search engine redirect to random ads



#1 marc_e

marc_e

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 04 December 2009 - 01:15 AM

For the last few days I have been getting redirected to random ad sites every time I google something. It all started when I downloaded RegRun the other day to get rid of a program that was causing pop-ups when Explorer was closed down. I would wake up in the morning and about 10 windows would be opened with weird ads. RegRun got rid of that for me, but immediately something more annoying occurred, and that was that searching became virtually impossible. Clicking on a Google result about Dick Cheney might put me on a site for live nude cams. Certainly more interesting than Dick Cheney, but not the result that I was looking for. So up to this post I have downloaded DDS and RootRepeal as explained in a topic post from admin here on removing malware and viruses. RootRepeal is not working for me. It causes my computer to freeze up. I am posting the DDS log though. I also removed RegRun and since then the redirecting has stopped. Still, I have these logs, so I thought that the prudent thing to do would be to post them. The heading at the top of the second log said not to post it, so I didn't.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 18:55:19.03 on Thu 12/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.38 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Play65\bin\Play65.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\341OQKTP\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www,yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://us8.hpwis.com/
uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\simple~2\photos~1\data\xtras\mssysmgr.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [McRegWiz] c:\progra~1\mcafee.com\agent\mcregwiz.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellObj Class: {f552dde6-2090-4bf4-b924-6141e87789a5} - c:\progra~1\greatis\regrun~1\RRShell.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ebo8sx53.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-7 144704]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2001-1-3 14336]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-7 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-7 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-7 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-7 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-7 40552]
R3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-11-29 24416]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe --> c:\program files\mcafee.com\agent\mcdetect.exe [?]
S2 mrtRate;mrtRate; [x]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys --> c:\windows\system32\drivers\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys --> c:\windows\system32\drivers\swlubtl.sys [?]

=============== Created Last 30 ================

2009-12-01 07:03:50 218 ----a-w- c:\documents and settings\owner\.recently-used.xbel
2009-11-30 06:58:45 0 d-----w- c:\windows\RestoreSafeDeleted
2009-11-30 06:47:54 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-11-30 06:47:53 2 --shatr- c:\windows\winstart.bat
2009-11-30 06:46:18 57556 ----a-w- c:\windows\guard.bmp
2009-11-30 06:46:09 0 d-----w- c:\program files\Greatis
2009-11-27 03:54:15 224256 ----a-w- c:\windows\system32\sshnas.dll
2009-11-27 03:51:39 196608 ----a-w- c:\windows\MSA.del
2009-11-15 02:57:27 0 d-----w- c:\docume~1\owner\applic~1\GOL_byHasbro
2009-11-15 02:55:24 0 d-----w- C:\GameHouse Games
2009-11-15 02:54:27 0 d-----w- c:\program files\RealArcade
2009-11-12 15:14:08 0 d-----w- c:\windows\system32\scripting
2009-11-12 15:14:05 0 d-----w- c:\windows\l2schemas
2009-11-12 15:14:04 0 d-----w- c:\windows\system32\en
2009-11-12 08:02:17 1393 ----a-w- c:\windows\imsins.BAK
2009-11-08 05:27:30 0 d-----w- c:\docume~1\owner\applic~1\IObit
2009-11-08 05:27:29 0 d-----w- c:\program files\IObit
2009-11-08 03:18:23 0 d-----w- c:\documents and settings\owner\.gnubg
2009-11-08 03:17:59 0 d-----w- c:\program files\gnubg

==================== Find3M ====================

2009-11-09 03:45:59 98698 ----a-r- c:\windows\fonts\Albertus_Extra_Bold.ttf
2009-09-12 04:00:23 274394 ----a-w- c:\windows\DJ Music Mixer Uninstaller.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 18:57:18.68 ===============
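As an added example (not part of the original thread, and not code from DDS or BleepingComputer), the following Python script does the first pass a reader would do by hand over a DDS log like the one above: it pairs services hosted in `svchost.exe -k netsvcs` with any DLL of the same name created under system32 in the "Created Last 30" section, and it lists driver entries where DDS printed `[?]` instead of a date and size, meaning it could not read the file at that path. The log excerpt is constructed from lines in the post above; the section banners and field order are assumptions about DDS's output format taken from that same log, and the rule names are my own.

```python
import ntpath
import re

# Constructed excerpt of the DDS log posted above: only the lines these
# checks consume. A real run would be handed the whole pasted log.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2001-1-3 14336]
R3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-11-29 24416]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-11-30 06:47:54 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-11-27 03:54:15 224256 ----a-w- c:\windows\system32\sshnas.dll
2009-11-27 03:51:39 196608 ----a-w- c:\windows\MSA.del
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
# "<date> <time> <size> <attrs> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")


def split_sections(text):
    """Group the log's lines under the '==== NAME ====' banner above them."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def parse_services(lines):
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, rest = m.groups()
        # DDS appends "[date size]" when it could stat the file and "[?]"
        # when it could not; "-->" separates the registry path from the
        # path DDS actually looked for.
        image = rest.split(" [")[0].split(" -->")[0].strip()
        services.append({"state": state, "name": name, "display": display,
                         "image": image,
                         "unverified": rest.rstrip().endswith("[?]")})
    return services


def parse_created(lines):
    files = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            files.append({"when": m.group(1), "size": int(m.group(2)),
                          "attrs": m.group(3), "path": m.group(4).strip()})
    return files


def triage(log_text):
    """Return (rule, service name, path) tuples worth a closer look."""
    sections = split_sections(log_text)
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    created = parse_created(sections.get("CREATED LAST 30", []))

    # Recently created DLLs under system32, keyed by name without extension.
    new_dlls = {}
    for f in created:
        stem, ext = ntpath.splitext(ntpath.basename(f["path"]))
        if ext.lower() == ".dll" and "\\system32\\" in f["path"].lower():
            new_dlls[stem.lower()] = f["path"]

    findings = []
    for s in services:
        if s["unverified"]:
            findings.append(("unverified_image", s["name"], s["image"]))
        # A service that runs inside the shared svchost netsvcs group is
        # implemented by a DLL; if a DLL of the same name appeared in
        # system32 within the last 30 days, that file is where to look next.
        if "svchost.exe -k netsvcs" in s["image"].lower():
            path = new_dlls.get(s["name"].lower())
            if path:
                findings.append(("netsvcs_new_dll", s["name"], path))
    return findings


if __name__ == "__main__":
    for rule, name, path in triage(SAMPLE_LOG):
        print(f"{rule:18} {name:10} {path}")
```

A hit from either rule is a pointer, not a verdict: the next step is to identify the file (publisher, signature, hash against a reference), which is what the helper's OTL and GMER requests below set out to do.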


#2 Buckeye_Sam, Malware Expert

Posted 04 December 2009 - 08:17 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
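The custom-scan lines in the post above ask OTL to search the system drive recursively (`/s`) for a fixed list of system DLLs and drivers and print each copy's MD5 (`/md5`), so that the helper can compare the live copy in system32 with the copies in dllcache or ServicePackFiles and against known-good hashes. As an added example (not part of the original thread and not OTL's own code), the following Python script does the same sweep over a constructed directory tree: it hashes every copy of each listed name and reports names whose copies disagree. The file contents in `build_demo` are placeholder bytes, not real drivers; the list of names is taken from the post, and the "copies disagree" rule is my own reading of why the helper asks for all copies.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File names from the custom-scan list in the post above.
SYSTEM_FILES = ["eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll",
                "iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys",
                "AGP440.sys", "nvata.sys"]


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, names):
    """Recursive walk (OTL's /s) hashing every file whose name is in names
    (OTL's /md5). Returns {lowercased name: [(path, md5 or None), ...]}."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                try:
                    found[fn.lower()].append((path, md5_of(path)))
                except OSError:  # locked or unreadable: still worth listing
                    found[fn.lower()].append((path, None))
    return dict(found)


def disagreements(found):
    """Names whose on-disk copies (system32, dllcache, ServicePackFiles, ...)
    carry more than one distinct hash. A live copy that differs from the
    cached ones is what a reviewer then checks against known-good hashes."""
    return {name: copies for name, copies in found.items()
            if len({h for _, h in copies if h}) > 1}


def build_demo():
    """Constructed stand-in for %SYSTEMDRIVE%. The byte strings are
    placeholders, not real driver or DLL contents."""
    root = tempfile.mkdtemp(prefix="sysdrive_")
    pristine_atapi = b"atapi-placeholder" + b"\x00" * 32
    pristine_scecli = b"scecli-placeholder" + b"\x00" * 32
    layout = {
        # the live driver carries a tail the cached copies do not
        "WINDOWS/system32/drivers/atapi.sys": pristine_atapi + b"\x90" * 16,
        "WINDOWS/system32/dllcache/atapi.sys": pristine_atapi,
        "WINDOWS/ServicePackFiles/i386/atapi.sys": pristine_atapi,
        # every copy of this one agrees
        "WINDOWS/system32/scecli.dll": pristine_scecli,
        "WINDOWS/system32/dllcache/scecli.dll": pristine_scecli,
        # unrelated file that must not appear in the sweep
        "WINDOWS/system32/notepad.exe": b"unrelated",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_demo()
    found = sweep(root, SYSTEM_FILES)
    for name in sorted(found):
        for path, digest in found[name]:
            print(f"{digest}  {path}")
    for name in disagreements(found):
        print(f"!! {name}: copies on disk do not agree; compare each hash "
              f"against a known-good reference for this Windows build")
```

Two caveats apply to this sweep as much as to OTL's. Agreement between copies only shows they are the same bytes, not that they are clean, so the hashes still need a known-good reference for the exact Windows build and service pack. And a user-mode file walk sees only what the kernel shows it; a rootkit that filters file reads can hand back the clean copy, which is why the helper's next step is a GMER rootkit scan rather than more hashing. MD5 is used here purely as a file identifier, as OTL uses it, not as a tamper-proof integrity check.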



#3 marc_e (Topic Starter)

Posted 06 December 2009 - 04:20 PM

Sam,

Thanks so much for your help. I apologize for not responding sooner, but I have been having a heck of a time with GMER. The scan takes hours and then apparently shuts down everything when it is complete. I have noticed, at least for the first hour, that the info that is showing all comes up in the first few minutes. I am giving up for the time being on the full report, but I have copied and pasted what comes up in the first few minutes. OTL gets a rather bad rap around the internet, but I trust that you are legit and there will be no problems. Here are my OTL logs followed by what I could get out of GMER. I am not having troubles with my search since I got rid of RegRun, but I still have an ultra slow computer, at least when I first open Mozilla or IE 7, so I am hoping that you may have some good suggestions.

OTL logfile created on: 12/6/2009 1:55:33 PM - Run 2
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.36 Mb Total Physical Memory | 106.75 Mb Available Physical Memory | 23.86% Memory free
1.03 Gb Paging File | 0.55 Gb Available in Paging File | 53.18% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 87.88 Gb Free Space | 81.87% Space Free | Partition Type: NTFS
Drive D: | 4.43 Gb Total Space | 0.69 Gb Free Space | 15.56% Space Free | Partition Type: FAT32
Drive E: | 316.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CONFERENCE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/20 13:51:34 | 02,335,880 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/11/07 10:25:38 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/07 22:30:22 | 00,192,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSM\McSmtFwk.exe
PRC - [2009/03/01 17:22:04 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/01 17:22:04 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 10:25:22 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/13 17:47:10 | 00,155,648 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2005/07/22 14:04:50 | 00,217,088 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/01/21 17:04:42 | 00,163,840 | ---- | M] (Simple Star, Inc.) -- C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe
PRC - [2003/03/03 11:44:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe


========== Modules (SafeList) ==========

MOD - [2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 17:12:01 | 00,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2007/04/19 11:21:40 | 00,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (McDetect.exe)
SRV - File not found -- -- (BackupClientSvc)
SRV - [2009/11/26 20:54:15 | 00,224,256 | ---- | M] () -- C:\WINDOWS\system32\sshnas.dll -- (SSHNAS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/03/01 17:22:04 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2005/09/03 16:21:26 | 00,323,584 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService)
SRV - [2005/07/22 14:04:50 | 00,217,088 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/04/03 21:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/03/09 18:31:02 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/03/03 11:44:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\S-1-5-21-285400561-1825411671-3093264262-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..network.proxy.no_proxies_on: "local.,"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/21 20:24:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/20 14:14:41 | 00,000,000 | ---D | M]

[2009/09/30 18:17:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/06 09:36:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ebo8sx53.default\extensions
[2009/09/30 18:16:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..\Toolbar\ShellBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe File not found
O4 - HKLM..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc.)
O4 - HKLM..\Run: [VSOCheckTask] C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe (McAfee, Inc.)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [PhotoShow Deluxe Media Manager] C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..Trusted Domains: 9 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 () - http://www.coloacad.org/homeimages/spacer10.gif
O24 - Desktop Components:1 () - http://www.manpb.org/mariap.jpg
O24 - Desktop Components:2 () - http://www.frontierairlines.com/images/hom...contentwell.gif
O24 - Desktop Components:3 () - http://www.chase.com/ccpmweb/generic/image...inum_middle.jpg
O24 - Desktop Components:4 () - http://us.i1.yimg.com/us.yimg.com/i/mntl/s...q2/img_dads.jpg
O24 - Desktop Components:5 () - http://www.melaleuca.com/ps/images_us/splash_main03.jpg
O24 - Desktop Components:6 () - http://www.mackintoshacademy.com/elwebport...es/moutains.jpg
O24 - Desktop Components:7 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {F552DDE6-2090-4bf4-B924-6141E87789A5} - C:\Program Files\Greatis\RegRunSuite\RRShell.dll (Greatis Software, LLC)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/09 22:19:17 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2007/12/14 06:48:00 | 00,000,052 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4bd0b4e2-d66c-11d7-9a1c-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{4bd0b4e2-d66c-11d7-9a1c-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4bd0b4e2-d66c-11d7-9a1c-806d6172696f}\Shell\AutoRun\command - "" = E:\PXRoute.exe -- [2007/03/02 09:11:41 | 00,094,208 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2001/01/03 06:53:33 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - C:\WINDOWS\system32\sshnas.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/04 16:59:03 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/04 09:45:16 | 00,000,000 | ---D | C] -- C:\Program Files\Citrix
[2009/12/03 19:07:22 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/29 23:59:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RegRunInfo
[2009/11/29 23:58:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\RestoreSafeDeleted
[2009/11/29 23:47:54 | 00,024,416 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/11/29 23:47:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RegRun2
[2009/11/29 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Greatis
[2009/11/29 10:53:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\confirmation.asp_files
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/06 01:42:16 | 00,000,218 | ---- | M] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2009/12/04 20:08:05 | 00,015,483 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/04 20:06:56 | 00,000,416 | ---- | M] () -- C:\WINDOWS\tasks\PCConfidential.job
[2009/12/04 20:06:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/04 20:06:42 | 46,915,9936 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/04 20:06:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/04 17:19:50 | 00,284,153 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/04 10:52:42 | 00,000,406 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ChatLog New meeting 2009_12_04 10_52.rtf
[2009/12/04 10:02:52 | 00,002,162 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GoToMeeting Quick Connect.lnk
[2009/12/04 09:45:03 | 00,070,984 | ---- | M] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
[2009/12/03 20:11:52 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/12/03 20:11:52 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/12/03 20:11:42 | 08,582,612 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/12/03 19:07:34 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/12/03 18:56:20 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/12/02 21:23:21 | 00,055,668 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tiger.jpg
[2009/12/01 21:04:45 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nintendo game wishlist.doc
[2009/12/01 20:48:35 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mary's 2009 wishlist.doc
[2009/12/01 01:00:26 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/01 01:00:21 | 00,001,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Explorer.lnk
[2009/11/29 23:51:48 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/29 23:51:48 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/11/29 23:51:48 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2009/11/29 10:53:11 | 00,016,139 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
[2009/11/29 09:08:38 | 00,463,872 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\INTERNET EXPLORER DISABLED.doc
[2009/11/28 11:28:29 | 00,106,496 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\pop up blocker.doc
[2009/11/26 21:57:42 | 00,000,648 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/26 21:18:06 | 00,000,420 | ---- | M] () -- C:\WINDOWS\tasks\RPCReminder.job
[2009/11/26 20:58:38 | 00,049,624 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/26 20:54:15 | 00,224,256 | ---- | M] () -- C:\WINDOWS\System32\sshnas.dll
[2009/11/26 20:51:27 | 00,196,608 | ---- | M] () -- C:\WINDOWS\MSA.del
[2009/11/26 09:14:15 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/25 01:02:36 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/06 01:42:16 | 00,000,218 | ---- | C] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2009/12/04 17:21:22 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/12/04 17:19:48 | 00,284,153 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/12/04 10:52:41 | 00,000,406 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ChatLog New meeting 2009_12_04 10_52.rtf
[2009/12/04 10:02:52 | 00,002,162 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GoToMeeting Quick Connect.lnk
[2009/12/04 09:45:03 | 00,070,984 | ---- | C] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
[2009/12/03 18:56:14 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/02 21:23:18 | 00,055,668 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tiger.jpg
[2009/12/01 21:04:45 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Nintendo game wishlist.doc
[2009/11/29 23:47:53 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2009/11/29 23:46:52 | 00,054,498 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ShLog.txt
[2009/11/29 23:46:18 | 00,057,556 | ---- | C] () -- C:\WINDOWS\guard.bmp
[2009/11/29 10:53:05 | 00,016,139 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
[2009/11/29 09:08:37 | 00,463,872 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\INTERNET EXPLORER DISABLED.doc
[2009/11/28 11:28:23 | 00,106,496 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\pop up blocker.doc
[2009/11/26 20:54:15 | 00,224,256 | ---- | C] () -- C:\WINDOWS\System32\sshnas.dll
[2009/11/26 20:51:39 | 00,196,608 | ---- | C] () -- C:\WINDOWS\MSA.del
[2009/11/20 14:15:27 | 00,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/08/22 10:22:44 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/06/08 16:14:13 | 00,001,140 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/05/29 08:17:53 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/05/29 08:17:53 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2006/12/16 14:00:49 | 00,000,036 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/29 07:18:31 | 00,000,076 | ---- | C] () -- C:\WINDOWS\ariel_ss.ini
[2006/01/24 20:04:32 | 00,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/01/13 16:41:57 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2006/01/13 16:41:57 | 00,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2005/12/25 11:41:21 | 00,000,639 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/08/26 13:54:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/07/25 16:50:54 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2005/07/25 16:50:19 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2005/07/25 16:50:18 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/01/06 13:31:29 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/07/09 10:17:37 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/06/02 10:09:53 | 00,000,356 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2003/11/08 12:54:57 | 00,000,332 | ---- | C] () -- C:\WINDOWS\ka.ini
[2003/10/09 12:42:26 | 00,000,459 | ---- | C] () -- C:\WINDOWS\import.INI
[2003/09/11 20:11:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/09/03 12:25:00 | 00,184,320 | ---- | C] () -- C:\WINDOWS\System32\EmbeddedDX.dll
[2003/09/03 12:25:00 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\sbaparam.dll
[2003/09/03 12:25:00 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\sbautils.dll
[2003/09/03 12:24:59 | 00,010,875 | ---- | C] () -- C:\WINDOWS\ESOA.INI
[2003/09/03 12:24:59 | 00,003,679 | ---- | C] () -- C:\WINDOWS\GrAddrBk.ini
[2003/09/03 12:24:59 | 00,002,298 | ---- | C] () -- C:\WINDOWS\WINPOINT.INI
[2003/09/03 12:24:59 | 00,000,995 | ---- | C] () -- C:\WINDOWS\GRACE.INI
[2003/09/03 12:24:59 | 00,000,255 | ---- | C] () -- C:\WINDOWS\GrAdr16.ini
[2003/09/03 12:24:59 | 00,000,053 | ---- | C] () -- C:\WINDOWS\PRSRVDLL.INI
[2003/08/24 13:40:16 | 00,000,645 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/10 04:35:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/10 04:34:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/04/10 04:21:36 | 00,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/04/10 01:51:07 | 00,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/04/10 01:51:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/04/10 00:06:10 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/04/10 00:03:38 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/04/10 00:03:38 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/04/09 23:57:15 | 00,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/04/09 23:57:04 | 00,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/04/09 23:16:44 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/04/09 22:55:02 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/04/09 22:44:58 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/04/09 22:44:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/04/09 22:44:29 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/04/09 22:23:21 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/09 22:05:45 | 00,000,659 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/03/09 18:31:04 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/05/24 08:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2002/05/24 08:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2001/08/14 18:47:08 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll

========== LOP Check ==========

[2005/08/02 06:39:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.0 Setup
[2008/09/14 17:53:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MGS
[2008/09/14 17:48:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microgaming
[2008/08/19 13:35:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2009/06/08 16:53:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/08/22 10:27:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/06/30 07:00:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2005/08/26 13:55:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\The Learning Company
[2007/12/29 13:09:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2005/08/26 13:47:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vivendi Universal Games
[2006/04/07 15:26:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VUG
[2009/04/16 20:09:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
[2003/04/10 04:21:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\interMute
[2003/04/09 23:52:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\InterTrust
[2003/04/10 00:04:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2006/01/24 20:07:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2006/12/16 22:58:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Axaware
[2008/09/15 17:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2005/08/09 12:11:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\eFax Messenger
[2009/04/05 16:01:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\G7PS
[2009/11/14 19:57:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GOL_byHasbro
[2009/12/06 01:40:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2003/04/10 04:21:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\interMute
[2003/04/09 23:52:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
[2009/11/07 22:27:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IObit
[2005/09/11 05:34:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2009/11/26 18:27:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MailWasherFree
[2005/09/27 15:19:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2009/03/13 08:16:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Owner
[2009/08/22 10:22:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\pdf995
[2006/05/14 09:07:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PlayFirst
[2003/04/10 00:04:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2005/09/08 13:48:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Simple Star
[2009/03/16 10:31:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SPAMfighter
[2009/12/03 00:05:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2008/09/14 14:28:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VTExtra
[2009/08/01 14:59:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WeatherDPA
[2009/11/15 01:24:13 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/12/01 01:00:26 | 00,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2007/05/30 13:52:43 | 00,000,402 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job
[2009/12/04 20:06:56 | 00,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\PCConfidential.job
[2009/11/26 21:18:06 | 00,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\RPCReminder.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/03/09 11:49:12 | 14,315,500 | ---- | M] (Multi-Link Computing ) -- C:\multi link computing databank backup install.exe
[1 C:\*.tmp files -> C:\*.tmp -> ]

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/04 00:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/04 00:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2009/02/06 11:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 11:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 22:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2002/08/29 05:00:00 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331958$\atapi.sys
[2008/04/13 11:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 23:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 11:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >
< End of report >

OTL Extras logfile created on: 12/4/2009 5:01:00 PM - Run 1
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.36 Mb Total Physical Memory | 135.16 Mb Available Physical Memory | 30.21% Memory free
1.03 Gb Paging File | 0.58 Gb Available in Paging File | 56.02% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 87.90 Gb Free Space | 81.89% Space Free | Partition Type: NTFS
Drive D: | 4.43 Gb Total Space | 0.69 Gb Free Space | 15.56% Space Free | Partition Type: FAT32
Drive E: | 316.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CONFERENCE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Computer, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04214FC6-598A-4819-A1BC-7AC88242C437}" = eFax Messenger 4.0
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003
"{2555F283-A782-4F9F-829F-268A9B0F9CC1}" = POINT
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E90FA5-2CB4-4039-A8BB-BE1B9DB94E21}" = HP Memories Disc
"{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653}" = QuickTime
"{5A4AFC3E-4973-46A1-92D6-3A1C5E52948A}" = iTunes
"{60E971B7-51A0-48CA-8687-C6B8F094A409}" = Simple Backup for My Pictures
"{69B02159-7622-4DBB-B9EE-F933039830AD}" = QuickBooks Pro 2006
"{6DD86DE9-1AE7-41B0-9326-1A90E32BAE88}" = Star Stable 2
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77E6AE74-357C-4B33-8324-FDDC9997B4D1}" = Disney Princess Magical Dress-Up
"{8214CC02-6271-4DC8-B8DD-779933450264}" = RecordNow
"{85BC5C08-E73D-11D2-964D-444553540000}" = Point
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{913D0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard for Students and Teachers
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C544F99D-39EF-4E6D-95BE-4E41C1D8C4CB}" = Dr Watson for Microsoft Windows OneCare Live v1.0.0971.20
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{D9952F01-1EBB-494B-AD8C-36BCA14B0FC4}" = POINT
"{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}" = Simple Installer - Multilanguage Version
"{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition
"3DGroove" = 3D Groove Playback Engine
"ACT!" = ACT!
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"BackWeb-137903 Uninstaller" = Updates from HP
"Barbie™ Beauty Boutique™ CD-ROM" = Barbie™ Beauty Boutique™ CD-ROM
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DJ Music Mixer" = DJ Music Mixer
"GNU Backgammon_is1" = GNU Backgammon (MAIN branch, 20091102 code)
"HijackThis" = HijackThis 2.0.2
"hp instant support" = hp instant support
"HPTOOLKIT" = toolkit
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653}" = QuickTime
"InstallShield_{5A4AFC3E-4973-46A1-92D6-3A1C5E52948A}" = iTunes
"InstallShield_{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition
"MailWasher Free_is1" = MailWasher Free 6.5.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nonosweeper_is1" = Nonosweeper v1.33
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Drivers" = NVIDIA Drivers
"Pdf995" = Pdf995
"PhotoShow Express" = PhotoShow Express
"RealPlayer 6.0" = RealOne Player
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"UnityWebPlayer" = Unity Web Player
"VLC media player" = VLC media player 1.0.1
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Five9 Agent" = Five9 Agent
"Five9 Supervisor" = Five9 Supervisor
"GoToMeeting" = GoToMeeting 4.1.0.366
"Play65" = Play65

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2009 3:09:06 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/30/2009 3:09:06 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/30/2009 3:17:22 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/30/2009 3:18:46 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/30/2009 3:18:46 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/30/2009 3:18:46 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/30/2009 3:18:46 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/30/2009 3:19:42 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/30/2009 3:19:42 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/30/2009 4:00:14 AM | Computer Name = CONFERENCE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

[ System Events ]
Error - 12/4/2009 8:06:43 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:49 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:49 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:49 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:53 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:53 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:53 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:57 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:57 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/4/2009 8:06:57 PM | Computer Name = CONFERENCE | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >
GMER report after 10 minutes:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 14:20:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfdcraob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEC7AE78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEC7AE821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEC7AE738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEC7AE74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEC7AE835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEC7AE861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEC7AE8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEC7AE8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEC7AE7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEC7AE8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEC7AE80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEC7AE710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEC7AE724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEC7AE79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEC7AE937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEC7AE8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEC7AE88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEC7AE84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEC7AE923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEC7AE90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEC7AE776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEC7AE762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEC7AE877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEC7AE7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEC7AE8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEC7AE7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEC7AE7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP EC7AE7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP EC7AE811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 80573037 7 Bytes JMP EC7AE891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057791D 5 Bytes JMP EC7AE825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80578A14 7 Bytes JMP EC7AE93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 7 Bytes JMP EC7AE8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP EC7AE78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP EC7AE766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP EC7AE7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP EC7AE7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP EC7AE714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP EC7AE7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8058228C 7 Bytes JMP EC7AE87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80587693 7 Bytes JMP EC7AE8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP EC7AE750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP EC7AE7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP EC7AE865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP EC7AE839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP EC7AE73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP EC7AE728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805E2197 5 Bytes JMP EC7AE8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635977 5 Bytes JMP EC7AE77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80654DE6 7 Bytes JMP EC7AE8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8065570C 7 Bytes JMP EC7AE8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B88 7 Bytes JMP EC7AE84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8065607D 5 Bytes JMP EC7AE913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 806564E8 5 Bytes JMP EC7AE927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF75C0A0C]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CF0FE5
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CF007F
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CF0F8A
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CF0064
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CF003D
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CF0FA5
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CF00BC
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CF00AB
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CF00CD
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CF0F34
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01CF00E8
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01CF002C
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01CF0000
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01CF0090
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01CF0FC0
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01CF0011
.text C:\WINDOWS\Explorer.EXE[552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01CF0F4F
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01CE0040
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01CE006C
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01CE0FEF
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01CE0025
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01CE0FAF
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01CE0000
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01CE0FC0
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 89]
.text C:\WINDOWS\Explorer.EXE[552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01CE0051
.text C:\WINDOWS\Explorer.EXE[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01CD0FB7
.text C:\WINDOWS\Explorer.EXE[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 01CD0FD2
.text C:\WINDOWS\Explorer.EXE[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01CD001D
.text C:\WINDOWS\Explorer.EXE[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01CD0000
.text C:\WINDOWS\Explorer.EXE[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01CD0038
.text C:\WINDOWS\Explorer.EXE[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01CD0FE3
.text C:\WINDOWS\Explorer.EXE[552] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01AF0000
.text C:\WINDOWS\Explorer.EXE[552] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01AF0011
.text C:\WINDOWS\Explorer.EXE[552] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01AF0022
.text C:\WINDOWS\Explorer.EXE[552] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01AF0FC7
.text C:\WINDOWS\Explorer.EXE[552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01B00000
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0082
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF005B
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00B8
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF009D
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F26
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00C9
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F15
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF002F
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0014
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F55
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE001B
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0F5E
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0FC0
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE0FDB
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE0F79
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DE0F8A
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FE, 88]
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0FAF
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0FAB
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0036
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD001B
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD0FBC
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0FD7
.text C:\WINDOWS\system32\services.exe[716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01020F5C
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01020F77
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01020051
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01020F94
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01020036
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01020089
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01020F41
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01020EF0
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01020F01
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01020EDF
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0102006C
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01020FCA
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01020011
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01020F26
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01010FDB
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0101006F
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0101002C
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01010011
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01010FA8
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01010FB9
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [21, 89]
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01010FCA
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF003D
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB2
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0022
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\lsass.exe[728] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B4005B
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F66
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40F83
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40036
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40FA8
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F3A
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40076
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F15
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400AE
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B400C9
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F55
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40FD4
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B4009D
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B3002C
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30FA8
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FE5
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B3001B
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30FB9
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B30FCA
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D3, 88]
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30051
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B2002C
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FA1
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20FD7
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FBC
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20011
.text C:\WINDOWS\system32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30F68
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30067
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30040
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F83
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30F9E
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30F4B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30093
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E300E4
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E300D3
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E30F3A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E30025
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E30078
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E300AE
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20F8D
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20FA8
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E20040
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E2002F
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10FC1
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E10FD2
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E1001D
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E10038
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10000
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E00000
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03900000
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03900F91
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03900090
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03900073
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03900FB6
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03900047
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03900F5E
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03900F6F
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03900F32
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 039000D5
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 039000E6
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03900062
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03900FE5
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03900F80
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03900036
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0390001B
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03900F4D
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 038F0FC3
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 038F006F
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 038F0FD4
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 038F000A
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 038F0054
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 038F0FEF
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 038F0FB2
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AF, 8B]
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 038F002F
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 038E0033
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 038E0FB2
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 038E0FD4
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 038E000C
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 038E0FC3
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 038E0FEF
.text C:\WINDOWS\System32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 038D0000
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 038B0FEF
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 038B0FD4
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 038B000A
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 038B001B
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F37
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B002C
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F52
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F6F
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0F94
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B007F
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0058
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F01
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F12
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0EE6
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B001B
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0047
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0FB9
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B009A
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FAF
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F79
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0036
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A001B
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0F9E
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0079005F
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790044
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790033
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FDE
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FEF
.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0098
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0FAD
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C007D
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0047
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F7C
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C00C4
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F57
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00F0
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0F3C
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C006C
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0011
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C00B3
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0036
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00DF
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B002C
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0062
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B001B
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0051
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0000
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0FA5
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FC0
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FAD
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0042
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FE3
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FC8
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D
.text C:\WINDOWS\System32\svchost.exe[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB00B3
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB00A2
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0091
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0080
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB005B
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F7E
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB00C4
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0117
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0106
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0132
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F99
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0036
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00EB
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FB9
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093005B
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930014
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FDE
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930040
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093002F
.text C:\WINDOWS\System32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FA8
.text C:\WINDOWS\System32\svchost.exe[1744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F86
.text C:\WINDOWS\System32\svchost.exe[1744] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092001B
.text C:\WINDOWS\System32\svchost.exe[1744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC6
.text C:\WINDOWS\System32\svchost.exe[1744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[1744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB5
.text C:\WINDOWS\System32\svchost.exe[1744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FE3
.text C:\WINDOWS\System32\svchost.exe[1744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1744] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FE5
.text C:\WINDOWS\System32\svchost.exe[1744] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900025
.text C:\WINDOWS\System32\svchost.exe[1744] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[1744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40056
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40045
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40F6B
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40F7C
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40FA8
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A4009F
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A4008E
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A400CB
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F32
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A400DC
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40F8D
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40071
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A400BA
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F94
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30025
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30FAF
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30000
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A30051
.text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30040
.text C:\WINDOWS\System32\svchost.exe[2052] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20069
.text C:\WINDOWS\System32\svchost.exe[2052] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20044
.text C:\WINDOWS\System32\svchost.exe[2052] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20029
.text C:\WINDOWS\System32\svchost.exe[2052] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\System32\svchost.exe[2052] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\System32\svchost.exe[2052] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A2000C
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70000
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F7006E
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F7005D
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F83
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F94
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F7001B
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F26
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F37
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F700BF
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700AE
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700DA
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70040
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FDB
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F5E
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FAF
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FC0
.text C:\Program Files\Messenger\msmsgs.exe[2072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70089
.text C:\Program Files\Messenger\msmsgs.exe[2072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50038
.text C:\Program Files\Messenger\msmsgs.exe[2072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50FAD
.text C:\Program Files\Messenger\msmsgs.exe[2072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FD2
.text C:\Program Files\Messenger\msmsgs.exe[2072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\Program Files\Messenger\msmsgs.exe[2072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F5001D
.text C:\Program Files\Messenger\msmsgs.exe[2072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50FE3
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60FC0
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60058
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FD1
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60011
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60F9B
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60047
.text C:\Program Files\Messenger\msmsgs.exe[2072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F6002C
.text C:\Program Files\Messenger\msmsgs.exe[2072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40FEF
.text C:\Program Files\Messenger\msmsgs.exe[2072] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E10FEF
.text C:\Program Files\Messenger\msmsgs.exe[2072] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E10FCA
.text C:\Program Files\Messenger\msmsgs.exe[2072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E10000
.text C:\Program Files\Messenger\msmsgs.exe[2072] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E10FAF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 December 2009 - 12:23 AM

OTL gets a rather bad rap around the internet

That's the first time I've heard that. Can you give me a link to where it's getting a bad rap?

Edited by Buckeye_Sam, 07 December 2009 - 12:24 AM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 December 2009 - 12:32 AM

How did you remove Regrun?
I still see quite a bit of it here.



Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - [2009/11/26 20:54:15 | 00,224,256 | ---- | M] () -- C:\WINDOWS\system32\sshnas.dll -- (SSHNAS)
    [2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
    [1 C:\*.tmp files -> C:\*.tmp -> ]
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.



========================================================

#6 marc_e
  • Topic Starter

  • Members
  • 15 posts

Posted 09 December 2009 - 01:49 AM

OK, I am doing what you recommended this evening. Here is one kind of negative OTL link:
http://www.prevx.com/filenames/22272406566...X1/OTL.EXE.html

Basically I did a Google search of OTL.exe and it dominates on the negative side a bit. But it may mostly just be anti-malware ads popping up on the first couple of pages as well. So I am doing what you advised and will get the results posted in the A.M.

#7 marc_e
  • Topic Starter

  • Members
  • 15 posts

Posted 09 December 2009 - 01:50 AM

I notice that RegRun is still around in bits and pieces as well, which concerns me. It is not still visibly running though.

#8 marc_e
  • Topic Starter

  • Members
  • 15 posts

Posted 09 December 2009 - 02:03 AM

All processes killed
========== OTL ==========
Service SSHNAS stopped successfully!
Service SSHNAS deleted successfully!
C:\WINDOWS\system32\sshnas.dll moved successfully.
C:\WINDOWS\System32\dllcache\advapi32.dll.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\msvcrt.dll.tmp deleted successfully.
C:\WINDOWS\002388_.tmp deleted successfully.
C:\WINDOWS\005804_.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET65D1.tmp deleted successfully.
C:\WINDOWS\System32\SET65D3.tmp deleted successfully.
C:\WINDOWS\System32\SET65DF.tmp deleted successfully.
C:\WINDOWS\System32\SET65E1.tmp deleted successfully.
C:\WINDOWS\System32\SET65E8.tmp deleted successfully.
C:\WINDOWS\System32\SET65E9.tmp deleted successfully.
C:\WINDOWS\System32\SET65EA.tmp deleted successfully.
C:\WINDOWS\System32\SET65ED.tmp deleted successfully.
C:\WINDOWS\System32\setb4.tmp deleted successfully.
C:\Documents and Settings\Owner\My Documents\~WRL2753.tmp deleted successfully.
C:\tmpHtmlPage.tmp deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 22161154 bytes
->Temporary Internet Files folder emptied: 116031275 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 102517943 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 155128 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10949770 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 42706 bytes
RecycleBin emptied: 12956499 bytes

I did not realize this was going to be a quick result. Here it is. I did not check "scan all users" like before, because you did not recommend that I do it.

Total Files Cleaned = 252.70 mb


OTL by OldTimer - Version 3.1.11.6 log created on 12082009_235329

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\mcmsc_hzKtENnhYG8TlKV not found!
File\Folder C:\WINDOWS\temp\mcmsc_SPn56GLPmWHC2fn not found!

Registry entries deleted on Reboot...

#9 marc_e
  • Topic Starter

  • Members
  • 15 posts

Posted 09 December 2009 - 02:24 AM

Full scan with "scan all users" checked:

OTL logfile created on: 12/9/2009 12:05:19 AM - Run 3
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.36 Mb Total Physical Memory | 79.52 Mb Available Physical Memory | 17.77% Memory free
1.03 Gb Paging File | 0.61 Gb Available in Paging File | 58.91% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 88.00 Gb Free Space | 81.98% Space Free | Partition Type: NTFS
Drive D: | 4.43 Gb Total Space | 0.69 Gb Free Space | 15.56% Space Free | Partition Type: FAT32
Drive E: | 316.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 495.83 Mb Total Space | 374.99 Mb Free Space | 75.63% Space Free | Partition Type: FAT

Computer Name: CONFERENCE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/20 13:51:34 | 02,335,880 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/11/10 15:39:26 | 05,244,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/11/07 10:25:38 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/01 17:22:04 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/01 17:22:04 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/02/23 06:05:34 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 10:25:22 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/13 17:47:10 | 00,155,648 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2005/07/22 14:04:50 | 00,217,088 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/01/21 17:04:42 | 00,163,840 | ---- | M] (Simple Star, Inc.) -- C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe
PRC - [2003/03/03 11:44:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe


========== Modules (SafeList) ==========

MOD - [2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 17:12:01 | 00,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2007/04/19 11:21:40 | 00,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (McDetect.exe)
SRV - File not found -- -- (BackupClientSvc)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/03/01 17:22:04 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2005/09/03 16:21:26 | 00,323,584 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService)
SRV - [2005/07/22 14:04:50 | 00,217,088 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/04/03 21:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/03/09 18:31:02 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/03/03 11:44:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/04/09 13:23:02 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/04/13 11:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/05/07 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2005/02/01 22:21:04 | 00,014,408 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2004/10/22 09:41:46 | 00,413,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/10/22 09:38:28 | 00,053,376 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 22:29:51 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2004/02/17 05:49:14 | 00,391,424 | ---- | M] (Sensaura Ltd) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/03/14 01:14:28 | 00,112,288 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2003/03/14 01:14:16 | 00,078,496 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2003/03/14 01:13:04 | 00,090,395 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2003/03/09 18:31:02 | 00,021,456 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 18:31:02 | 00,016,080 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 18:31:00 | 00,051,024 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/03/07 22:13:22 | 00,624,369 | ---- | M] (LT) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/03/03 11:44:00 | 01,248,794 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/02/26 19:19:50 | 00,260,736 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/02/22 19:55:26 | 00,141,824 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/01/10 19:28:02 | 00,065,280 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\WINDOWS\system32\drivers\TPkd.sys -- (TPkd)
DRV - [2003/01/08 21:12:46 | 00,068,672 | R--- | M] (2Wire, Inc.) -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2002/12/27 11:41:00 | 00,026,880 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/12/24 22:09:48 | 00,030,848 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/10/21 10:21:00 | 00,082,784 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\System32\DRIVERS\drvmcdb.sys -- (drvmcdb)
DRV - [2002/10/01 08:22:32 | 00,009,856 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/23 17:37:00 | 00,080,896 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2002/09/06 18:24:00 | 00,013,568 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/08/29 05:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2002/08/29 05:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2002/08/29 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/06/04 13:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\S-1-5-21-285400561-1825411671-3093264262-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="
FF - prefs.js..network.proxy.no_proxies_on: "local.,"


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/21 20:24:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/08 23:58:06 | 00,000,000 | ---D | M]

[2009/09/30 18:17:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/08 19:30:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ebo8sx53.default\extensions
[2009/12/07 19:32:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ebo8sx53.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/09/30 18:16:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..\Toolbar\ShellBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe File not found
O4 - HKLM..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc.)
O4 - HKLM..\Run: [VSOCheckTask] C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe (McAfee, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [PhotoShow Deluxe Media Manager] C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..Trusted Domains: genesiscommunications.biz ([agent] https in Trusted sites)
O15 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..Trusted Domains: 10 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 () - http://www.coloacad.org/homeimages/spacer10.gif
O24 - Desktop Components:1 () - http://www.manpb.org/mariap.jpg
O24 - Desktop Components:2 () - http://www.frontierairlines.com/images/hom...contentwell.gif
O24 - Desktop Components:3 () - http://www.chase.com/ccpmweb/generic/image...inum_middle.jpg
O24 - Desktop Components:4 () - http://us.i1.yimg.com/us.yimg.com/i/mntl/s...q2/img_dads.jpg
O24 - Desktop Components:5 () - http://www.melaleuca.com/ps/images_us/splash_main03.jpg
O24 - Desktop Components:6 () - http://www.mackintoshacademy.com/elwebport...es/moutains.jpg
O24 - Desktop Components:7 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {F552DDE6-2090-4bf4-B924-6141E87789A5} - C:\Program Files\Greatis\RegRunSuite\RRShell.dll (Greatis Software, LLC)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/09 22:19:17 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2007/12/14 06:48:00 | 00,000,052 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/08 23:53:29 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/07 19:34:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Yahoo
[2009/12/07 19:31:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/12/07 16:16:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\great leads info_files
[2009/12/04 16:59:03 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/04 09:45:16 | 00,000,000 | ---D | C] -- C:\Program Files\Citrix
[2009/12/03 19:07:22 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/29 23:59:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RegRunInfo
[2009/11/29 23:58:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\RestoreSafeDeleted
[2009/11/29 23:47:54 | 00,024,416 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/11/29 23:47:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RegRun2
[2009/11/29 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Greatis
[2009/11/29 10:53:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\confirmation.asp_files
[2009/11/14 19:57:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\GOL_byHasbro
[2009/11/14 19:55:24 | 00,000,000 | ---D | C] -- C:\GameHouse Games
[2009/11/14 19:54:27 | 00,000,000 | ---D | C] -- C:\Program Files\RealArcade
[2009/11/12 08:43:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/11/12 08:14:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/11/12 08:14:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/11/12 08:14:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en

========== Files - Modified Within 30 Days ==========

[2009/12/08 23:57:47 | 00,015,669 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/08 23:57:42 | 00,000,416 | ---- | M] () -- C:\WINDOWS\tasks\PCConfidential.job
[2009/12/08 23:56:57 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/08 23:56:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/08 23:56:55 | 46,915,9936 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/08 23:56:45 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/12/08 23:56:29 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/12/08 22:13:15 | 00,000,218 | ---- | M] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2009/12/08 17:04:29 | 00,000,188 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Agent Interface for Dialer.url
[2009/12/08 17:04:03 | 00,000,214 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Online Scheduling.url
[2009/12/08 06:56:05 | 00,012,287 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google.url
[2009/12/08 00:14:25 | 00,000,229 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\craigslist denver classifieds for jobs, apartments, personals, for sale, services, community, and events.url
[2009/12/07 19:31:10 | 00,000,848 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/12/07 17:33:13 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MARY PROJECT.doc
[2009/12/07 17:01:40 | 08,583,890 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/12/07 16:21:58 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Below is a list of action items and your log in credentials for our systems.doc
[2009/12/07 16:16:27 | 00,176,756 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\great leads info.htm
[2009/12/06 22:03:59 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/12/06 18:14:32 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Wii game wish list.doc
[2009/12/06 14:58:24 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mary's 2009 wishlist.doc
[2009/12/04 17:19:50 | 00,284,153 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/04 10:52:42 | 00,000,406 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ChatLog New meeting 2009_12_04 10_52.rtf
[2009/12/04 10:02:52 | 00,002,162 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GoToMeeting Quick Connect.lnk
[2009/12/04 09:45:03 | 00,070,984 | ---- | M] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
[2009/12/03 19:07:34 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/12/03 18:56:20 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/12/02 21:23:21 | 00,055,668 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tiger.jpg
[2009/12/01 21:04:45 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nintendo game wishlist.doc
[2009/12/01 01:00:26 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/01 01:00:21 | 00,001,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Explorer.lnk
[2009/11/29 23:51:48 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/29 23:51:48 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/11/29 23:51:48 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2009/11/29 10:53:11 | 00,016,139 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
[2009/11/29 09:08:38 | 00,463,872 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\INTERNET EXPLORER DISABLED.doc
[2009/11/28 11:28:29 | 00,106,496 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\pop up blocker.doc
[2009/11/26 21:57:42 | 00,000,648 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/26 21:18:06 | 00,000,420 | ---- | M] () -- C:\WINDOWS\tasks\RPCReminder.job
[2009/11/26 20:58:38 | 00,049,624 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/26 20:51:27 | 00,196,608 | ---- | M] () -- C:\WINDOWS\MSA.del
[2009/11/25 01:02:36 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/21 12:17:18 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/11/20 21:55:55 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\The Nuts And Bolts of Things.doc
[2009/11/20 14:15:27 | 00,001,362 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/11/19 19:18:42 | 00,031,744 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tanyau resume.doc
[2009/11/15 01:24:13 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/11/13 20:29:14 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\PaySimple cover letter.doc
[2009/11/12 08:45:55 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/12 08:45:54 | 00,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/12 08:45:54 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/12 08:43:15 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/12 08:42:32 | 00,199,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/12 08:05:22 | 00,250,048 | RHS- | M] () -- C:\ntldr

========== Files Created - No Company Name ==========

[2009/12/08 22:13:15 | 00,000,218 | ---- | C] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2009/12/08 17:04:29 | 00,000,188 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Agent Interface for Dialer.url
[2009/12/08 17:04:03 | 00,000,214 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Online Scheduling.url
[2009/12/07 19:31:10 | 00,000,848 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/12/07 17:32:17 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MARY PROJECT.doc
[2009/12/07 16:21:58 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Below is a list of action items and your log in credentials for our systems.doc
[2009/12/07 16:16:20 | 00,176,756 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\great leads info.htm
[2009/12/06 18:14:26 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Wii game wish list.doc
[2009/12/04 17:21:22 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/12/04 17:19:48 | 00,284,153 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/12/04 10:52:41 | 00,000,406 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ChatLog New meeting 2009_12_04 10_52.rtf
[2009/12/04 10:02:52 | 00,002,162 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GoToMeeting Quick Connect.lnk
[2009/12/04 09:45:03 | 00,070,984 | ---- | C] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
[2009/12/03 18:56:14 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/02 21:23:18 | 00,055,668 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tiger.jpg
[2009/12/01 21:04:45 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Nintendo game wishlist.doc
[2009/11/29 23:47:53 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2009/11/29 23:46:52 | 00,083,008 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ShLog.txt
[2009/11/29 23:46:18 | 00,057,556 | ---- | C] () -- C:\WINDOWS\guard.bmp
[2009/11/29 10:53:05 | 00,016,139 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
[2009/11/29 09:08:37 | 00,463,872 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\INTERNET EXPLORER DISABLED.doc
[2009/11/28 11:28:23 | 00,106,496 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\pop up blocker.doc
[2009/11/26 20:51:39 | 00,196,608 | ---- | C] () -- C:\WINDOWS\MSA.del
[2009/11/20 14:15:27 | 00,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/11/19 22:14:18 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\The Nuts And Bolts of Things.doc
[2009/11/16 11:55:11 | 00,031,744 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tanyau resume.doc
[2009/11/13 20:23:41 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\PaySimple cover letter.doc
[2009/11/12 01:02:17 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/08/22 10:22:44 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/06/08 16:14:13 | 00,001,140 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/05/29 08:17:53 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/05/29 08:17:53 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2006/12/16 14:00:49 | 00,000,036 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/29 07:18:31 | 00,000,076 | ---- | C] () -- C:\WINDOWS\ariel_ss.ini
[2006/01/24 20:04:32 | 00,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/01/13 16:41:57 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2006/01/13 16:41:57 | 00,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2005/12/25 11:41:21 | 00,000,639 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/08/26 13:54:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/07/25 16:50:54 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2005/07/25 16:50:19 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2005/07/25 16:50:18 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/01/06 13:31:29 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/07/09 10:17:37 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/06/02 10:09:53 | 00,000,356 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2003/11/08 12:54:57 | 00,000,332 | ---- | C] () -- C:\WINDOWS\ka.ini
[2003/10/09 12:42:26 | 00,000,459 | ---- | C] () -- C:\WINDOWS\import.INI
[2003/09/11 20:11:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/09/03 12:25:00 | 00,184,320 | ---- | C] () -- C:\WINDOWS\System32\EmbeddedDX.dll
[2003/09/03 12:25:00 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\sbaparam.dll
[2003/09/03 12:25:00 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\sbautils.dll
[2003/09/03 12:24:59 | 00,010,875 | ---- | C] () -- C:\WINDOWS\ESOA.INI
[2003/09/03 12:24:59 | 00,003,679 | ---- | C] () -- C:\WINDOWS\GrAddrBk.ini
[2003/09/03 12:24:59 | 00,002,298 | ---- | C] () -- C:\WINDOWS\WINPOINT.INI
[2003/09/03 12:24:59 | 00,000,995 | ---- | C] () -- C:\WINDOWS\GRACE.INI
[2003/09/03 12:24:59 | 00,000,255 | ---- | C] () -- C:\WINDOWS\GrAdr16.ini
[2003/09/03 12:24:59 | 00,000,053 | ---- | C] () -- C:\WINDOWS\PRSRVDLL.INI
[2003/08/24 13:40:16 | 00,000,645 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/10 04:35:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/10 04:34:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/04/10 04:21:36 | 00,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/04/10 01:51:07 | 00,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/04/10 01:51:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/04/10 00:06:10 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/04/10 00:03:38 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/04/10 00:03:38 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/04/09 23:57:15 | 00,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/04/09 23:57:04 | 00,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/04/09 23:16:44 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/04/09 22:55:02 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/04/09 22:44:58 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/04/09 22:44:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/04/09 22:44:29 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/04/09 22:23:21 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/09 22:05:45 | 00,000,659 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/03/09 18:31:04 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/05/24 08:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2002/05/24 08:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2001/08/14 18:47:08 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll
< End of report >

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:38 AM

Posted 09 December 2009 - 08:43 AM

ok I am doing what you recommended this evening. Here is one kind of negative OTL link-
http://www.prevx.com/filenames/22272406566...X1/OTL.EXE.html

basically I did a google search of OTL.exe and it dominates on the negative side a bit. But it may mostly just be anti-malware ads popping up on the first couple pages as well. so I am doing what you advised and will get the results posted in the A.M.


Prevx doesn't say it's bad. Just that it's "Currently being reviewed".
You'll find that it says that about many files that are in the prevx database.

It's not uncommon for the tools we use here to come up on false positives. They are powerful tools.
But I assure you that as long as you use the links I give you, anything I ask you to download will be 100% safe.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:38 AM

Posted 09 December 2009 - 08:48 AM

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


====================



Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - [2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
    [2009/11/29 23:59:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RegRunInfo
    [2009/11/29 23:47:54 | 00,024,416 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
    [2009/11/29 23:47:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RegRun2
    [2009/11/29 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Greatis
    
    :Commands
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

========================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
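The fix script above is built by hand from lines in the OTL log. The following is an added example (not code from the thread, from OTL or from its author) showing how the OTL line format posted in this thread can be parsed into records, how leftover entries can be flagged by company name or path, and how the flagged lines are rendered in the same :OTL / :Commands layout. The parser is an assumption about the format based on the logs above; the watch terms (Greatis, RegRun, regguard) and the sample lines are taken from this thread.

```python
"""Parse OTL log lines and build an :OTL fix block from flagged entries.

Added example, not part of the original thread or of OTL itself. The
regular expressions are an assumption about the line layout seen in the
logs posted above (PRC/SRV/DRV entries and dated file-listing entries).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of one OTL entry (from the thread):
# DRV - [2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\...\regguard.sys -- (RegGuard)
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\)(?P<desc> .*)?)?$"
)
# Registered service/driver whose file is gone, e.g.
# SRV - File not found -- -- (McDetect.exe)
MISSING_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - File not found -- -- \((?P<name>[^)]*)\)$"
)


@dataclass
class OtlEntry:
    raw: str
    kind: Optional[str]        # PRC/MOD/SRV/DRV, or None for file-listing lines
    timestamp: Optional[str]
    size: Optional[int]        # bytes, or None when the file is missing
    is_dir: bool
    company: str               # "" when OTL printed "()" (no version info)
    path: Optional[str]
    name: Optional[str]        # service/driver/process name in trailing parentheses


def parse_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a recognised OTL line, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return OtlEntry(
            raw=line, kind=m["kind"], timestamp=m["ts"],
            size=int(m["size"].replace(",", "")),
            is_dir="D" in m["attrs"], company=m["company"] or "",
            path=m["path"], name=m["name"],
        )
    m = MISSING_RE.match(line)
    if m:
        return OtlEntry(raw=line, kind=m["kind"], timestamp=None, size=None,
                        is_dir=False, company="", path=None, name=m["name"])
    return None


def parse_log(text: str) -> List[OtlEntry]:
    """Parse every recognisable line; headers and blank lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag_entries(entries: List[OtlEntry], watch_terms: List[str]) -> List[OtlEntry]:
    """Entries whose company or path mentions any watch term (case-insensitive)."""
    terms = [t.lower() for t in watch_terms]
    hits = []
    for e in entries:
        hay = (e.company + " " + (e.path or "")).lower()
        if any(t in hay for t in terms):
            hits.append(e)
    return hits


def build_fix(entries: List[OtlEntry]) -> str:
    """Render flagged entries in the :OTL / :Commands format used in the thread."""
    body = "\n".join(e.raw for e in entries)
    return ":OTL\n" + body + "\n\n:Commands\n[emptytemp]\n[Reboot]\n"


# Constructed sample: lines copied from the logs in this thread, plus a
# benign document entry and a 'File not found' service entry.
SAMPLE_LOG = r"""
DRV - [2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
SRV - File not found -- -- (McDetect.exe)
SRV - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
[2009/11/29 23:59:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RegRunInfo
[2009/11/29 23:47:54 | 00,024,416 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/11/29 23:47:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RegRun2
[2009/11/29 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Greatis
[2009/11/29 10:53:05 | 00,016,139 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
"""

WATCH_TERMS = ["Greatis", "RegRun", "regguard"]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(build_fix(flag_entries(entries, WATCH_TERMS)))
```

Run against a full OTL log, the flagged set reproduces the five lines of the helper's fix block and leaves the user's own documents untouched.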


========================================================

#12 marc_e

marc_e
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:38 PM

Posted 12 December 2009 - 02:07 AM

Malwarebytes Log-

Malwarebytes' Anti-Malware 1.42
Database version: 3348
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2009 12:05:09 AM
mbam-log-2009-12-12 (00-05-09).txt

Scan type: Quick Scan
Objects scanned: 113685
Time elapsed: 16 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8bcb5337-ec01-4e38-840c-a964f174255b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL Log-

OTL logfile created on: 12/9/2009 12:05:19 AM - Run 3
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.36 Mb Total Physical Memory | 79.52 Mb Available Physical Memory | 17.77% Memory free
1.03 Gb Paging File | 0.61 Gb Available in Paging File | 58.91% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.34 Gb Total Space | 88.00 Gb Free Space | 81.98% Space Free | Partition Type: NTFS
Drive D: | 4.43 Gb Total Space | 0.69 Gb Free Space | 15.56% Space Free | Partition Type: FAT32
Drive E: | 316.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 495.83 Mb Total Space | 374.99 Mb Free Space | 75.63% Space Free | Partition Type: FAT

Computer Name: CONFERENCE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/20 13:51:34 | 02,335,880 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/11/10 15:39:26 | 05,244,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/11/07 10:25:38 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/01 17:22:04 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/01 17:22:04 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/02/23 06:05:34 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 10:25:22 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/13 17:47:10 | 00,155,648 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2005/07/22 14:04:50 | 00,217,088 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/01/21 17:04:42 | 00,163,840 | ---- | M] (Simple Star, Inc.) -- C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe
PRC - [2003/03/03 11:44:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe


========== Modules (SafeList) ==========

MOD - [2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 17:12:01 | 00,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2007/04/19 11:21:40 | 00,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (McDetect.exe)
SRV - File not found -- -- (BackupClientSvc)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/03/01 17:22:04 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/24 10:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2005/09/03 16:21:26 | 00,323,584 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService)
SRV - [2005/07/22 14:04:50 | 00,217,088 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/04/03 21:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/03/09 18:31:02 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/03/03 11:44:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/04/09 13:23:02 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/04/13 11:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/05/07 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2005/02/01 22:21:04 | 00,014,408 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2004/10/22 09:41:46 | 00,413,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/10/22 09:38:28 | 00,053,376 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 22:29:51 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2004/02/17 05:49:14 | 00,391,424 | ---- | M] (Sensaura Ltd) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/03/14 01:14:28 | 00,112,288 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2003/03/14 01:14:16 | 00,078,496 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2003/03/14 01:13:04 | 00,090,395 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2003/03/09 18:31:02 | 00,021,456 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 18:31:02 | 00,016,080 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 18:31:00 | 00,051,024 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/03/07 22:13:22 | 00,624,369 | ---- | M] (LT) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/03/03 11:44:00 | 01,248,794 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/02/26 19:19:50 | 00,260,736 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/02/22 19:55:26 | 00,141,824 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/01/10 19:28:02 | 00,065,280 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\WINDOWS\system32\drivers\TPkd.sys -- (TPkd)
DRV - [2003/01/08 21:12:46 | 00,068,672 | R--- | M] (2Wire, Inc.) -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2002/12/27 11:41:00 | 00,026,880 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/12/24 22:09:48 | 00,030,848 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/10/21 10:21:00 | 00,082,784 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\System32\DRIVERS\drvmcdb.sys -- (drvmcdb)
DRV - [2002/10/01 08:22:32 | 00,009,856 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/23 17:37:00 | 00,080,896 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2002/09/06 18:24:00 | 00,013,568 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/08/29 05:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2002/08/29 05:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2002/08/29 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/06/04 13:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\S-1-5-21-285400561-1825411671-3093264262-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="
FF - prefs.js..network.proxy.no_proxies_on: "local.,"


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/21 20:24:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/08 23:58:06 | 00,000,000 | ---D | M]

[2009/09/30 18:17:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/08 19:30:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ebo8sx53.default\extensions
[2009/12/07 19:32:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ebo8sx53.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/09/30 18:16:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..\Toolbar\ShellBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe File not found
O4 - HKLM..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc.)
O4 - HKLM..\Run: [VSOCheckTask] C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe (McAfee, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [PhotoShow Deluxe Media Manager] C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..Trusted Domains: genesiscommunications.biz ([agent] https in Trusted sites)
O15 - HKU\S-1-5-21-285400561-1825411671-3093264262-1003\..Trusted Domains: 10 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 () - http://www.coloacad.org/homeimages/spacer10.gif
O24 - Desktop Components:1 () - http://www.manpb.org/mariap.jpg
O24 - Desktop Components:2 () - http://www.frontierairlines.com/images/hom...contentwell.gif
O24 - Desktop Components:3 () - http://www.chase.com/ccpmweb/generic/image...inum_middle.jpg
O24 - Desktop Components:4 () - http://us.i1.yimg.com/us.yimg.com/i/mntl/s...q2/img_dads.jpg
O24 - Desktop Components:5 () - http://www.melaleuca.com/ps/images_us/splash_main03.jpg
O24 - Desktop Components:6 () - http://www.mackintoshacademy.com/elwebport...es/moutains.jpg
O24 - Desktop Components:7 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {F552DDE6-2090-4bf4-B924-6141E87789A5} - C:\Program Files\Greatis\RegRunSuite\RRShell.dll (Greatis Software, LLC)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/09 22:19:17 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2007/12/14 06:48:00 | 00,000,052 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/08 23:53:29 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/07 19:34:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Yahoo
[2009/12/07 19:31:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/12/07 16:16:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\great leads info_files
[2009/12/04 16:59:03 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/04 09:45:16 | 00,000,000 | ---D | C] -- C:\Program Files\Citrix
[2009/12/03 19:07:22 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/29 23:59:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RegRunInfo
[2009/11/29 23:58:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\RestoreSafeDeleted
[2009/11/29 23:47:54 | 00,024,416 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/11/29 23:47:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RegRun2
[2009/11/29 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Greatis
[2009/11/29 10:53:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\confirmation.asp_files
[2009/11/14 19:57:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\GOL_byHasbro
[2009/11/14 19:55:24 | 00,000,000 | ---D | C] -- C:\GameHouse Games
[2009/11/14 19:54:27 | 00,000,000 | ---D | C] -- C:\Program Files\RealArcade
[2009/11/12 08:43:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/11/12 08:14:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/11/12 08:14:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/11/12 08:14:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en

========== Files - Modified Within 30 Days ==========

[2009/12/08 23:57:47 | 00,015,669 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/08 23:57:42 | 00,000,416 | ---- | M] () -- C:\WINDOWS\tasks\PCConfidential.job
[2009/12/08 23:56:57 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/08 23:56:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/08 23:56:55 | 46,915,9936 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/08 23:56:45 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/12/08 23:56:29 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/12/08 22:13:15 | 00,000,218 | ---- | M] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2009/12/08 17:04:29 | 00,000,188 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Agent Interface for Dialer.url
[2009/12/08 17:04:03 | 00,000,214 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Online Scheduling.url
[2009/12/08 06:56:05 | 00,012,287 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google.url
[2009/12/08 00:14:25 | 00,000,229 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\craigslist denver classifieds for jobs, apartments, personals, for sale, services, community, and events.url
[2009/12/07 19:31:10 | 00,000,848 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/12/07 17:33:13 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MARY PROJECT.doc
[2009/12/07 17:01:40 | 08,583,890 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/12/07 16:21:58 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Below is a list of action items and your log in credentials for our systems.doc
[2009/12/07 16:16:27 | 00,176,756 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\great leads info.htm
[2009/12/06 22:03:59 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/12/06 18:14:32 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Wii game wish list.doc
[2009/12/06 14:58:24 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mary's 2009 wishlist.doc
[2009/12/04 17:19:50 | 00,284,153 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/12/04 16:59:18 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/04 10:52:42 | 00,000,406 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ChatLog New meeting 2009_12_04 10_52.rtf
[2009/12/04 10:02:52 | 00,002,162 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GoToMeeting Quick Connect.lnk
[2009/12/04 09:45:03 | 00,070,984 | ---- | M] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
[2009/12/03 19:07:34 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/12/03 18:56:20 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/03 07:47:17 | 00,024,416 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2009/12/02 21:23:21 | 00,055,668 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tiger.jpg
[2009/12/01 21:04:45 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nintendo game wishlist.doc
[2009/12/01 01:00:26 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/01 01:00:21 | 00,001,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Explorer.lnk
[2009/11/29 23:51:48 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/29 23:51:48 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/11/29 23:51:48 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2009/11/29 10:53:11 | 00,016,139 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
[2009/11/29 09:08:38 | 00,463,872 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\INTERNET EXPLORER DISABLED.doc
[2009/11/28 11:28:29 | 00,106,496 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\pop up blocker.doc
[2009/11/26 21:57:42 | 00,000,648 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/26 21:18:06 | 00,000,420 | ---- | M] () -- C:\WINDOWS\tasks\RPCReminder.job
[2009/11/26 20:58:38 | 00,049,624 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/26 20:51:27 | 00,196,608 | ---- | M] () -- C:\WINDOWS\MSA.del
[2009/11/25 01:02:36 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/21 12:17:18 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/11/20 21:55:55 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\The Nuts And Bolts of Things.doc
[2009/11/20 14:15:27 | 00,001,362 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/11/19 19:18:42 | 00,031,744 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tanyau resume.doc
[2009/11/15 01:24:13 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/11/13 20:29:14 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\PaySimple cover letter.doc
[2009/11/12 08:45:55 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/12 08:45:54 | 00,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/12 08:45:54 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/12 08:43:15 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/12 08:42:32 | 00,199,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/12 08:05:22 | 00,250,048 | RHS- | M] () -- C:\ntldr

========== Files Created - No Company Name ==========

[2009/12/08 22:13:15 | 00,000,218 | ---- | C] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2009/12/08 17:04:29 | 00,000,188 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Agent Interface for Dialer.url
[2009/12/08 17:04:03 | 00,000,214 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Online Scheduling.url
[2009/12/07 19:31:10 | 00,000,848 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/12/07 17:32:17 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MARY PROJECT.doc
[2009/12/07 16:21:58 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Below is a list of action items and your log in credentials for our systems.doc
[2009/12/07 16:16:20 | 00,176,756 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\great leads info.htm
[2009/12/06 18:14:26 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Wii game wish list.doc
[2009/12/04 17:21:22 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/12/04 17:19:48 | 00,284,153 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/12/04 10:52:41 | 00,000,406 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ChatLog New meeting 2009_12_04 10_52.rtf
[2009/12/04 10:02:52 | 00,002,162 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GoToMeeting Quick Connect.lnk
[2009/12/04 09:45:03 | 00,070,984 | ---- | C] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
[2009/12/03 18:56:14 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/12/02 21:23:18 | 00,055,668 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tiger.jpg
[2009/12/01 21:04:45 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Nintendo game wishlist.doc
[2009/11/29 23:47:53 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2009/11/29 23:46:52 | 00,083,008 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ShLog.txt
[2009/11/29 23:46:18 | 00,057,556 | ---- | C] () -- C:\WINDOWS\guard.bmp
[2009/11/29 10:53:05 | 00,016,139 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\confirmation.asp.htm
[2009/11/29 09:08:37 | 00,463,872 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\INTERNET EXPLORER DISABLED.doc
[2009/11/28 11:28:23 | 00,106,496 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\pop up blocker.doc
[2009/11/26 20:51:39 | 00,196,608 | ---- | C] () -- C:\WINDOWS\MSA.del
[2009/11/20 14:15:27 | 00,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/11/19 22:14:18 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\The Nuts And Bolts of Things.doc
[2009/11/16 11:55:11 | 00,031,744 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tanyau resume.doc
[2009/11/13 20:23:41 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\PaySimple cover letter.doc
[2009/11/12 01:02:17 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/08/22 10:22:44 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/06/08 16:14:13 | 00,001,140 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/05/29 08:17:53 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/05/29 08:17:53 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2006/12/16 14:00:49 | 00,000,036 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/29 07:18:31 | 00,000,076 | ---- | C] () -- C:\WINDOWS\ariel_ss.ini
[2006/01/24 20:04:32 | 00,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/01/13 16:41:57 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2006/01/13 16:41:57 | 00,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2005/12/25 11:41:21 | 00,000,639 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/08/26 13:54:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/07/25 16:50:54 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2005/07/25 16:50:19 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2005/07/25 16:50:18 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/01/06 13:31:29 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/07/09 10:17:37 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/06/02 10:09:53 | 00,000,356 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2003/11/08 12:54:57 | 00,000,332 | ---- | C] () -- C:\WINDOWS\ka.ini
[2003/10/09 12:42:26 | 00,000,459 | ---- | C] () -- C:\WINDOWS\import.INI
[2003/09/11 20:11:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/09/03 12:25:00 | 00,184,320 | ---- | C] () -- C:\WINDOWS\System32\EmbeddedDX.dll
[2003/09/03 12:25:00 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\sbaparam.dll
[2003/09/03 12:25:00 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\sbautils.dll
[2003/09/03 12:24:59 | 00,010,875 | ---- | C] () -- C:\WINDOWS\ESOA.INI
[2003/09/03 12:24:59 | 00,003,679 | ---- | C] () -- C:\WINDOWS\GrAddrBk.ini
[2003/09/03 12:24:59 | 00,002,298 | ---- | C] () -- C:\WINDOWS\WINPOINT.INI
[2003/09/03 12:24:59 | 00,000,995 | ---- | C] () -- C:\WINDOWS\GRACE.INI
[2003/09/03 12:24:59 | 00,000,255 | ---- | C] () -- C:\WINDOWS\GrAdr16.ini
[2003/09/03 12:24:59 | 00,000,053 | ---- | C] () -- C:\WINDOWS\PRSRVDLL.INI
[2003/08/24 13:40:16 | 00,000,645 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/10 04:35:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/10 04:34:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/04/10 04:21:36 | 00,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/04/10 01:51:07 | 00,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/04/10 01:51:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/04/10 00:06:10 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/04/10 00:03:38 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/04/10 00:03:38 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/04/09 23:57:15 | 00,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/04/09 23:57:04 | 00,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/04/09 23:16:44 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/04/09 22:55:02 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/04/09 22:44:58 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/04/09 22:44:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/04/09 22:44:29 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/04/09 22:23:21 | 00,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/09 22:05:45 | 00,000,659 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/03/09 18:31:04 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/05/24 08:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2002/05/24 08:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2001/08/14 18:47:08 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll
< End of report >

Thank you again,

Marc

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:38 AM

Posted 12 December 2009 - 09:27 AM

It doesn't look like you did the custom fix with OTL.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 marc_e

marc_e
  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:38 PM

Posted 12 December 2009 - 11:46 AM

I ran it but then somehow lost the file. Should I try again? The only file that remains is the darned original OTL log, I guess.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:38 AM

Posted 12 December 2009 - 03:39 PM

Yes, you need to run the custom fix again because it did not work correctly.
