
Unexpected Shutdowns by NT AUTHORITY and Win32 Services error


  • This topic is locked
15 replies to this topic

#1 dori123


Posted 21 January 2010 - 08:44 PM


Just found where I was supposed to have posted.

Below is my post from the "am I infected?" section (http://www.bleepingcomputer.com/forums/t/288825/unexpected-shutdowns/?p=1591733) but it has been updated with the newest Hijack This log.

Thanks much.

Hi all --

First post for me here.

Trying to fix my brother's computer remotely via LogMeIn. The symptoms are consistently unexpected shutdowns with the following two errors:

Generic Host Process for Win32 Services has encountered a problem and needs to close...
and

This system is shutting down. ... This shutdown was initiated by NT AUTHORITY/SYSTEM
This is followed by a one minute counter. I have disabled the counter with "shutdown -a".

I have run Malwarebytes, SuperAntiSpyWare and his McAfee antivirus subscription service. None have found any issues.

I did find that the malware Total Security had not been completely eradicated, so I manually uninstalled it.

Additionally, he is complaining of websites being redirected to ad sites (though I think I just fixed this...? Stay tuned.).

What follows is his HiJackThis log. Any suggestions or advice would be much appreciated, as this is beyond my skill set.

Oh, and nephew has been banned from his dad's computer. : )

Thanks much.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:56 PM, on 1/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\LEXPPS.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\igfxtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\windows\system32\hkcmd.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\windows\System32\mshta.exe
C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\COLECO~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SetRefresh] c:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-515967899-1425521274-839522115-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-515967899-1425521274-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-515967899-1425521274-839522115-1003\..\Run: [Google Update] "C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-515967899-1425521274-839522115-1003\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1250979045357
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PictureTaker - LANovation - C:\windows\system32\PCTKRNT.SYS

--
End of file - 9711 bytes


#2 dori123


Posted 21 January 2010 - 10:49 PM

Quick update:

The redirecting problem remains. I will not try to fix it until I hear from you all.

Thank you again.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 22 January 2010 - 09:34 AM.


#3 etavares

  • Malware Response Team

Posted 27 January 2010 - 06:36 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  1. Click on the My Controls link at the top of the page to enter your control panel.
  2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#4 dori123


Posted 28 January 2010 - 10:31 AM

DDS log is posted below; attach.txt is attached:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Cole Cormeny at 9:20:23.29 on Thu 01/28/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\cole cormeny\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250979045357
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\coleco~1\applic~1\mozilla\firefox\profiles\nzjawbu8.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\cole cormeny\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-23 15:35:44 0 ----a-w- c:\windows\system32\29358.exe
2010-01-23 13:15:06 18432 ----a-w- c:\windows\system32\emp44.exe
2010-01-23 13:15:03 437 ----a-w- C:\44.js
2010-01-22 02:58:37 0 d--h--w- c:\windows\PIF
2010-01-22 02:54:43 0 d-----w- c:\windows\Internet Logs
2010-01-22 02:16:56 0 d-----w- c:\docume~1\coleco~1\applic~1\CheckPoint
2010-01-22 02:16:02 0 d-----w- c:\program files\CheckPoint
2010-01-22 02:15:58 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-22 01:28:33 0 d--h--w- c:\docume~1\alluse~1\applic~1\IObit
2010-01-22 01:28:29 0 d-----w- c:\program files\IObit
2010-01-22 00:43:32 318067 ----a-w- C:\HijackThis.zip
2010-01-20 23:27:21 0 d-----w- c:\program files\TrendMicro
2010-01-20 21:22:06 0 d-----w- c:\windows\pss
2010-01-20 13:15:03 437 ----a-w- C:\33.js
2010-01-13 11:45:47 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 14:32:24 1 ----a-w- C:\s

==================== Find3M ====================

2010-01-22 03:29:45 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-29 17:46:14 69 ----a-w- c:\documents and settings\cole cormeny\jagex_runescape_preferences2.dat
2009-12-29 17:46:14 39 ----a-w- c:\documents and settings\cole cormeny\jagex_runescape_preferences.dat

============= FINISH: 9:23:08.28 ===============
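A triage helper for the DDS log above, added here as an example; it is not part of the thread, the DDS tool or the forum's procedure. It parses the "Created Last 30" block and flags entries for manual review using heuristics drawn from what this log itself shows (a zero-byte executable in system32, numerically named files, scripts dropped at the drive root, hidden executables, and the DisableTaskMgr policy); the sample excerpt is constructed from the posted log, and a flag is a hint to look, not a verdict.

```python
"""Triage helper for the 'Created Last 30' section of a DDS log.

Added example for this thread; it is not part of the DDS tool or the
forum's procedure.  A hit means "review this entry", not "this is malware".
"""
import re
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the DDS log posted in the thread (not the full log).
SAMPLE_DDS = """\
dPolicies-system: DisableTaskMgr = 1 (0x1)

=============== Created Last 30 ================

2010-01-23 15:35:44 0 ----a-w- c:\\windows\\system32\\29358.exe
2010-01-23 13:15:06 18432 ----a-w- c:\\windows\\system32\\emp44.exe
2010-01-23 13:15:03 437 ----a-w- C:\\44.js
2010-01-22 02:16:02 0 d-----w- c:\\program files\\CheckPoint
2010-01-22 02:15:58 4212 ---ha-w- c:\\windows\\system32\\zllictbl.dat
2010-01-20 13:15:03 437 ----a-w- C:\\33.js
2010-01-13 11:45:47 471552 -c----w- c:\\windows\\system32\\dllcache\\aclayers.dll

==================== Find3M ====================
"""

# DDS entry: "<date> <time> <size> <attrs> <path>"; attrs is an 8-char field
# such as ----a-w- (archive file) or d--h--w- (hidden directory).
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$"
)
BINARY_EXT = {".exe", ".sys", ".dll", ".scr", ".com"}
SCRIPT_EXT = {".js", ".vbs", ".bat", ".cmd"}
# Policies that malware commonly sets so the user cannot kill it from Task Manager / regedit.
RISKY_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")


def parse_created_section(text):
    """Return (timestamp, size, attrs, path) tuples from the 'Created Last 30' block."""
    entries, inside = [], False
    for line in text.splitlines():
        if line.startswith("=") and "Created Last 30" in line:
            inside = True
            continue
        if inside and line.startswith("="):  # the next section header ends the block
            break
        m = ENTRY_RE.match(line) if inside else None
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def triage_entry(size, attrs, path):
    """Heuristic reasons to review one file entry; an empty list means nothing stood out."""
    if attrs[0] == "d":  # directories are not reviewed here
        return []
    p = PureWindowsPath(path)
    ext = p.suffix.lower()
    reasons = []
    if ext in BINARY_EXT and size == 0:
        reasons.append("zero_byte_executable")  # a 0-byte .exe in system32 is not a normal install
    if ext in BINARY_EXT | SCRIPT_EXT and p.stem.isdigit():
        reasons.append("numeric_name")  # droppers often use random numeric file names
    if ext in SCRIPT_EXT and len(p.parts) == 2:  # parent is the drive root, e.g. C:\44.js
        reasons.append("script_at_drive_root")
    if attrs[3] == "h" and ext in BINARY_EXT | SCRIPT_EXT:
        reasons.append("hidden_executable")
    return reasons


def find_policy_flags(text):
    """Return the names of risky policies that the log shows set to 1."""
    hits = []
    for line in text.splitlines():
        for pol in RISKY_POLICIES:
            if re.search(rf"\b{pol}\s*=\s*1\b", line):
                hits.append(pol)
    return hits


def triage(text):
    """Map each flagged path to its reasons, plus any risky policies, for manual review."""
    flagged = {}
    for _ts, size, attrs, path in parse_created_section(text):
        reasons = triage_entry(size, attrs, path)
        if reasons:
            flagged[path] = reasons
    return {"files": flagged, "policies": find_policy_flags(text)}


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for path, reasons in report["files"].items():
        print(f"REVIEW {path}: {', '.join(reasons)}")
    for pol in report["policies"]:
        print(f"REVIEW policy {pol} = 1")
```

Paste a full DDS log into `triage()` to get the same review list for a real machine; entries that are not flagged still deserve a look if their timestamps cluster with flagged ones.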


#5 extremeboy

  • Malware Response Team

Posted 28 January 2010 - 08:52 PM

Hello.

Let's run a scan with OTL.

Download and run OTL
  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Click the "Scan All Users" checkbox.
  4. Under the textbox, copy and paste the following code below.
    %systemroot%\system32\*.sys /lockedfiles
  5. Now push the button.
  6. It will now begin to scan, please be patient while it scans.
  7. Two reports will open once it's done.
  8. Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop: This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Post all 3 logs in your next reply.

Let me know if you have any problems or symptoms of infections left.

~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#6 dori123


Posted 29 January 2010 - 03:36 PM

OTL.txt:
OTL logfile created on: 1/29/2010 2:26:44 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\Cole Cormeny\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 502.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 22.17 Gb Free Space | 59.50% Space Free | Partition Type: NTFS
Drive D: | 82.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CORMENY
Current User Name: Cole Cormeny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/29 13:43:35 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cole Cormeny\My Documents\Downloads\OTL.exe
PRC - [2010/01/07 06:26:26 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/12/24 17:02:32 | 01,280,272 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2009/12/24 17:02:30 | 00,311,568 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/03 06:48:59 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/10/03 06:48:46 | 00,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/09/02 21:11:23 | 00,122,368 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2009/07/13 13:03:10 | 00,292,128 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/07/13 13:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/07/24 17:46:10 | 00,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/07/24 17:46:10 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/06 11:45:36 | 00,155,648 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2004/06/06 11:41:34 | 00,118,784 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/03/04 09:30:48 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2004/03/04 09:26:20 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2001/08/23 06:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/01/29 13:43:35 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cole Cormeny\My Documents\Downloads\OTL.exe
MOD - [2009/12/24 17:02:28 | 00,237,840 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360mon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Viewpoint Manager Service)
SRV - [2009/12/24 17:02:30 | 00,311,568 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/10/03 06:48:59 | 00,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/09/12 10:13:24 | 00,057,344 | ---- | M] (Lanovation) [Disabled | Stopped] -- C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2009/09/12 10:13:03 | 00,057,344 | ---- | M] (LANovation) [On_Demand | Stopped] -- C:\WINDOWS\system32\PCTKRNT.SYS -- (PictureTaker)
SRV - [2009/09/02 21:11:21 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/07/13 13:02:50 | 00,542,496 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/24 17:46:10 | 00,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/04/13 18:11:55 | 00,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2004/03/04 09:30:48 | 00,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2001/08/23 06:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp)


========== Driver Services (SafeList) ==========

DRV - [2009/11/23 08:43:30 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/10/03 06:48:47 | 00,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/12/10 12:56:18 | 00,187,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/07/24 17:46:12 | 00,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/07/24 17:46:10 | 00,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/07/24 17:45:20 | 00,010,144 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lmimirr.sys -- (lmimirr)
DRV - [2008/04/13 10:39:15 | 00,020,480 | R--- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/06/06 12:09:10 | 00,730,653 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2003/05/27 16:05:42 | 00,578,304 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2003/03/13 17:34:48 | 00,100,224 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\S-1-5-21-515967899-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-515967899-1425521274-839522115-1003\S-1-5-21-515967899-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-515967899-1425521274-839522115-1004\S-1-5-21-515967899-1425521274-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/01/21 08:47:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/21 19:38:38 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/21 19:38:38 | 00,000,000 | ---D | M]

[2009/09/12 09:48:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Cole Cormeny\Application Data\Mozilla\Extensions
[2010/01/25 08:16:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Cole Cormeny\Application Data\Mozilla\Firefox\Profiles\nzjawbu8.default\extensions
[2009/11/11 18:57:48 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Cole Cormeny\Application Data\Mozilla\Firefox\Profiles\nzjawbu8.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/01/25 08:16:49 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/09/02 15:46:46 | 00,000,781 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-515967899-1425521274-839522115-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe File not found
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SetRefresh] c:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-515967899-1425521274-839522115-1003..\Run: [Google Update] C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-515967899-1425521274-839522115-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-515967899-1425521274-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1250979045357 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\windows\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.126.4.212 64.126.4.216
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-515967899-1425521274-839522115-1003 Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\windows\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\windows\System32\LMIinit.dll (LogMeIn, Inc.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/26 23:46:20 | 00,099,912 | R--- | M] (McAfee, Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/12/15 14:32:33 | 00,000,047 | R--- | M] () - D:\AutoRun.inf -- [ CDFS ]
O33 - MountPoints2\{cdaddaf4-92b5-11de-a99f-000bcde15276}\Shell - "" = AutoRun
O33 - MountPoints2\{cdaddaf4-92b5-11de-a99f-000bcde15276}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cdaddaf4-92b5-11de-a99f-000bcde15276}\Shell\AutoRun\command - "" = F:\EasyCopy.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/21 20:58:37 | 00,000,000 | -H-D | C] -- C:\windows\PIF
[2010/01/21 20:54:43 | 00,000,000 | ---D | C] -- C:\windows\Internet Logs
[2010/01/21 20:17:34 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Favorites
[2010/01/21 20:17:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cole Cormeny\My Documents\ForceField Shared Files
[2010/01/21 20:16:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cole Cormeny\Application Data\CheckPoint
[2010/01/21 20:16:02 | 00,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/01/21 19:28:33 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/01/21 19:28:29 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/01/20 17:27:21 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/20 15:25:51 | 00,000,000 | ---D | C] -- C:\windows\CSC
[2010/01/20 15:22:06 | 00,000,000 | ---D | C] -- C:\windows\pss
[2010/01/13 05:45:47 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\aclayers.dll
[2010/01/04 07:16:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\Temp
[2010/01/01 21:42:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\RcIncidents
[2009/12/16 12:08:46 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/12/13 19:03:47 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2009/12/13 19:03:47 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2009/09/12 12:29:07 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/09/12 08:39:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2009/09/02 21:35:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/09/02 16:36:03 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/22 14:17:10 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/22 14:17:10 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[16 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/29 14:23:36 | 00,017,747 | ---- | M] () -- C:\windows\System32\Config.MPF
[2010/01/29 14:23:16 | 00,002,262 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2010/01/29 14:22:30 | 00,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010/01/29 14:22:24 | 00,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2010/01/29 14:08:09 | 03,932,160 | -H-- | M] () -- C:\Documents and Settings\Cole Cormeny\NTUSER.DAT
[2010/01/29 14:08:09 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Cole Cormeny\ntuser.ini
[2010/01/29 13:50:58 | 06,415,090 | -H-- | M] () -- C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\IconCache.db
[2010/01/29 13:41:07 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At13.job
[2010/01/29 12:21:01 | 00,001,006 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1425521274-839522115-1003UA.job
[2010/01/29 11:54:19 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At9.job
[2010/01/29 11:54:19 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At10.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At20.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At19.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At18.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At17.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At16.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At15.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At14.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At12.job
[2010/01/29 07:40:57 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At11.job
[2010/01/28 07:21:03 | 00,000,954 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1425521274-839522115-1003Core.job
[2010/01/27 13:26:55 | 00,033,792 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Desktop\Cole Cormeny Resume and Cover Letter.doc
[2010/01/27 11:50:13 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At8.job
[2010/01/25 09:23:51 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/25 09:06:09 | 00,000,000 | ---- | M] () -- C:\windows\System32\26962.exe
[2010/01/25 08:46:08 | 00,000,000 | ---- | M] () -- C:\windows\System32\29358.exe
[2010/01/25 08:26:08 | 00,000,000 | ---- | M] () -- C:\windows\System32\11478.exe
[2010/01/25 08:06:07 | 00,000,000 | ---- | M] () -- C:\windows\System32\15724.exe
[2010/01/25 07:46:07 | 00,000,000 | ---- | M] () -- C:\windows\System32\19169.exe
[2010/01/25 07:26:02 | 00,000,000 | ---- | M] () -- C:\windows\System32\26500.exe
[2010/01/25 07:06:02 | 00,000,000 | ---- | M] () -- C:\windows\System32\6334.exe
[2010/01/25 06:46:01 | 00,000,000 | ---- | M] () -- C:\windows\System32\18467.exe
[2010/01/25 06:23:03 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At7.job
[2010/01/23 10:15:44 | 00,000,000 | ---- | M] () -- C:\windows\System32\24464.exe
[2010/01/23 07:15:06 | 00,018,432 | ---- | M] () -- C:\windows\System32\emp44.exe
[2010/01/23 07:15:03 | 00,000,437 | ---- | M] () -- C:\44.js
[2010/01/23 06:36:32 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At1.job
[2010/01/21 23:43:37 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At24.job
[2010/01/21 22:20:04 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At23.job
[2010/01/21 21:50:47 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At22.job
[2010/01/21 21:29:45 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\atapi.sys
[2010/01/21 20:26:17 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At21.job
[2010/01/21 20:15:58 | 00,004,212 | -H-- | M] () -- C:\windows\System32\zllictbl.dat
[2010/01/21 19:28:37 | 00,000,733 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2010/01/21 18:43:35 | 00,318,067 | ---- | M] () -- C:\HijackThis.zip
[2010/01/21 08:52:04 | 00,031,232 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Desktop\Theresa Cormeny Resume 2010.doc
[2010/01/20 18:02:12 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Desktop\TheresaCormenyOnePageResume.doc
[2010/01/20 17:27:22 | 00,002,833 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Desktop\HiJackThis.lnk
[2010/01/20 17:24:54 | 01,401,344 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Desktop\HijackThis.msi
[2010/01/20 16:07:36 | 00,000,629 | ---- | M] () -- C:\windows\win.ini
[2010/01/20 16:07:36 | 00,000,227 | ---- | M] () -- C:\windows\system.ini
[2010/01/20 14:06:17 | 00,001,374 | ---- | M] () -- C:\windows\imsins.BAK
[2010/01/20 07:15:03 | 00,000,437 | ---- | M] () -- C:\33.js
[2010/01/15 20:24:42 | 00,000,311 | ---- | M] () -- C:\windows\dellstat.ini
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/01/05 04:00:29 | 00,832,512 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\wininet.dll
[2010/01/05 04:00:28 | 01,168,384 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\urlmon.dll
[2010/01/05 04:00:28 | 00,671,232 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\mstime.dll
[2010/01/05 04:00:28 | 00,671,232 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\mstime.dll
[2010/01/05 04:00:28 | 00,233,472 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\webcheck.dll
[2010/01/05 04:00:28 | 00,105,984 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\url.dll
[2010/01/05 04:00:28 | 00,105,984 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\url.dll
[2010/01/05 04:00:28 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\occache.dll
[2010/01/05 04:00:28 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\pngfilt.dll
[2010/01/05 04:00:28 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\pngfilt.dll
[2010/01/05 04:00:27 | 00,477,696 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\mshtmled.dll
[2010/01/05 04:00:27 | 00,193,024 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\msrating.dll
[2010/01/05 04:00:27 | 00,193,024 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\msrating.dll
[2010/01/05 04:00:26 | 03,599,360 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\mshtml.dll
[2010/01/05 04:00:25 | 00,052,224 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\msfeedsbs.dll
[2010/01/05 04:00:25 | 00,052,224 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\msfeedsbs.dll
[2010/01/05 04:00:24 | 01,830,912 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\inetcpl.cpl
[2010/01/05 04:00:24 | 01,830,912 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\inetcpl.cpl
[2010/01/05 04:00:24 | 00,459,264 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll
[2010/01/05 04:00:24 | 00,459,264 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\msfeeds.dll
[2010/01/05 04:00:24 | 00,268,288 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\iertutil.dll
[2010/01/05 04:00:24 | 00,192,512 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\iepeers.dll
[2010/01/05 04:00:24 | 00,192,512 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\iepeers.dll
[2010/01/05 04:00:24 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\iernonce.dll
[2010/01/05 04:00:24 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\iernonce.dll
[2010/01/05 04:00:24 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll
[2010/01/05 04:00:24 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\jsproxy.dll
[2010/01/05 04:00:23 | 06,067,200 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ieframe.dll
[2010/01/05 04:00:21 | 00,385,024 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\iedkcs32.dll
[2010/01/05 04:00:21 | 00,385,024 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\iedkcs32.dll
[2010/01/05 04:00:21 | 00,380,928 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieapfltr.dll
[2010/01/05 04:00:21 | 00,380,928 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ieapfltr.dll
[2010/01/05 04:00:21 | 00,230,400 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieaksie.dll
[2010/01/05 04:00:21 | 00,230,400 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ieaksie.dll
[2010/01/05 04:00:21 | 00,214,528 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dxtrans.dll
[2010/01/05 04:00:21 | 00,214,528 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\dxtrans.dll
[2010/01/05 04:00:21 | 00,153,088 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieakeng.dll
[2010/01/05 04:00:21 | 00,153,088 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ieakeng.dll
[2010/01/05 04:00:21 | 00,133,120 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\extmgr.dll
[2010/01/05 04:00:21 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieencode.dll
[2010/01/05 04:00:21 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ieencode.dll
[2010/01/05 04:00:21 | 00,063,488 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\icardie.dll
[2010/01/05 04:00:20 | 00,347,136 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dxtmsft.dll
[2010/01/05 04:00:20 | 00,347,136 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\dxtmsft.dll
[2010/01/05 04:00:20 | 00,124,928 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\advpack.dll
[2010/01/05 04:00:20 | 00,124,928 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\advpack.dll
[2010/01/05 04:00:20 | 00,017,408 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\corpol.dll
[2010/01/05 04:00:20 | 00,017,408 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\corpol.dll
[2010/01/04 07:18:39 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Desktop\Google Chrome.lnk
[2010/01/01 08:32:24 | 00,000,001 | ---- | M] () -- C:\s
[2010/01/01 08:10:25 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At2.job
[2010/01/01 01:02:07 | 00,000,332 | ---- | M] () -- C:\windows\tasks\McQcTask.job
[2009/12/31 09:33:27 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\html.iec
[2009/12/31 09:33:06 | 00,070,656 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ie4uinit.exe
[2009/12/31 09:33:06 | 00,070,656 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ie4uinit.exe
[2009/12/31 09:33:06 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieudinit.exe
[2009/12/31 09:33:06 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\ieudinit.exe
[2009/12/30 16:05:03 | 00,003,584 | ---- | M] () -- C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[16 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/23 09:35:44 | 00,000,000 | ---- | C] () -- C:\windows\System32\29358.exe
[2010/01/23 07:15:06 | 00,018,432 | ---- | C] () -- C:\windows\System32\emp44.exe
[2010/01/23 07:15:03 | 00,000,437 | ---- | C] () -- C:\44.js
[2010/01/21 20:15:58 | 00,004,212 | -H-- | C] () -- C:\windows\System32\zllictbl.dat
[2010/01/21 19:28:37 | 00,000,733 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2010/01/21 18:43:32 | 00,318,067 | ---- | C] () -- C:\HijackThis.zip
[2010/01/20 18:02:11 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Cole Cormeny\Desktop\TheresaCormenyOnePageResume.doc
[2010/01/20 17:39:00 | 00,031,232 | ---- | C] () -- C:\Documents and Settings\Cole Cormeny\Desktop\Theresa Cormeny Resume 2010.doc
[2010/01/20 17:25:27 | 00,002,833 | ---- | C] () -- C:\Documents and Settings\Cole Cormeny\Desktop\HiJackThis.lnk
[2010/01/20 17:24:45 | 01,401,344 | ---- | C] () -- C:\Documents and Settings\Cole Cormeny\Desktop\HijackThis.msi
[2010/01/20 07:15:03 | 00,000,437 | ---- | C] () -- C:\33.js
[2010/01/04 07:18:39 | 00,002,337 | ---- | C] () -- C:\Documents and Settings\Cole Cormeny\Desktop\Google Chrome.lnk
[2010/01/04 07:16:34 | 00,001,006 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1425521274-839522115-1003UA.job
[2010/01/04 07:16:33 | 00,000,954 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1425521274-839522115-1003Core.job
[2010/01/01 08:32:24 | 00,000,001 | ---- | C] () -- C:\s
[2009/12/30 16:05:03 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Cole Cormeny\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/11 21:04:04 | 00,000,127 | ---- | C] () -- C:\windows\System32\MRT.INI
[2009/09/12 12:01:19 | 00,027,648 | ---- | C] () -- C:\windows\vidbios.dll
[2009/09/12 12:01:19 | 00,005,536 | ---- | C] () -- C:\windows\vbios16.dll
[2009/09/12 09:08:27 | 00,000,311 | ---- | C] () -- C:\windows\dellstat.ini
[2009/08/22 21:05:50 | 00,000,376 | ---- | C] () -- C:\windows\ODBC.INI
[2004/02/10 13:08:00 | 00,000,373 | ---- | C] () -- C:\windows\System32\dlbccoin.ini
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI
[2002/11/13 13:40:22 | 00,040,960 | ---- | C] () -- C:\windows\System32\dlbcvs.dll

========== Custom Scans ==========


< %systemroot%\system32\*.sys /lockedfiles >
[16 C:\windows\system32\*.tmp files -> C:\windows\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >



Extras.txt:
OTL Extras logfile created on: 1/29/2010 2:26:44 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\Cole Cormeny\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 502.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 22.17 Gb Free Space | 59.50% Space Free | Partition Type: NTFS
Drive D: | 82.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CORMENY
Current User Name: Cole Cormeny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"FirstRunDisabled" = 
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7F831576-6246-42C7-B523-55B3F96509CC}" = LogMeIn
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{F5242227-2051-4158-AC42-0F2BAA3CD3D6}" = HP SetRefresh
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Dell Photo Printer 720" = Dell Photo Printer 720
"Gateway Desktop Manager" = Gateway Desktop Manager
"Gateway Drivers and Applications Recovery" = Gateway Drivers and Applications Recovery
"Gateway Power Management" = Gateway Power Management
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IObit Security 360_is1" = IObit Security 360
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PX: {20440EF7-D14E-47E2-9D7F-18336E728FB9}" = Do More 6.0
"SystemRequirementsLab" = System Requirements Lab
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-515967899-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/20/2010 6:34:22 PM | Computer Name = CORMENY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x029cf7a5.

Error - 1/20/2010 7:13:03 PM | Computer Name = CORMENY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x0281f7a2.

Error - 1/20/2010 7:13:09 PM | Computer Name = CORMENY | Source = Application Error | ID = 1001
Description = Fault bucket 1668702563.

Error - 1/20/2010 7:35:26 PM | Computer Name = CORMENY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00f2f7a5.

Error - 1/20/2010 7:35:55 PM | Computer Name = CORMENY | Source = Application Error | ID = 1001
Description = Fault bucket 1668688353.

Error - 1/21/2010 9:46:03 AM | Computer Name = CORMENY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x02a8f7a5.

Error - 1/21/2010 9:46:10 AM | Computer Name = CORMENY | Source = Application Error | ID = 1001
Description = Fault bucket 1668685790.

Error - 1/21/2010 10:28:49 AM | Computer Name = CORMENY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x02aff7a5.

Error - 1/21/2010 11:07:18 AM | Computer Name = CORMENY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00f1f7a3.

Error - 1/21/2010 11:07:34 AM | Computer Name = CORMENY | Source = Application Error | ID = 1001
Description = Fault bucket 1668776333.

[ System Events ]
Error - 1/29/2010 3:41:56 PM | Computer Name = CORMENY | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/29/2010 3:49:40 PM | Computer Name = CORMENY | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/29/2010 3:49:40 PM | Computer Name = CORMENY | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/29/2010 3:52:37 PM | Computer Name = CORMENY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/29/2010 3:52:38 PM | Computer Name = CORMENY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/29/2010 3:53:19 PM | Computer Name = CORMENY | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/29/2010 4:22:50 PM | Computer Name = CORMENY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/29/2010 4:22:50 PM | Computer Name = CORMENY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/29/2010 4:30:02 PM | Computer Name = CORMENY | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/29/2010 4:30:02 PM | Computer Name = CORMENY | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).


< End of report >
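Triage heuristics for the "Files Created" and "Files Modified" sections of the OTL log above, as an added example that is not part of the original post or of OTL itself. It parses OTL's `[date time | size | attrs | C/M] (company) -- path` lines and flags the entries a responder would look at first: zero-byte or all-digit-named executables in System32, System32 binaries with no company name, script files in the drive root, At*.job tasks, and files created at the same second of the day on different days, which is how a recurring scheduled task shows up in a file timeline (the 07:15:03 timestamps on C:\33.js and C:\44.js, three days apart, fit that pattern, next to the At2.job entry). The sample lines are copied from the log on this page; the flags are review candidates rather than verdicts, and the reason strings and thresholds are the example's own choices. Separately, the System events in the same log account for the shutdown prompt from the first post: Service Control Manager event 7031 records the DCOM Server Process Launcher service terminating with the recovery action "Reboot the machine" after 60000 milliseconds, which is the one-minute NT AUTHORITY\SYSTEM countdown that `shutdown -a` cancels.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the OTL "Files Created" / "Files Modified"
# sections posted above. Format: [date time | size | attrs | C|M] (company) -- path
SAMPLE_OTL = r"""
[2010/01/23 09:35:44 | 00,000,000 | ---- | C] () -- C:\windows\System32\29358.exe
[2010/01/23 07:15:06 | 00,018,432 | ---- | C] () -- C:\windows\System32\emp44.exe
[2010/01/23 07:15:03 | 00,000,437 | ---- | C] () -- C:\44.js
[2010/01/21 18:43:32 | 00,318,067 | ---- | C] () -- C:\HijackThis.zip
[2010/01/20 07:15:03 | 00,000,437 | ---- | C] () -- C:\33.js
[2010/01/05 04:00:20 | 00,124,928 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\advpack.dll
[2010/01/01 08:10:25 | 00,000,394 | ---- | M] () -- C:\windows\tasks\At2.job
[2009/11/11 21:04:04 | 00,000,127 | ---- | C] () -- C:\windows\System32\MRT.INI
"""

OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<kind>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
SCRIPT_EXT = {".js", ".vbs", ".bat", ".cmd", ".wsf"}


def parse_otl(text):
    """Turn OTL file-list lines into dicts; headers and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["path_l"] = e["path"].lower()
            entries.append(e)
    return entries


def triage(entries):
    """Return {path: [reasons]} for entries worth a responder's attention first."""
    # Dates seen per time-of-day: a file dropped at the same second on several
    # days is the footprint of a recurring scheduled task, not of a user.
    dates_at = defaultdict(set)
    for e in entries:
        dates_at[e["time"]].add(e["date"])

    flags = defaultdict(list)
    for e in entries:
        path, low = e["path"], e["path_l"]
        name = low.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        stem = name[: -len(ext)] if ext else name
        in_sys32 = "\\windows\\system32\\" in low
        in_root = re.fullmatch(r"[a-z]:\\[^\\]+", low) is not None

        if ext in EXEC_EXT and in_sys32 and e["size"] == 0:
            flags[path].append("zero-byte executable in System32")
        if ext in EXEC_EXT and stem.isdigit():
            flags[path].append("executable with an all-digit name")
        if ext in EXEC_EXT and in_sys32 and not e["company"]:
            flags[path].append("System32 binary with no company name")
        if ext in SCRIPT_EXT and in_root:
            flags[path].append("script file in the drive root")
        if "\\tasks\\" in low and re.fullmatch(r"at\d+\.job", name):
            flags[path].append("At*.job task (created with at.exe, not the Task Scheduler UI)")
        if len(dates_at[e["time"]]) > 1:
            flags[path].append("created at %s on %d different days (recurring task?)"
                               % (e["time"], len(dates_at[e["time"]])))
    return dict(flags)


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse_otl(SAMPLE_OTL)).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the full OTL.txt the same way; the parser ignores the summary lines such as `[16 C:\windows\System32\*.tmp files -> ...]`. The recurring-time check is the one that needs judgement: system updates also land many files in the same second, which is why it is only a hint and is reported alongside the other reasons rather than on its own.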


#7 extremeboy
  • Malware Response Team

Posted 29 January 2010 - 03:44 PM

Please also post the GMER log upon completion. Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 dori123
  • Topic Starter

Posted 29 January 2010 - 07:44 PM

Sorry it took so long. I'm doing this remotely and am having connectivity problems, or the infected machine is crashing (can't tell which because I'm kicked out first).

I hope this log helps; I have yet to see the scan finish and the log file created. This is what appears in the GMER window when I next open it -- I hope it is auto-saved.

Thanks

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-29 18:31:51
Windows 5.1.2600 Service Pack 3
Running: w1svk78v.exe; Driver: C:\DOCUME~1\COLECO~1\LOCALS~1\Temp\uxldqpoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD77678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAD776821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAD776738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAD77674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAD776835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAD776861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAD7768CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAD7768B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAD7767CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAD7768FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAD77680D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAD776710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAD776724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAD77679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAD776937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAD7768A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAD77688D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAD77684B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAD776923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAD77690F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAD776776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAD776762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAD776877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAD7767F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAD7768E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAD7767E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAD7767B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EEF369

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
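A small classifier for the GMER quick-scan output above, as an added example that is not part of the original post or of GMER. It separates entries GMER attributes to a named module and vendor (the SSDT hooks and attached filter devices that a HIPS/firewall product such as McAfee installs; the parenthesised text is the module's description and company fields as GMER prints them, not a signature check, so "attributed" means "claims to be", not "verified clean") from the two lines that carry no attribution: a `Device ->` redirection on the disk stack and a `File ... suspicious modification` verdict. When both point at the same driver, here atapi, it reports them as one correlated finding. That combination, a patched storage driver whose device object is intercepted so the on-disk modification is hidden from normal reads, is the pattern the responder in the next reply identifies as TDL3. The sample lines are a constructed subset of the log on this page; the record layout and reason strings are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER rootkit quick-scan posted above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD77678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAD776710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EEF369

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# One regex per GMER line shape used in the sample. "(description/vendor)" is
# what GMER prints from the module's version fields; it is not a signature check.
CODE = re.compile(r"^Code (\S+) \((.+?)/(.+?)\) (\S+)(?: \[(0x[0-9A-Fa-f]+)\])?$")
ATTACHED = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.+?)/(.+?)\)$")
DEVICE = re.compile(r"^Device -> (\S+) (\S+) ([0-9A-Fa-f]+)$")
FILE_MOD = re.compile(r"^File (.+?) suspicious modification$")


def _driver_name(s):
    # "\Driver\atapi" -> "atapi"; "C:\...\drivers\atapi.sys" -> "atapi"
    base = s.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage_gmer(text):
    """Split GMER output into vendor-attributed entries and unattributed findings."""
    attributed = defaultdict(list)   # vendor -> [(kind, module, target)]
    findings = []                    # entries with no module/vendor behind them
    for line in text.splitlines():
        line = line.strip()
        m = CODE.match(line)
        if m:
            module, _desc, vendor, func, _addr = m.groups()
            attributed[vendor].append(("hook", module.rsplit("\\", 1)[-1], func))
            continue
        m = ATTACHED.match(line)
        if m:
            _drv, dev, module, _desc, vendor = m.groups()
            attributed[vendor].append(("filter", module, dev))
            continue
        m = DEVICE.match(line)
        if m:
            drv, dev, _addr = m.groups()
            findings.append({"kind": "device", "driver": _driver_name(drv),
                             "detail": "device object %s redirected, no module attribution" % dev})
            continue
        m = FILE_MOD.match(line)
        if m:
            path = m.group(1)
            findings.append({"kind": "file", "driver": _driver_name(path),
                             "detail": "on-disk image %s reported modified" % path})

    # Correlate: a modified driver image plus a redirected device object of the
    # same driver is one event (a hooked storage stack), not two separate ones.
    kinds_by_driver = defaultdict(set)
    for f in findings:
        kinds_by_driver[f["driver"]].add(f["kind"])
    for drv, kinds in kinds_by_driver.items():
        if {"device", "file"} <= kinds:
            findings.append({"kind": "correlated", "driver": drv,
                             "detail": "%s: driver image patched and its device object hooked" % drv})
    return dict(attributed), findings


if __name__ == "__main__":
    attributed, findings = triage_gmer(SAMPLE_GMER)
    for vendor, items in attributed.items():
        print("attributed to %s: %d entries (verify the files, do not assume clean)" % (vendor, len(items)))
    for f in findings:
        print("FINDING [%s] %s" % (f["kind"], f["detail"]))
```

The attributed bucket is not a whitelist: a rootkit can carry copied version strings, so the right follow-up is to hash the named modules and check their signatures from a clean system. The unattributed bucket is where the scan's actual verdict lives, and the correlated entry is the one worth reading first.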




#9 dori123
  • Topic Starter

Posted 29 January 2010 - 08:00 PM

I also captured as much of the log as I could before being disconnected. I hope it helps; it is attached as GMER2.txt.

Thanks again.

#10 extremeboy
  • Malware Response Team

Posted 29 January 2010 - 11:24 PM

Hello.

Seems like you have one of the TDL3 infections on board. It's a rootkit.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Let me know if you wish to continue or not.

#11 dori123
  • Topic Starter

Posted 30 January 2010 - 12:56 PM

Eeeewwwwwww.

Ok then. This computer has no information on it. It is used solely to surf the web and to search for jobs / send resumes. I just did a clean install of XP a few months ago. I wonder if the virus survived that clean install or infected it later. Can it survive a clean install?

It sounds like even if we do a reformat and reinstall, that it still might not go away. Does that change if I put Windows 7 on it?

Also, can it potentially infect my remote laptop? I have been logging into that computer from my laptop via logmein. I'd hate to think my laptop could be compromised. Please advise.

In the meantime, I'll speak with my brother and see what he wants to do. He does need a computer for job searches so I imagine we'll try the reformat route, but it will take some time for him to send it to me. Would I do anything different / special in this reformat / reinstall? Or would it be a simple vanilla reformat?

Thanks again for your help. This is one nasty bug and it's really unfortunate that it is interfering with someone's search for a job. I can't help but hoping karma comes around for the authors of it...

#12 extremeboy
  • Malware Response Team

Posted 30 January 2010 - 04:20 PM

Hello.

If you do a full format, then the infection can't survive. It won't change if you upgrade to Windows 7: you will need to format the system, and it will be removed. Wasn't sure what you meant by "it sounds". The laptop should be fine unless some transfer from the infected computer to your laptop was made. To do the format, you would need your Windows disk and wipe the whole drive if you're not going to back up anything. A format is just a format; nothing special is needed.

More information/instructions/tutorial on formatting Windows XP: http://howtocleaninstall.com/windows/clean...all-windows-xp/

With Regards,
Extremeboy

#13 extremeboy
  • Malware Response Team

Posted 02 February 2010 - 03:49 PM

How's everything coming along? Are you still there?

#14 dori123
  • Topic Starter

Posted 03 February 2010 - 09:14 AM

Yes, thanks -- I'm still here.
Thanks for your help on this. Looks like I'm going to have to do the reformat. I think he can hobble along on it until May, when I'll be at his house. I'll plan on doing the reformat and everything then. Currently he only uses it to post resumes and surf the web, so I don't see any real danger. He doesn't do any banking or finance on this machine.
I appreciate your help a lot -- I was really stumped on this.
Kind Regards,
Dori



#15 extremeboy
  • Malware Response Team

Posted 04 February 2010 - 08:04 PM

You're welcome. Good luck in the future.



