desktop\iexplore.exe:SummaryInformation
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EEFF768F
< End of report >

Attached Files



#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 April 2009 - 07:11 PM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - ("C:\WINDOWS\server.exe") - C:\WINDOWS\server.exe (Microsoft)
    O4 - HKU\S-1-5-21-2453123996-834172676-3234573468-500..\Run: [updates] C:\WINDOWS\server.exe (Microsoft)
    O4 - HKLM..\RunServices: [Windows Updatess] xblgen.exe File not found
    O4 - HKLM..\Run: [Windows Updatess] xblgen.exe File not found
    
    :Files
    C:\asf*.exe
    C:\WINDOWS\server.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

===============


Is your Norton antivirus current and up to date?



===============




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
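The OTL fix above removes three kinds of persistence: a Winlogon UserInit value redirected to C:\WINDOWS\server.exe, a per-user Run value launching the same file, and two orphaned "Windows Updatess" Run/RunServices values whose target no longer exists. As an added example that is not part of this thread or of OTL itself, the Python below audits OTL-style O20/O4 lines for exactly those patterns; the sample lines are constructed from the entries quoted in this thread plus two benign entries, and the system root path and rule names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed OTL (OTListIt2) log lines mirroring the entries in the thread,
# plus two benign entries (also constructed) to show what is NOT flagged.
SAMPLE_OTL_LINES = [
    'O20 - HKLM Winlogon: UserInit - ("C:\\WINDOWS\\server.exe") - C:\\WINDOWS\\server.exe (Microsoft)',
    'O4 - HKU\\S-1-5-21-2453123996-834172676-3234573468-500..\\Run: [updates] C:\\WINDOWS\\server.exe (Microsoft)',
    'O4 - HKLM..\\RunServices: [Windows Updatess] xblgen.exe File not found',
    'O4 - HKLM..\\Run: [Windows Updatess] xblgen.exe File not found',
    'O20 - HKLM Winlogon: UserInit - (C:\\WINDOWS\\system32\\userinit.exe) - C:\\WINDOWS\\system32\\userinit.exe (Microsoft Corporation)',
    'O4 - HKLM..\\Run: [ccApp] C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe (Symantec Corporation)',
]

# Assumed system root; on a real host take it from %SystemRoot%.
SYSTEM_ROOT = PureWindowsPath("C:\\WINDOWS")
# The only legitimate UserInit target on XP: system32\userinit.exe.
EXPECTED_USERINIT = SYSTEM_ROOT / "system32" / "userinit.exe"

# O20 line: the UserInit value appears in parentheses, optionally quoted.
O20_RE = re.compile(r'^O20 - HK\w+ Winlogon: UserInit - \("?([^")]+)"?\)')
# O4 line: hive, Run-style key name, [value name], then the target.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKU\\[^.]+)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<rest>.+)$'
)
# OTL appends the signer/company in trailing parentheses; strip it to get the path.
COMPANY_RE = re.compile(r'\s*\([^()]*\)$')


def audit_otl_lines(lines, system_root=SYSTEM_ROOT, expected_userinit=EXPECTED_USERINIT):
    """Return (rule, line) findings for autostart entries worth a second look.

    Rules (names are this example's own):
      userinit-hijack          UserInit does not point at system32\\userinit.exe
      orphaned-autostart       Run/RunServices value whose file OTL could not find
      autostart-in-systemroot  Run value launching a binary dropped directly in
                               the Windows directory rather than a program folder
    """
    findings = []
    for line in lines:
        line = line.rstrip()
        m = O20_RE.match(line)
        if m:
            # PureWindowsPath compares case-insensitively, as the registry does.
            if PureWindowsPath(m.group(1).strip()) != expected_userinit:
                findings.append(("userinit-hijack", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # not an autostart line this audit understands
        rest = m.group("rest")
        if rest.endswith("File not found"):
            # Leftover value from a removed dropper; the name mimics Windows Update.
            findings.append(("orphaned-autostart", line))
            continue
        target = PureWindowsPath(COMPANY_RE.sub("", rest))
        if target.parent == system_root:
            findings.append(("autostart-in-systemroot", line))
    return findings


if __name__ == "__main__":
    for rule, line in audit_otl_lines(SAMPLE_OTL_LINES):
        print(f"{rule:24} {line}")
```

The first four constructed lines are flagged (one UserInit hijack, one systemroot autostart, two orphaned values) and the two benign entries pass.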


========================================================

#8 psychoguy2009

  • Topic Starter

Posted 11 April 2009 - 07:52 PM

I did not get the Windows Recovery Console installed. I disabled the Symantec before running ComboFix, and it would not allow connection to the internet while it is disabled. Should I run ComboFix again to install the WRC?


Here is the log created when I ran the Run Fix on OTListIt2:
========== OTLISTIT ==========
Process explorer.exe killed successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:"C:\WINDOWS\server.exe" deleted successfully.
C:\WINDOWS\server.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-2453123996-834172676-3234573468-500\Software\Microsoft\Windows\CurrentVersion\Run\\updates deleted successfully.
File C:\WINDOWS\server.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\\Windows Updatess deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Updatess deleted successfully.
========== FILES ==========
C:\asffbsaf.exe moved successfully.
C:\asfffbfsaf.exe moved successfully.
C:\asfffbsaf.exe moved successfully.
C:\asfffkfjsfkfbsaf.exe moved successfully.
C:\asfffkjsfkfbsaf.exe moved successfully.
C:\asffkjbsmfadf.exe moved successfully.
C:\asffkjsfbsaf.exe moved successfully.
C:\asfj]fkjbsmfadf.exe moved successfully.
C:\asfj]fkjbsmfafdf.exe moved successfully.
File/Folder C:\WINDOWS\server.exe not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TY1DTY8P\index[3].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RKSNZ5XU\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_308.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_558.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.12.2 log created on 04112009_193013

Files moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TY1DTY8P\index[3].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RKSNZ5XU\iframe[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_308.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_558.dat not found!

Registry entries deleted on Reboot...



And here is the ComboFix log:
ComboFix 09-04-04.01 - Administrator 2009-04-11 19:37:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1821 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\csrxx.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\server.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-11 11:03 . 2009-04-11 11:02 410,984 --a--c--- c:\windows\system32\deploytk.dll
2009-04-11 10:48 . 2009-04-11 10:48 <DIR> d----c--- C:\_OTListIt
2009-04-09 18:30 . 2009-04-09 22:34 <DIR> d----c--- c:\windows\system32\NtmsData
2009-04-04 19:32 . 2009-04-04 19:32 <DIR> d----c--- c:\program files\Trend Micro
2009-04-04 18:56 . 2008-06-19 16:24 28,544 --a--c--- c:\windows\system32\drivers\pavboot.sys
2009-04-04 15:59 . 2009-04-04 15:59 123,952 --a--c--- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-04 15:59 . 2008-04-04 19:01 91,520 --a--c--- c:\windows\system32\drivers\SysPlant.sys
2009-04-04 15:59 . 2009-04-04 15:59 60,800 --a--c--- c:\windows\system32\S32EVNT1.DLL
2009-04-04 15:59 . 2009-04-04 15:59 10,563 --a--c--- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-04 15:59 . 2009-04-04 15:59 805 --a--c--- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-01 00:11 . 2009-04-01 00:13 <DIR> d----c--- c:\program files\Windows Live Safety Center
2009-03-27 22:43 . 2009-03-27 22:43 13,970 --a--c--- c:\windows\dslgkndsg.torrent
2009-03-19 21:42 . 2009-04-04 20:51 1,891 --a--c--- c:\windows\imsins.BAK
2009-03-19 21:19 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 00:31 0 -c--a-w c:\windows\system32\drivers\lvuvc.hs
2009-04-12 00:31 0 -c--a-w c:\windows\system32\drivers\logiflt.iad
2009-04-11 16:02 --------- dc----w c:\program files\Java
2009-04-09 18:10 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 00:35 --------- dc----w c:\program files\Uniblue
2009-04-04 23:39 --------- dc----w c:\program files\Clean Disk Security
2009-04-04 22:00 --------- dc----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-04 21:01 --------- dc----w c:\program files\Common Files\Symantec Shared
2009-04-04 20:59 --------- dc----w c:\program files\Symantec
2009-04-04 20:42 --------- dc----w c:\program files\Symantec AntiVirus
2009-04-04 20:30 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 01:41 --------- dc----w c:\program files\InterActual
2009-03-28 00:35 --------- dc----w c:\program files\Howies Quick Screen Capture
2009-03-20 02:50 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-20 02:25 --------- dc----w c:\program files\Spybot - Search & Destroy
2009-03-20 02:19 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 07:30 --------- dc----w c:\documents and settings\Administrator\Application Data\Skype
2009-03-17 03:54 --------- dc----w c:\program files\Google
2009-03-13 23:01 149,768 -c--a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-10 05:00 --------- dc----w c:\documents and settings\Administrator\Application Data\skypePM
2009-02-25 19:48 --------- dc----w c:\documents and settings\Administrator\Application Data\WinFF
2009-02-25 19:44 --------- dc----w c:\program files\WinFF
2009-02-09 11:13 1,846,784 -c--a-w c:\windows\system32\win32k.sys
2008-11-23 19:16 1,635 -c--a-w c:\documents and settings\Administrator\Application Data\SAS7_000.DAT
2008-09-16 21:43 60,744 -c--a-w c:\documents and settings\Administrator\g2mdlhlpx.exe
2008-03-21 23:39 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-11 08:04 61,036 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-13 00:22 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-13 00:22 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051220080513\index.dat
2008-05-13 00:22 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-11 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZDSV"= scrvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2006-09-24 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2006-09-24 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-09-24 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2006-09-24 17664]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-04-04 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-04 101936]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-09-24 11029]
.
Contents of the 'Scheduled Tasks' folder

2008-09-17 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe []

2009-04-05 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

2008-07-29 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

2008-07-31 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-08-25 15:44]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9zx58d9h.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 19:39:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2453123996-834172676-3234573468-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-04-11 19:41:33
ComboFix-quarantined-files.txt 2009-04-12 00:41:31

Pre-Run: 7,007,875,072 bytes free
Post-Run: 6,987,173,888 bytes free

164 --- E O F --- 2008-11-23 06:49:52

#9 Buckeye_Sam

    Malware Expert

Posted 13 April 2009 - 10:37 AM

First I want to apologize for the delayed response. I had a family Easter thing yesterday and it kept me pretty busy.

There's no need to run Combofix again to install the Recovery Console. You can do it without going into Combofix.
Check this link for instructions.

http://support.microsoft.com/kb/216417


How is your computer behaving now? What issues are you still having?



Let's update Malwarebytes and run a new scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform quick scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


========================================================

#10 psychoguy2009

  • Topic Starter

Posted 13 April 2009 - 09:03 PM

Hi Sam, no problem with the delay, I thought it was probably Easter related. I just got home for the day and saw your reply. I used the down time to reboot the system several times and run Malwarebytes just to see if anything showed up again. So far, I haven't seen anything wrong since you had me run ComboFix.

I ran the updates on Malwarebytes and ran it again. It said there were no malicious items detected, and the log is pasted below. Is there anything else I should do, or do you think everything is okay?


MBAM log:
Malwarebytes' Anti-Malware 1.36
Database version: 1979
Windows 5.1.2600 Service Pack 3

4/13/2009 8:54:57 PM
mbam-log-2009-04-13 (20-54-57).txt

Scan type: Quick Scan
Objects scanned: 73198
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 Buckeye_Sam

    Malware Expert

Posted 14 April 2009 - 07:56 AM

Your logs are looking good to me. As long as things seem ok on your end I think we got it licked.
Let's finish up with some final steps.

Follow this process to uninstall Combofix. It will also restore a few settings and remove quarantined items.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


=================


Run OTListIt2 and click on the CleanUp button.
Reboot when it asks you to.


=================


Run an online scan at Secunia Online Software Inspector
  • Click on the red button at the bottom of the screen that says Start Scanner.
  • Follow the prompts to install the scanning software.
  • Do not check the box for Enable thorough system inspection
  • Click the Start button.
  • The program will scan your system and identify insecure versions of software and missing security updates.
  • Using the links provided in the scan, download and install any current and secure versions that are needed.


================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#12 psychoguy2009

  • Topic Starter

Posted 14 April 2009 - 04:23 PM

Thank you so much for your help. The only problem I seem to be having now is that when I tried to run the Secunia Online Software Inspector, it says that it cannot find Sun Java installed. You had me update the Sun Java in an earlier step, but I re-installed it anyway and it still does not recognize that it is there.

#13 Buckeye_Sam

    Malware Expert

Posted 15 April 2009 - 12:21 PM

No big deal on that. Secunia may not recognize the most recent version of Java. As long as you have the current version and have removed the older versions, you're fine.


========================================================

#14 Buckeye_Sam

    Malware Expert

Posted 09 May 2009 - 01:26 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



