Malware Defense/BSOD



az-apache
2010-01-09, 16:07
Hello,

I have a situation very similar to the one posted here: http://forums.spybot.info/showthread.php?t=54492

Malware Defense seems to now be on my computer. It has disabled all of my antivirus (McAfee) and spyware protection software (Spybot). My computer now BSODs inside 60 seconds if I boot in normal mode. Currently I am running in Safe Mode with Networking.

After reading the aforementioned post I attempted to get a HijackThis log to post. When I try to load HijackThis I get the following error: "The Windows Installer Service is not available in Safe Mode..."

Where do I start? Please help. And thank you very much.

Got HijackThis installed. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:47 AM, on 1/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Dale\Desktop\AntiV\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\USB Headsets\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\LaunchuGuru.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Dale\AppData\Local\Temp\settdebugx.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P3 /q C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\ZUNCAMCB\CS_25_~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\W0G400D5\V_1_~1.SH! C:\Users\Dale\AppData\Local\Temp\TEMPOR~1\Content.SH! C:\Users\Dale\AppData\Local\Temp\TEMPOR~1.SH! C:\Users\Dale\AppData\Local\Temp\History\History.SH! C:\Users\Dale\AppData\Local\Temp\History.SH! C:\Users\Dale\AppData\Local\Temp\Cookies.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\R13BN0MF\1396_1~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JZ82ON5C\ADSERV~2.SH! C:\Users\Dale\AppData\Local\Temp\Word8.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RG7XTV0X\CS_4_1~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\W13VFXNX\1457_1~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\CGYG5M7D\INDEX_~1.SH! C:\Users\Dale\AppData\Local\MICROS~1
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P3 /q C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\ZUNCAMCB\CS_25_~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\W0G400D5\V_1_~1.SH! C:\Users\Dale\AppData\Local\Temp\TEMPOR~1\Content.SH! C:\Users\Dale\AppData\Local\Temp\TEMPOR~1.SH! C:\Users\Dale\AppData\Local\Temp\History\History.SH! C:\Users\Dale\AppData\Local\Temp\History.SH! C:\Users\Dale\AppData\Local\Temp\Cookies.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\R13BN0MF\1396_1~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JZ82ON5C\ADSERV~2.SH! C:\Users\Dale\AppData\Local\Temp\Word8.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RG7XTV0X\CS_4_1~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\W13VFXNX\1457_1~1.SH! C:\Users\Dale\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\CGYG5M7D\INDEX_~1.SH! C:\Users\Dale\AppData\Local\MICROS~1
O4 - Global Startup: Iomega StorCenter.lnk = C:\Program Files\Iomega StorCenter\sohoclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - d:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - d:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 11829 bytes
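The O4 lines in the HijackThis log above (and the uRun/mRun/dRun lines of the DDS "Pseudo HJT Report" that follows later in the thread) are the per-user and per-machine autorun registrations, which is where a helper first looks for entries that do not belong. The script below is an added example, not part of this thread and not code from HijackThis, DDS or Safer Networking. It parses both line forms and applies two triage heuristics of my own choosing: an autorun whose executable lives in a temporary directory (as the settdebugx.exe entry in this log does), and a bare file name with no path, which the loader resolves by PATH search at logon. The mapping of the DDS prefix letters (u, m, d) to registry hives is an assumption, as are the sample lines, which are copied from the log above and constructed to exercise each case. A hit is a prompt to inspect the file, not proof of infection.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O4 autorun lines, e.g.
#   O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
#   O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\...\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
HJT_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# DDS "Pseudo HJT Report" form of the same data (uRun / mRun / dRun, optionally RunOnce).
# Assumption of this example: u = current user hive, m = HKLM, d = the .DEFAULT user hive.
DDS_RUN_RE = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DDS_HIVES = {"u": "HKCU", "m": "HKLM", "d": r"HKUS\.DEFAULT"}

# First executable-looking token of a command line, quoted or not; switches and
# annotations such as "(User 'LOCAL SERVICE')" after it are ignored.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|scr|com|bat|cmd|pif))"?(?=\s|$)', re.IGNORECASE)

# Locations a legitimate autorun should not normally point into (heuristic, not a rule).
TEMP_DIR_RE = re.compile(
    r"(\\appdata\\local\\temp\\|\\local settings\\temp\\|\\windows\\temp\\|^%temp%\\)",
    re.IGNORECASE,
)


@dataclass
class Entry:
    source: str          # "hjt" or "dds"
    hive: str
    key: str
    name: str
    cmd: str
    path: Optional[str]  # executable extracted from cmd, if one was found


@dataclass
class Finding:
    entry: Entry
    severity: str        # "high" or "info"
    reasons: List[str]


def parse_autorun(line: str) -> Optional[Entry]:
    """Parse one HJT O4 line or one DDS u/m/dRun line; return None for anything else."""
    line = line.strip()
    m = HJT_O4_RE.match(line)
    if m:
        source, hive = "hjt", m.group("hive")
    else:
        m = DDS_RUN_RE.match(line)
        if not m:
            return None
        source, hive = "dds", DDS_HIVES[m.group("hive")]
    cmd = m.group("cmd")
    exe = EXE_RE.match(cmd)
    return Entry(source, hive, m.group("key"), m.group("name"), cmd, exe.group("path") if exe else None)


def assess(entry: Entry) -> Optional[Finding]:
    """Apply the triage heuristics to one entry; None means nothing noteworthy."""
    if entry.path is None:
        return Finding(entry, "info", ["no executable could be identified in the command"])
    reasons, severity = [], "info"
    if TEMP_DIR_RE.search(entry.path):
        reasons.append("autorun target lives in a temporary directory")
        severity = "high"
    if "\\" not in entry.path:
        # A bare name is resolved through the PATH search at logon, so the entry
        # alone does not tell you which file actually runs.
        reasons.append("unqualified executable name, resolved by PATH search at logon")
    return Finding(entry, severity, reasons) if reasons else None


def triage(lines) -> List[Finding]:
    """Run every log line through the parser and keep only entries with findings."""
    findings = []
    for line in lines:
        entry = parse_autorun(line)
        if entry is not None:
            finding = assess(entry)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample: four O4 lines copied from the HijackThis log above, the DDS form
# of the Temp entry, and one non-autorun line the parser must ignore.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r"O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Dale\AppData\Local\Temp\settdebugx.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
    r"uRun: [settdebugx.exe] c:\users\dale\appdata\local\temp\settdebugx.exe",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

if __name__ == "__main__":
    # Read a saved log from the path given on the command line, else use the sample.
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    for f in triage(src):
        print(f"[{f.severity:4}] {f.entry.hive}\\{f.entry.key} [{f.entry.name}] -> {f.entry.path}: {'; '.join(f.reasons)}")
```

Run it as `python triage.py hijackthis.log` against a saved log, or with no argument to see the sample output. On the sample it reports the bare CTHELPER.EXE entry as informational and both forms of the settdebugx.exe entry as high, while the Sidebar and Java entries pass silently; the Temp heuristic is deliberately case-insensitive because DDS lowercases every path it prints.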

peku006
2010-01-14, 15:15
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:


Link1 (http://www.techsupportforum.com/sectools/sUBs/dds)
Link2 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link3 (http://www.forospyware.com/sUBs/dds)

Please disable any anti-malware program that will block scripts from running before running DDS.


Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear:

DDS.txt
Attach.txt

A window will open instructing you to save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply


Next Reply

Please reply with:
DDS.txt
Attach.txt


Thanks peku006

az-apache
2010-01-14, 20:00
Thank you
-----

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Dale at 10:53:11.27 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.2300 [GMT -7:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Users\Dale\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Steam] "d:\program files\steam\steam.exe" -silent
uRun: [ABIT uGuruIII] c:\program files\u-abit\uguru\LaunchuGuru.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [igndlm.exe] d:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [settdebugx.exe] c:\users\dale\appdata\local\temp\settdebugx.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WinSys2] c:\windows\system32\startup.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [VolPanel] "c:\program files\creative\usb headsets\volume panel\VolPanlu.exe" /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p3 /q c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\zuncamcb\cs_25_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\w0g400d5\v_1_~1.sh! c:\users\dale\appdata\local\temp\tempor~1\content.sh! c:\users\dale\appdata\local\temp\tempor~1.sh! c:\users\dale\appdata\local\temp\history\history.sh! c:\users\dale\appdata\local\temp\history.sh! c:\users\dale\appdata\local\temp\cookies.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\r13bn0mf\1396_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\jz82on5c\adserv~2.sh! c:\users\dale\appdata\local\temp\word8.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\rg7xtv0x\cs_4_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\w13vfxnx\1457_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\cgyg5m7d\index_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\5jq62s2d\1544_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\5ug3l6uh\cs_41_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bytyxake\index_~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\4qfzwbf2\kanood~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ifnfcjjz\0329_0~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bpy6leof\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\b9xqata4\tt0119~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\4qfzwbf2\genera~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ifnfcjjz\aceuac~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\n1voadl5\in552d~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bv7qe3a1\ads_6_~1.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bv7qe3a1\ads_5_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2cwar6yu\ads_4_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bv7qe3a1\dnbcom~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9ts437se\ifr_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bv7qe3a1\ads_3_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2cwar6yu\11_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\yasmbbft\gummi-~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bv7qe3a1\fail-b~4.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2cwar6yu\ads_7_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8pn5w4fj\welcom~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6anuv2ez\dg_spe~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qm1zhw1i\fod_ho~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\zu5ck5ug\fod_ho~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qm1zhw1i\contex~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6anuv2ez\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\zu5ck5ug\ads_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\72e2ugij\ads_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qm1zhw1i\deltaf~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\h03s0f1l\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ovncph77\10a260~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9ob6846u\dg_spe~3.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\rwx52e65\radioa~4.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\r5vh35tu\ads_3_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\gs858gry\facts_~1.sh! c:\users\dale\appdata\local\temp\hsperf~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\lhap9ktd\header~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qcdx1xfz\13-tur~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qcdx1xfz\alien-~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\383ovf1y\10-bes~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8tmm5jql\dg_spe~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qcdx1xfz\adunit~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8tmm5jql\adunit~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\383ovf1y\1750_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qcdx1xfz\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\383ovf1y\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qcdx1xfz\ads_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\383ovf1y\afe_sp~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qcdx1xfz\review~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6e5vog0o\dref_h~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\efx0t6vo\cs_38_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\d6uhi00q\index_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9zsv8eka\zoneit~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\77jkieva\contex~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\692ubbo3\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\77jkieva\button~1.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9zsv8eka\794_13~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9zsv8eka\4125_3~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\eulyw8it\680x18~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bdfawfdz\networ~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\eulyw8it\networ~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\iym3x2y3\index_~3.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\hvuddxmo\1820_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qu41wfej\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\40fkyasv\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\hwidkgaa\dref_h~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8hm75pwk\dref_h~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\jrzmz2rz\ehhowt~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\7vjo2e48\admit-~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9tojle8a\dg_spe~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8sq1vfoa\ad_728~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\52wjg9iu\adon_7~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\hu1exl7l\prep_c~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i6bo90c7\devblo~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i6bo90c7\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\5aa1o465\grassh~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\puhai8zz\ads_3_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\7m14l33h\iepngf~1.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ewgya60d\here_4~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\z27lih7r\tedtal~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2qiyix65\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ewgya60d\spot_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8ebbxzzd\ifr_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6e957aiu\2012_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6e957aiu\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8ebbxzzd\ads_8_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2qiyix65\ads_7_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2qiyix65\scar%2~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ewgya60d\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ssbd5b66\ads.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8ebbxzzd\define~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ewgya60d\ads_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6e957aiu\the_di~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ewgya60d\displa~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\jdy0lqjg\lawofn~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\s36ht7uy\1@x70_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ssbd5b66\26w693~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ssbd5b66\rjpp78~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\2qiyix65\ads_8_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\z27lih7r\displa~1.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\z27lih7r\displa~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bw0hq4o7\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i4o79ohk\ads_3_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\p1cwqlj2\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i4o79ohk\dating~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i4o79ohk\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i4o79ohk\index_~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i4o79ohk\ads_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8sidlhui\chi-re~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\p1cwqlj2\frame_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8sidlhui\s2c_du~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bw0hq4o7\famous~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8sidlhui\ke_bla~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bw0hq4o7\tcode3~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\p1cwqlj2\ads_3_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8sidlhui\index_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\p1cwqlj2\adpage~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bw0hq4o7\cs_25_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\i4o79ohk\cs_13_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8sidlhui\cs_9_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\p1cwqlj2\1911_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\bvz5tjx0\cs_25_~1.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qg9vw4rq\1942_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\21tvikog\o_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\tj1mx3tj\ads_5_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\tj1mx3tj\worth-~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qzrl7ymg\ads_4_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\21tvikog\ads_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qzrl7ymg\ads_5_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qe3m7a02\081103~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qe3m7a02\3288_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qe3m7a02\std_ad~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\jxfweygd\delpub~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ap6fyuvb\ads_2_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\d81ufyam\img_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\4ibsrbw4\mvpid-~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\4ibsrbw4\mvp--_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\j8p81uaz\zxivsk~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\j8p81uaz\yu6ban~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\mmh9jju1\d45irc~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\mmh9jju1\pcpmck~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\c4ka9nvm\banner~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ajbctbzv\grab_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\9yk2w1wt\frame_~1.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\l3jgj8h5\152849~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\l3jgj8h5\a-300x~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\88udz80q\tcode3~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\izvvv1xq\join_l~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ghx8y6ze\ig_081~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\834r3187\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ghx8y6ze\adpage~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\l3dx87r6\tpp_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\tdox1r3l\navbar~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\834r3187\jo_spi~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\ghx8y6ze\giftpa~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\834r3187\navbar~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\lfwtjkcn\search~2.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\vkpp9nt9\1357_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\6mjywmpf\lightb~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qpxfqnxo\x-578-~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qpxfqnxo\csshov~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qpxfqnxo\setcoo~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\lfwtjkcn\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\qpxfqnxo\downlo~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\mkfmjf0s\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\5s5d152a\iforgo~2.sh! 
c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\kbx8co0t\core_i~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\yvlo1exn\forum_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\7b5pvikl\roster~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8hwub91h\ad_728~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\8hwub91h\8322_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\cf1q3va3\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\3n6816z8\pop_1_~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\y5k8z04c\sync_1~1.sh! c:\users\dale\appdata\local\micros~1\windows\tempor~1\content.ie5\o0175yc0\theate~1.sh! c:\users\dale\appdata\local\temp\plugtmp.SH!
dRun: [CtxfiReg] CTXFIREG.exe /FAIL2
dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega storcenter\sohoclient.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - d:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\dale\appdata\roaming\mozilla\firefox\profiles\hoy92zrr.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\users\dale\appdata\roaming\mozilla\firefox\profiles\hoy92zrr.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\users\dale\appdata\roaming\mozilla\firefox\profiles\hoy92zrr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: d:\program files\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-10-13 21048]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-25 93320]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-25 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-25 144704]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-9 1153368]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S2 StarWindServiceAE;StarWind AE Service;d:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-7 79360]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2009-11-27 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-22 21504]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-25 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-25 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-25 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-25 40552]
S3 skfiltv;skfiltv;c:\windows\system32\drivers\skfiltv.sys [2009-9-7 17408]

=============== Created Last 30 ================

2010-01-08 10:50:37 0 d-----w- c:\users\dale\appdata\roaming\FFSJ
2010-01-08 10:43:59 794906 ----a-w- c:\windows\unins000.exe
2010-01-08 10:43:59 4025 ----a-w- c:\windows\unins000.dat
2010-01-08 10:43:59 0 d-----w- c:\windows\system32\FFSJ
2009-12-26 18:15:02 320 ----a-w- c:\windows\system32\filerenamerrer.sys
2009-12-26 16:34:37 224 ----a-w- c:\windows\system32\filerenamerred.sys
2009-12-26 16:34:37 150528 ----a-w- c:\windows\system32\TLBINF32.DLL
2009-12-26 16:34:36 224016 ----a-w- c:\windows\system32\TABCTL32.OCX
2009-12-25 20:27:46 138168 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-25 17:03:21 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-25 16:54:31 13506 ----a-w- c:\windows\system32\Config.MPF
2009-12-25 16:50:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-25 16:50:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-25 16:50:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-25 16:50:49 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-25 16:50:30 0 d-----w- c:\program files\common files\McAfee
2009-12-25 16:50:29 0 d-----w- c:\program files\McAfee.com
2009-12-25 16:50:27 0 d-----w- c:\program files\McAfee
2009-12-25 16:47:57 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-25 12:59:16 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-01-05 00:17:09 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-05 00:17:00 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 10:19:17 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 10:19:17 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-17 10:19:16 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-17 10:19:16 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-17 10:19:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-17 10:18:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 01:21:38 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-09 01:21:38 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-03-22 23:48:22 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 22:50:31 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-11-28 13:15:08 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2008-11-28 13:24:08 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008112820081129\index.dat

============= FINISH: 10:54:28.06 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 10/12/2007 3:37:10 PM
System Uptime: 1/13/2010 6:29:47 PM (16 hours ago)

Motherboard: http://www.abit.com.tw/ | | IP35 PRO(P35+ICH9R)
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2394/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 140 GiB total, 30.836 GiB free.
D: is FIXED (NTFS) - 1863 GiB total, 1615.34 GiB free.
E: is CDROM ()
F: is FIXED (FAT32) - 234 GiB total, 28.587 GiB free.
G: is CDROM ()
W: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1062: 12/31/2009 2:50:06 AM - Scheduled Checkpoint
RP1063: 12/31/2009 6:02:32 PM - Windows Update
RP1065: 1/3/2010 1:51:41 PM - Scheduled Checkpoint
RP1066: 1/4/2010 8:59:45 PM - Windows Update
RP1067: 1/6/2010 12:00:03 AM - Scheduled Checkpoint
RP1068: 1/7/2010 12:00:03 AM - Scheduled Checkpoint
RP1069: 1/7/2010 8:07:53 AM - Windows Update
RP1070: 1/8/2010 4:26:11 PM - Scheduled Checkpoint
RP1072: 1/9/2010 5:33:03 AM - Windows Defender Checkpoint

==== Installed Programs ======================

µTorrent
abti uGuru
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11
Age of Chivalry
Altap Salamander 2.51
Altitude - Demo
Amazon MP3 Downloader 1.0.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Assassin's Creed
Audiosurf
AutoUpdate
BD Advisor 2.0
Bejeweled 2 Deluxe 1.1.3.2523
Beyond Good and Evil
BioShock
Bonjour
Borderlands
Braid
Call of Duty 4: Modern Warfare
Call of Juarez
Cogs
Compatibility Pack for the 2007 Office system
Counter-Strike: Source
Creative Software AutoUpdate
Creative System Information
Creative USB Headsets
Crysis(R)
CuteFTP 8 Home
CuteFTP 8 Professional
D.I.P.R.I.P. Warm Up
Darkest of Days
Dead Space
Defense Grid: The Awakening
DivX Codec
DivX Player
DivX Web Player
Doom 3
Download Manager 2.3.6
Dragon Age: Origins
Dreamfall: The Longest Journey
Droplitz
DVD Flick
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.5.0
DVDFab 6.2.0.5 (11/11/2009)
Elf Bowling: Hawaiian Vacation
Evil Genius
Fallout 3
FarCry 2
File Renamer 6.0
File Splitter and Joiner (FFSJ v3.3)
Fraps
Free Allegiance
FW LiveUpdate
Galactic Bowling
GameSpy Arcade
GameSpy Comrade
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life Deathmatch: Source
Half-Life: Source
HijackThis 2.0.2
Hinterland
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Insurgency
Iomega StorCenter
iTunes
iTunes Library Updater
J2SE Runtime Environment 5.0 Update 12
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
JMB36X Raid Configurer
Juniper Networks Setup Client
Juniper Networks Setup Client Activex Control
Juniper Terminal Services Client
King's Bounty: Armored Princess
Left 4 Dead 2 Demo
LG USB Modem driver
Light of Altair
Magic ISO Maker v5.5 (build 0273)
Mass Effect
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Converter Pack
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Organization Chart 2.0
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.5.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nation Red
Natural Selection 3.2
Netflix Movie Viewer
NVIDIA Drivers
NVIDIA PhysX
Oblivion
OGA Notifier 2.0.0048.0
On the Rain-Slick Precipice of Darkness, Episode Two
OpenAL
Opposing Force
Osmos
PeerGuardian 2.0
Peggle Deluxe
Peggle Nights
Penny Arcade Adventures: On the Rain-Slick Precipice of Darkness, Episode One
Penny Arcade Adventures: On the Rain-Slick Precipice of Darkness, Episode Two
Penumbra Overture
Penumbra: Black Plague
Penumbra: Requiem
Plants Vs Zombies Demo
PokerStars.net
Portal
Prototype
Psychonauts
PunkBuster Services
Quake
QuickTime
RealPlayer
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Rhapsody Player Engine
Seagate*DiscWizard
SeaTools for Windows
Serious Sam HD: The First Encounter
Skype™ 3.6
Snagit 9.1.1
SolveigMM AVI Trimmer
Sound Blaster X-Fi
Source SDK Base
Space Giraffe PC
SPORE™ Creature Creator Trial Edition
Spybot - Search & Destroy
STALKER: Clear Sky
Steam
System Requirements Lab
Tales of Monkey Island: Chapter 1 - Launch of the Screaming Narwhal
Tales of Monkey Island: Chapter 2 - The Siege of Spinner Cay
Team Fortress 2
Team Fortress 2 Dedicated Server
TextPad 5
The Longest Journey
The Maw
The Rosetta Stone
The Ship
The Witcher
TI Connect 1.6
Torchlight
Total Video Converter 3.14 080930
Ultimate Extras sounds from Microsoft® Tinker™
Unreal Tournament 3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
V CAST Music with Rhapsody
Vista Codec Package
VLC media player 1.0.0
Wallace and Gromit Ep1: Fright of the Bumblebees
Winamp
WinAVI Video Converter
Windows Sound Schemes
WinRAR archiver
World of Goo
X-COM: UFO Defense
Xfire (remove only)

==== Event Viewer Messages From Past Week ========

1/9/2010 6:48:01 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/9/2010 5:48:46 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC mfehidk MPFP NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:46 AM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2010 5:48:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
1/9/2010 5:48:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/9/2010 5:47:34 AM, Error: EventLog [6008] - The previous system shutdown at 5:45:02 AM on 1/9/2010 was unexpected.
1/9/2010 5:45:02 AM, Error: EventLog [6008] - The previous system shutdown at 5:43:08 AM on 1/9/2010 was unexpected.
1/9/2010 5:06:58 AM, Error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
1/9/2010 5:06:43 AM, Error: EventLog [6008] - The previous system shutdown at 5:05:07 AM on 1/9/2010 was unexpected.
1/8/2010 3:45:03 PM, Error: EventLog [6008] - The previous system shutdown at 3:42:46 PM on 1/8/2010 was unexpected.
1/13/2010 7:01:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
1/13/2010 6:58:31 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
1/13/2010 6:58:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/13/2010 6:58:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
1/13/2010 6:58:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/13/2010 6:58:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/13/2010 6:32:43 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Services service to connect.
1/13/2010 6:32:43 PM, Error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/13/2010 6:31:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mfehidk spldr Wanarpv6
1/13/2010 6:31:47 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: One or more arguments are invalid
1/13/2010 6:31:47 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Personal Firewall Service service to connect.
1/13/2010 6:31:47 PM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the wscsvc service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/13/2010 6:31:47 PM, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
1/13/2010 6:31:47 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/13/2010 6:31:47 PM, Error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
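
A defender-side triage over the kind of DDS lines posted above, as an added example that is not part of this thread or of the DDS tool. The sample lines are copied from the log; the keyword list used to recognise security products, the set of sinkhole addresses, and the choice of which settings to flag (UAC off by policy, a security site mapped to loopback in the hosts file, a security driver listed in a 7026 load-failure event) are my own assumptions.

```python
"""Triage of DDS-style log lines for settings a rogue anti-virus commonly
tampers with (added example, not part of the thread or of the DDS tool)."""
import re

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_LINES = [
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]",
    r"S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-25 144704]",
    r"S3 skfiltv;skfiltv;c:\windows\system32\drivers\skfiltv.sys [2009-9-7 17408]",
    r"1/13/2010 6:31:47 PM, Error: Service Control Manager [7026] - "
    r"The following boot-start or system-start driver(s) failed to load: mfehidk spldr Wanarpv6",
]

# Assumed, illustrative keyword list for recognising security products.
SECURITY_KEYWORDS = ("mcafee", "spybot", "malwarebytes", "spywareinfo",
                     "bleepingcomputer", "windows defender")

# Addresses a hosts-file hijack typically points blocked sites at (assumption).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^mPolicies-(\w+):\s+(\w+)\s*=\s*(\d+)")
# DDS prints services as: <R|S><start type> <name>;<display name>;<path> [<date> <size>]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(\S.*?)(?:\s+\[[^\]]*\])?$")
# Service Control Manager event 7026 lists drivers that failed to load at boot.
EVENT_7026_RE = re.compile(r"\[7026\].*?failed to load:\s*(.+)$")


def looks_like_security_product(text):
    text = text.lower()
    return any(word in text for word in SECURITY_KEYWORDS)


def parse_services(lines):
    """Map lower-cased service name -> state letter, start type, display name, path."""
    services = {}
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, path = m.groups()
            services[name.strip().lower()] = {
                "state": state, "start": int(start),
                "display": display.strip(), "path": path.strip(),
            }
    return services


def parse_failed_drivers(lines):
    """Collect the driver names named in 7026 events, lower-cased."""
    failed = set()
    for line in lines:
        m = EVENT_7026_RE.search(line)
        if m:
            failed.update(n.lower() for n in m.group(1).split())
    return failed


def triage(lines):
    """Return human-readable findings, in log order for the line-based checks."""
    findings = []
    for line in lines:
        m = POLICY_RE.match(line)
        if m and m.group(2) == "EnableLUA" and m.group(3) == "0":
            findings.append("UAC disabled by policy (EnableLUA = 0)")
        m = HOSTS_RE.match(line)
        if m and m.group(1) in SINKHOLE_IPS and looks_like_security_product(m.group(2)):
            findings.append(f"hosts file maps security site {m.group(2)} to {m.group(1)}")
    # Cross-reference the 7026 failure list with the service table so that only
    # drivers belonging to a security product are reported.
    services = parse_services(lines)
    for name in sorted(parse_failed_drivers(lines)):
        svc = services.get(name)
        if svc and looks_like_security_product(svc["display"] + " " + svc["path"]):
            findings.append(f"security driver {name} ({svc['display']}) failed to load at boot")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print("[!]", finding)
```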

peku006
2010-01-15, 10:58
Hi az-apache

1 - TFC (Temp File Cleaner)


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Rkill

Please download Rkill (http://download.bleepingcomputer.com/grinler/rkill.pif) by Grinler and save it to your desktop.
Link 2 (http://download.bleepingcomputer.com/grinler/rkill.scr)
Link 3 (http://download.bleepingcomputer.com/grinler/rkill.com)
Link 4 (http://download.bleepingcomputer.com/grinler/rkill.exe)

Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm).
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.

You will need to run the application again if rebooting the computer occurs along the way.

3 - Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed: Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

4 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log

Thanks peku006

az-apache
2010-01-15, 15:32
Malwarebytes' Anti-Malware 1.44
Database version: 3568
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18865

1/15/2010 6:27:47 AM
mbam-log-2010-01-15 (06-27-47).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 460367
Time elapsed: 1 hour(s), 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

peku006
2010-01-16, 10:40
Hi az-apache

You should run these tools in normal mode.

1 - Download and Run ComboFix

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)

Thanks peku006

az-apache
2010-01-16, 15:22
I received an immediate BSOD when I rebooted into normal mode. Could not run ComboFix.exe

peku006
2010-01-16, 15:38
Hi az-apache

Please try to run ComboFix in safe mode

Thanks peku006

az-apache
2010-01-16, 15:47
No luck

peku006
2010-01-16, 15:53
Hi az-apache

Download RootRepeal from the following location and save it to your desktop.

Link 1 (http://rootrepeal.googlepages.com/RootRepeal.zip)
Link 2 (http://ad13.geekstogo.com/RootRepeal.zip)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.zip)

Unzip it to your Desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT

Click the OK button
Check the box for your main system drive (Usually C:), and Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running

When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program
peku006

az-apache
2010-01-16, 18:35
Received an error during RootRepeal execution: "Attempt to write address 0x00000004". Clicked OK, received another error: "Could not read our index block!" with an OK box or a Details box. Clicked Details: RootRepeal Error, Attempt to read from address 0x00000114.


ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP2
Exception Code: 0xc0000005
Exception Address: 0x00456d83
Attempt to read from address: 0x00000114

peku006
2010-01-17, 11:02
Hi az-apache

Ok, let´s try this....

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

Right click on gmer.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Click Next. It will start extracting.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it.
Select the Rootkit tab.
On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
Select all drives that are connected to your system to be scanned.
Click on the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into the text editor.
Save the Gmer scan log and post it in your next reply.
Close Gmer.
Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
In Command Prompt, type in net stop gmer. Press Enter.
Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Thanks peku006

az-apache
2010-01-17, 12:26
It does not appear in the Task Manager.

az-apache
2010-01-17, 12:47
It loaded, but after a short period of time into the scan it terminated with an unknown error.

az-apache
2010-01-17, 12:59
It displays a service in red: c:\windows\system32\drivers\H8SRTfweexjrkyh.sys (*** hidden *... [SYSTEM H8SRTd.sys

And it displays a message that GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system?

Then after a few minutes of scanning it got an unknown failure.

peku006
2010-01-17, 13:58
Hi az-apache

it seems that you have a rootkit which causes all the problems

Download Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.

Open the Avenger folder and double click Avenger.exe to launch the programme.
Copy the text in the code box below and Paste it into the Input script here: box.


Drivers to delete:
H8SRTd.sys

Files to delete:
c:\windows\system32\drivers\H8SRTfweexjrkyh.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Ensure the following:

Scan for Rootkits is checked.
Automatically disable any rootkits found is Unchecked.

Press the Execute key.
Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
Post the log back here please. (it can also be found at C:\avenger.txt)


Thanks peku006
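Added example for this thread (not code from the forum, from GMER or from the helper): a small Python triage script for a GMER log. It reads the line shapes GMER prints in the sections quoted above (kernel and user-mode inline hooks, IAT entries, modules the kernel has loaded but GMER cannot find on disk, and the "(*** hidden ***)" service line that GMER shows in red) and orders them the way a helper reads the log: the hidden service and any JMP planted in the kernel I/O path first. The sample log is constructed from the shape of the lines in this thread; the Service line is an assumed reconstruction of the truncated red line az-apache quoted, and the severity ranking and the list of "hotspot" kernel routines are this example's own conventions, not GMER's.

```python
"""Triage helper for GMER rootkit-scan logs (added example; see lead-in)."""
import re
from collections import Counter
from dataclasses import dataclass
from ntpath import basename  # splits backslash paths correctly on any host

# Kernel routines on the I/O and registry path that disk rootkits patch to
# hide their driver and filter requests (this example's own list).
KERNEL_HOTSPOTS = {"IofCallDriver", "IofCompleteRequest", "ZwEnumerateKey"}
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntkrpamp.exe", "ntkrnlmp.exe"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Line shapes as GMER prints them in the sections quoted in this thread.
KERNEL_INLINE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<image>\S+)!(?P<func>\S+)\s+[0-9A-F]+"
    r"\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]+)$")
USER_INLINE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>\S+)!(?P<func>\S+)"
    r"\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+[0-9A-F]+$")
IAT = re.compile(
    r"^IAT\s+(?P<module>.+?)\s*\[(?P<export_mod>[^\s!\]]+)!(?P<func>[^\s\]]+)\]"
    r"\s+\[[0-9A-F]+\]\s+(?P<resolver>\S+)(?:\s+\((?P<ident>[^)]*)\))?$")
MISSING = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find")
HIDDEN_SERVICE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[\w+\]\s+(?P<name>\S+)")


@dataclass(frozen=True)
class Finding:
    severity: str
    kind: str
    detail: str


def parse_gmer(text):
    """Return Findings for the suspicious lines of a GMER log, worst first."""
    findings = []
    user_hooks = Counter()  # "dll!func" -> number of hooked processes
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_SERVICE.match(line):
            findings.append(Finding("high", "hidden service",
                                    f"{m['name']} -> {m['path']}"))
        elif m := KERNEL_INLINE.match(line):
            hot = m["image"].lower() in KERNEL_IMAGES and m["func"] in KERNEL_HOTSPOTS
            findings.append(Finding("high" if hot else "medium", "kernel inline hook",
                                    f"{m['image']}!{m['func']} JMP {m['target']}"))
        elif m := USER_INLINE.match(line):
            user_hooks[f"{m['dll']}!{m['func']}"] += 1
        elif m := IAT.match(line):
            # An import should resolve into the module that exports it; any other
            # resolver is a redirection, and GMER names the file only if identified.
            if basename(m["resolver"]).lower() != m["export_mod"].lower():
                who = m["ident"] or "unidentified file"
                findings.append(Finding("medium", "IAT redirection",
                                        f"{basename(m['module'])} {m['export_mod']}!"
                                        f"{m['func']} -> {m['resolver']} ({who})"))
        elif m := MISSING.match(line):
            findings.append(Finding("medium", "loaded module missing on disk", m["path"]))
    for hook, n in user_hooks.items():
        # The same hook in services.exe, lsass.exe and friends is system-wide injection.
        findings.append(Finding("medium" if n >= 3 else "low", "user-mode inline hook",
                                f"{hook} hooked in {n} process(es)"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.kind, f.detail))
    return findings


def severity_counts(findings):
    """Map severity -> number of findings, for the one-line summary."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample in the shape of the lines quoted in this thread (the Service
# line is an assumed reconstruction of the truncated red line; not the full log).
SAMPLE_LOG = r"""
.text ntkrnlpa.exe!IofCallDriver 82083912 5 Bytes JMP 86BD9332
.text ntkrnlpa.exe!IofCompleteRequest 8208397F 5 Bytes JMP 86B062C3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821EEEF5 5 Bytes JMP 85DFD3BC
PAGE ntkrnlpa.exe!ZwEnumerateKey 8223C0BA 5 Bytes JMP 86B392DC
? System32\Drivers\spml.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8E83041B 5 Bytes JMP 85DF64E0
? C:\Windows\system32\drivers\rootrepeal.sys The system cannot find the file specified. !
.text C:\Windows\system32\wininit.exe[644] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 008D000A
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 0085000A
.text C:\Windows\system32\lsass.exe[740] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 0095000A
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826966A4] \SystemRoot\System32\Drivers\spml.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [826A1D7A] \SystemRoot\System32\Drivers\spml.sys
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_1.0.6002.18005\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
Service C:\Windows\system32\drivers\H8SRTfweexjrkyh.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    results = parse_gmer(SAMPLE_LOG)
    print(severity_counts(results))
    for f in results:
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run it with the saved GMER.txt in place of SAMPLE_LOG (`parse_gmer(open("GMER.txt").read())`). Two caveats the ranking encodes: an IAT redirection of atapi.sys port I/O into a driver GMER cannot identify is reported for review, not as a rootkit, because some legitimate disc-emulation software installs the same kind of hook, so the resolver file has to be identified before anything is deleted; and "loaded module missing on disk" is weak on its own, since in this log one of the two entries is rootrepeal.sys, presumably left registered by the RootRepeal run that crashed earlier in the thread. The hidden service entry and the JMPs in IofCallDriver and IofCompleteRequest are what justify the helper's rootkit conclusion.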

az-apache
2010-01-17, 17:45
Had to rename it then run it.

Here is the log.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 08:40:59
Windows 6.0.6002 Service Pack 2
Running: azapache.exe; Driver: C:\Users\Dale\AppData\Local\Temp\kxldapow.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 85DF6F00
INT 0x62 ? 85DF6F00
INT 0x62 ? 85DF6F00
INT 0x72 ? 85DF6F00
INT 0x82 ? 85DF6F00
INT 0x92 ? 85A1DF00
INT 0x92 ? 85A1DF00
INT 0x92 ? 85A1DF00
INT 0x92 ? 85A1DF00
INT 0x92 ? 85DF6F00
INT 0x92 ? 85DF6F00
INT 0x92 ? 85A1DF00
INT 0xA2 ? 85A1CDC8

Code 86B392D8 ZwEnumerateKey
Code 85DFD3B8 ZwFlushInstructionCache
Code 86BD932D IofCallDriver
Code 86B062BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 82083912 5 Bytes JMP 86BD9332
.text ntkrnlpa.exe!IofCompleteRequest 8208397F 5 Bytes JMP 86B062C3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821EEEF5 5 Bytes JMP 85DFD3BC
PAGE ntkrnlpa.exe!ZwEnumerateKey 8223C0BA 5 Bytes JMP 86B392DC
? System32\Drivers\spml.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8E83041B 5 Bytes JMP 85DF64E0
? C:\Windows\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wininit.exe[644] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 008D000A
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 0085000A
.text C:\Windows\system32\lsass.exe[740] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 0095000A
.text C:\Windows\system32\lsm.exe[748] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 0099000A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[888] kernel32.dll!CreateProcessW 76371BF3 5 Bytes JMP 008D000A
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826966A4] \SystemRoot\System32\Drivers\spml.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82696046] \SystemRoot\System32\Drivers\spml.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [826967CE] \SystemRoot\System32\Drivers\spml.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826960C4] \SystemRoot\System32\Drivers\spml.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82696142] \SystemRoot\System32\Drivers\spml.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [826A1D7A] \SystemRoot\System32\Drivers\spml.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [7410A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [740BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [740AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [740B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [740AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [740BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [740AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [740AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [740A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7413CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [740DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [740AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [740A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [740A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[416] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [740B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [7410A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [740BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [740AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [740B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [740AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [740BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [740AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [740AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [740A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7413CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [740DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [740AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [740A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [740A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[1184] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [740B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7410A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [740BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7413CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [740DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [7410A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [740BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [740AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [740B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [740AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [740BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [740AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [740AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [740A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7413CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [740DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [740AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [740A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [740A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [740B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [7410A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [740BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [740AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [740B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [740AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [740BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [740AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [740AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [740A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7413CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [740DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [740AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [740A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [740A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5804] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [740B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [740B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [7410A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [740BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [740AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [740B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [740AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [740BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [740AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [740AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [740A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7413CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [740DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [740AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [740A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [740A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5936] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [740B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85A231F8
Device \FileSystem\fastfat \FatCdrom 86DDB3E0
Device \Driver\volmgr \Device\VolMgrControl 85A1F1F8
Device \Driver\usbuhci \Device\USBPDO-0 85E46500
Device \Driver\usbuhci \Device\USBPDO-1 85E46500
Device \Driver\usbuhci \Device\USBPDO-2 85E46500
Device \Driver\usbehci \Device\USBPDO-3 85DFC500
Device \Driver\usbuhci \Device\USBPDO-4 85E46500

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 85E46500
Device \Driver\usbuhci \Device\USBPDO-6 85E46500
Device \Driver\volmgr \Device\HarddiskVolume1 85A1F1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\usbehci \Device\USBPDO-7 85DFC500
Device \Driver\volmgr \Device\HarddiskVolume2 85A1F1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume3 85A1F1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85A211F8
Device \Driver\atapi \Device\Ide\IdePort0 85A211F8
Device \Driver\atapi \Device\Ide\IdePort1 85A211F8
Device \Driver\atapi \Device\Ide\IdePort2 85A211F8
Device \Driver\atapi \Device\Ide\IdePort3 85A211F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 85A211F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-1 85A211F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-3 85A211F8
Device \Driver\sptd \Device\1252262398 spml.sys
Device \Driver\USBSTOR \Device\00000076 86DBA1F8
Device \Driver\USBSTOR \Device\00000077 86DBA1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86D631F8
Device \Driver\Smb \Device\NetbiosSmb 86D1B500
Device \Driver\netbt \Device\NetBT_Tcpip_{DF33B804-E748-42CB-B551-9693686AFD16} 86D631F8
Device \Driver\iScsiPrt \Device\RaidPort0 85ED71F8
Device \Driver\netbt \Device\NetBT_Tcpip_{0AE58012-6A8E-4129-9AA2-3706EE3FDFE1} 86D631F8

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\PCI_PNP6148 \Device\0000005e spml.sys
Device \Driver\usbuhci \Device\USBFDO-0 85E46500
Device \Driver\usbuhci \Device\USBFDO-1 85E46500
Device \Driver\usbuhci \Device\USBFDO-2 85E46500
Device \Driver\usbehci \Device\USBFDO-3 85DFC500
Device \Driver\usbuhci \Device\USBFDO-4 85E46500
Device \Driver\usbuhci \Device\USBFDO-5 85E46500
Device \Driver\usbuhci \Device\USBFDO-6 85E46500
Device \Driver\usbehci \Device\USBFDO-7 85DFC500
Device \Driver\a7dsq8od \Device\Scsi\a7dsq8od1 85ED81F8
Device \Driver\JRAID \Device\Scsi\JRAID1 85A221F8
Device \Driver\a7dsq8od \Device\Scsi\a7dsq8od1Port6Path0Target0Lun0 85ED81F8
Device \FileSystem\fastfat \Fat 86DDB3E0

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTfweexjrkyh.sys (*** hidden *** ) 8F1D5000-8F1F2000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\explorer.exe [416] 0x017B0000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [672] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [972] 0x00330000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1076] 0x001F0000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1100] 0x00340000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1132] 0x008D0000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1176] 0x008D0000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\explorer.exe [1184] 0x01780000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1192] 0x00C60000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1304] 0x00C60000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1508] 0x00C60000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\explorer.exe [2516] 0x018C0000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\explorer.exe [5804] 0x01760000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\explorer.exe [5936] 0x01880000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\H8SRTfweexjrkyh.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfweexjrkyh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTfweexjrkyh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTrsprebpeog.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdrcyawnuiv.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTnbboxtqcnv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcymhvjgbic.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x65 0x7C 0x52 0xC7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 d:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD6 0x1D 0x0C 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC1 0x4D 0x98 0xE5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x65 0x7C 0x52 0xC7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 d:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD6 0x1D 0x0C 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC1 0x4D 0x98 0xE5 ...

---- Files - GMER 1.0.15 ----

File C:\Program Files\VideoLAN\VLC\plugins\libtrivial_channel_mixer_plugin.dll (size mismatch) 38419/29203 bytes executable
File C:\Users\Dale\AppData\Local\Temp\H8SRT88d2.tmp 679936 bytes executable
File C:\Users\Dale\AppData\Local\Temp\h8srtmainqt.dll 16644 bytes
File C:\Windows\System32\drivers\H8SRTfweexjrkyh.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\H8SRTcymhvjgbic.dll 40960 bytes executable
File C:\Windows\System32\H8SRTdektpttbti.dll 16896 bytes executable
File C:\Windows\System32\H8SRTdrcyawnuiv.dat 238 bytes
File C:\Windows\System32\h8srtkrl32mainweq.dll 1179 bytes
File C:\Windows\System32\H8SRTnbboxtqcnv.dll 40960 bytes executable
File C:\Windows\System32\H8SRTrsprebpeog.dll 23040 bytes executable
File C:\Windows\System32\h8srtshsyst.dll 1048 bytes

---- EOF - GMER 1.0.15 ----
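
The GMER output above ties three things together: a hidden kernel module (H8SRTfweexjrkyh.sys), the service key H8SRTd.sys that loads it at system start, and a hidden DLL (H8SRTdektpttbti.dll) mapped into explorer.exe, winlogon.exe and every svchost.exe. The following Python is an added example, not part of the thread or of GMER itself: it parses GMER 1.0.15-format lines and correlates those pieces so the driver, its registry key, its on-disk file and its user-mode payload come out as one finding. The log text it runs on is constructed in the same format as the post above (a reduced copy, not the full log), and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format, modelled on (but shorter than)
# the log posted in the thread. Not a verbatim capture from a live system.
SAMPLE_GMER_LOG = r"""
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTfweexjrkyh.sys (*** hidden *** ) 8F1D5000-8F1F2000 (118784 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\explorer.exe [416] 0x017B0000
Library \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [672] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\H8SRTfweexjrkyh.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfweexjrkyh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTdektpttbti.dll
---- Files - GMER 1.0.15 ----
File C:\Windows\System32\drivers\H8SRTfweexjrkyh.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\H8SRTdektpttbti.dll 16896 bytes executable
---- EOF - GMER 1.0.15 ----
"""

HIDDEN = "(*** hidden *** )"
ROOTKIT = "<-- ROOTKIT !!!"


def basename(path):
    """Lower-cased final component of a Win32 or NT-style path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Collect the objects from a GMER log that matter for rootkit triage."""
    found = {
        "hidden_modules": [],          # kernel modules missing from the normal module list
        "injected": defaultdict(set),  # hidden DLL basename -> processes it was mapped into
        "services": [],                # (service name, image path) for hidden services
        "reg": defaultdict(dict),      # service name -> {value name: data}
        "files": [],                   # (path, flagged as ROOTKIT by GMER)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        kind, _, rest = line.partition(" ")
        if kind == "Module" and HIDDEN in rest:
            found["hidden_modules"].append(rest.split(" " + HIDDEN)[0])
        elif kind == "Library" and HIDDEN in rest:
            dll, _, host = rest.partition(" @ ")
            # host looks like 'C:\Windows\explorer.exe [416] 0x017B0000'; drop the base address
            found["injected"][basename(dll.split(" " + HIDDEN)[0])].add(host.rsplit(" ", 1)[0])
        elif kind == "Service":
            m = re.match(r"^(.*?) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)", rest)
            if m:
                found["services"].append((m.group(2), m.group(1)))
        elif kind == "Reg":
            key, _, data = rest.partition(" ")
            if "@" in key and "\\Services\\" in key:
                subkey, _, value = key.rpartition("@")
                service = subkey.split("\\Services\\", 1)[1].split("\\")[0]
                found["reg"][service][value.lower()] = data
        elif kind == "File":
            m = re.match(r"^(.*?) \S+ bytes", rest)
            if m:
                found["files"].append((m.group(1), ROOTKIT in rest))
    return found


def triage(found):
    """For each hidden service, tie together its registry key, the on-disk driver,
    the hidden in-memory module and the DLLs it pushes into user-mode processes."""
    hidden_names = {basename(m) for m in found["hidden_modules"]}
    report = []
    for name, image in found["services"]:
        reg = found["reg"].get(name, {})
        driver = basename(reg.get("imagepath", image))
        # Values under the service key whose data is a DLL are the user-mode payload;
        # cross-check them against what GMER saw mapped into processes.
        payload = sorted({basename(v) for v in reg.values() if v.lower().endswith(".dll")})
        hosts = sorted(h for dll in payload for h in found["injected"].get(dll, ()))
        report.append({
            "service": name,
            "driver": driver,
            "driver_hidden_in_memory": driver in hidden_names,
            # Start=1 is SERVICE_SYSTEM_START: loaded during kernel initialisation,
            # before any user-mode antivirus service can run.
            "system_start": reg.get("start") == "1",
            "on_disk_flagged": any(basename(p) == driver and f for p, f in found["files"]),
            "payload_dlls": payload,
            "injected_into": hosts,
        })
    return report


if __name__ == "__main__":
    for entry in triage(parse_gmer(SAMPLE_GMER_LOG)):
        for k, v in entry.items():
            print(f"{k:>24}: {v}")
```

Run stand-alone it prints one finding for H8SRTd.sys with the driver marked hidden in memory, flagged on disk, system-start, and its payload DLL mapped into two processes. For a real case, read the saved GMER text file and pass its contents to parse_gmer; a service whose image path is hidden in memory and whose key carries DLL-valued entries is the shape to treat as a kernel-mode infection rather than a stray startup item.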

az-apache
2010-01-17, 18:16
What's next?

peku006
2010-01-17, 19:20
Hi az-apache

Let's run TDSSKiller by Kaspersky.

-Download TDSS Killer (http://support.kaspersky.com/viruses/solutions?qid=208280684) and save to your Desktop. Also print out those instructions on the same page for running the scan.

-Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

-Go to Start ->Run. Type/Copy and Paste the following text into the prompt:


"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v

-Click OK.
-If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.

-After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
-A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).

Thanks peku006

az-apache
2010-01-17, 23:03
14:01:01:065 4500 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
14:01:01:065 4500 ================================================================================
14:01:01:065 4500 SystemInfo:

14:01:01:065 4500 OS Version: 6.0.6002 ServicePack: 2.0
14:01:01:066 4500 Product type: Workstation
14:01:01:066 4500 ComputerName: DALE-PC
14:01:01:066 4500 UserName: Dale
14:01:01:066 4500 Windows directory: C:\Windows
14:01:01:066 4500 Processor architecture: Intel x86
14:01:01:066 4500 Number of processors: 4
14:01:01:066 4500 Page size: 0x1000
14:01:01:068 4500 Boot type: Normal boot
14:01:01:068 4500 ================================================================================
14:01:01:074 4500 UnloadDriverW: NtUnloadDriver error 2
14:01:01:074 4500 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:01:01:075 4500 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
14:01:02:830 4500 UtilityInit: KLMD drop and load success
14:01:02:830 4500 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
14:01:02:831 4500 UtilityInit: KLMD open success
14:01:02:831 4500 UtilityInit: Initialize success
14:01:02:831 4500
14:01:02:831 4500 Scanning Services ...
14:01:02:831 4500 CreateRegParser: Registry parser init started
14:01:02:831 4500 CreateRegParser: DisableWow64Redirection error
14:01:02:831 4500 wfopen_ex: Trying to open file C:\Windows\system32\config\system
14:01:02:831 4500 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
14:01:02:832 4500 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:01:02:832 4500 wfopen_ex: Trying to KLMD file open
14:01:02:832 4500 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
14:01:02:832 4500 wfopen_ex: File opened ok (Flags 2)
14:01:02:845 4500 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1B112A0
14:01:02:845 4500 wfopen_ex: Trying to open file C:\Windows\system32\config\software
14:01:02:845 4500 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
14:01:02:845 4500 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:01:02:845 4500 wfopen_ex: Trying to KLMD file open
14:01:02:845 4500 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
14:01:02:845 4500 wfopen_ex: File opened ok (Flags 2)
14:01:02:845 4500 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1B112C8
14:01:02:845 4500 CreateRegParser: EnableWow64Redirection error
14:01:02:845 4500 CreateRegParser: RegParser init completed
14:01:03:290 4500 GetAdvancedServicesInfo: Raw services enum returned 463 services
14:01:03:299 4500 fclose_ex: Trying to close file C:\Windows\system32\config\system
14:01:03:300 4500 fclose_ex: Trying to close file C:\Windows\system32\config\software
14:01:03:300 4500
14:01:03:300 4500 Scanning Kernel memory ...
14:01:03:301 4500 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:01:03:301 4500 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85A3CAB0
14:01:03:301 4500 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
14:01:03:301 4500
14:01:03:301 4500 DetectCureTDL3: DEVICE_OBJECT: 87690378
14:01:03:301 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87690378
14:01:03:301 4500 DetectCureTDL3: DEVICE_OBJECT: 862B2A08
14:01:03:301 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 862B2A08
14:01:03:301 4500 KLMD_ReadMem: Trying to ReadMemory 0x862B2A08[0x38]
14:01:03:301 4500 DetectCureTDL3: DRIVER_OBJECT: 86611828
14:01:03:301 4500 KLMD_ReadMem: Trying to ReadMemory 0x86611828[0xA8]
14:01:03:301 4500 KLMD_ReadMem: Trying to ReadMemory 0x88056CB0[0x1E]
14:01:03:301 4500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
14:01:03:301 4500 DetectCureTDL3: IrpHandler (0) addr: 867E71F8
14:01:03:301 4500 DetectCureTDL3: IrpHandler (1) addr: 8202B9D2
14:01:03:301 4500 DetectCureTDL3: IrpHandler (2) addr: 867E71F8
14:01:03:301 4500 DetectCureTDL3: IrpHandler (3) addr: 867E71F8
14:01:03:301 4500 DetectCureTDL3: IrpHandler (4) addr: 867E71F8
14:01:03:301 4500 DetectCureTDL3: IrpHandler (5) addr: 8202B9D2
14:01:03:301 4500 DetectCureTDL3: IrpHandler (6) addr: 8202B9D2
14:01:03:301 4500 DetectCureTDL3: IrpHandler (7) addr: 8202B9D2
14:01:03:301 4500 DetectCureTDL3: IrpHandler (8) addr: 8202B9D2
14:01:03:301 4500 DetectCureTDL3: IrpHandler (9) addr: 8202B9D2
14:01:03:301 4500 DetectCureTDL3: IrpHandler (10) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (11) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (12) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (13) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (14) addr: 867E71F8
14:01:03:302 4500 DetectCureTDL3: IrpHandler (15) addr: 867E71F8
14:01:03:302 4500 DetectCureTDL3: IrpHandler (16) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (17) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (18) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (19) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (20) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (21) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (22) addr: 867E71F8
14:01:03:302 4500 DetectCureTDL3: IrpHandler (23) addr: 867E71F8
14:01:03:302 4500 DetectCureTDL3: IrpHandler (24) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (25) addr: 8202B9D2
14:01:03:302 4500 DetectCureTDL3: IrpHandler (26) addr: 8202B9D2
14:01:03:302 4500 KLMD_ReadMem: Trying to ReadMemory 0x985C8F26[0x400]
14:01:03:302 4500 TDL3_StartIoHookDetect: CheckParameters: 4, 985CD000, 0
14:01:03:302 4500 TDL3_FileDetect: Processing driver: USBSTOR
14:01:03:302 4500 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:01:03:302 4500 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:01:03:308 4500 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:01:03:308 4500
14:01:03:308 4500 DetectCureTDL3: DEVICE_OBJECT: 85A3E4B8
14:01:03:308 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85A3E4B8
14:01:03:308 4500 DetectCureTDL3: DEVICE_OBJECT: 8583F918
14:01:03:308 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8583F918
14:01:03:308 4500 DetectCureTDL3: DEVICE_OBJECT: 8499B5D8
14:01:03:308 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8499B5D8
14:01:03:308 4500 KLMD_ReadMem: Trying to ReadMemory 0x8499B5D8[0x38]
14:01:03:308 4500 DetectCureTDL3: DRIVER_OBJECT: 85890CC8
14:01:03:308 4500 KLMD_ReadMem: Trying to ReadMemory 0x85890CC8[0xA8]
14:01:03:308 4500 KLMD_ReadMem: Trying to ReadMemory 0x8588E868[0x1A]
14:01:03:308 4500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:01:03:308 4500 DetectCureTDL3: IrpHandler (0) addr: 858101F8
14:01:03:308 4500 DetectCureTDL3: IrpHandler (1) addr: 8202B9D2
14:01:03:308 4500 DetectCureTDL3: IrpHandler (2) addr: 858101F8
14:01:03:308 4500 DetectCureTDL3: IrpHandler (3) addr: 8202B9D2
14:01:03:308 4500 DetectCureTDL3: IrpHandler (4) addr: 8202B9D2
14:01:03:308 4500 DetectCureTDL3: IrpHandler (5) addr: 8202B9D2
14:01:03:308 4500 DetectCureTDL3: IrpHandler (6) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (7) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (8) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (9) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (10) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (11) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (12) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (13) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (14) addr: 858101F8
14:01:03:309 4500 DetectCureTDL3: IrpHandler (15) addr: 858101F8
14:01:03:309 4500 DetectCureTDL3: IrpHandler (16) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (17) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (18) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (19) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (20) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (21) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (22) addr: 858101F8
14:01:03:309 4500 DetectCureTDL3: IrpHandler (23) addr: 858101F8
14:01:03:309 4500 DetectCureTDL3: IrpHandler (24) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (25) addr: 8202B9D2
14:01:03:309 4500 DetectCureTDL3: IrpHandler (26) addr: 8202B9D2
14:01:03:309 4500 TDL3_FileDetect: Processing driver: atapi
14:01:03:309 4500 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
14:01:03:309 4500 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
14:01:03:317 4500 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Clean
14:01:03:317 4500
14:01:03:317 4500 DetectCureTDL3: DEVICE_OBJECT: 85A3DA78
14:01:03:317 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85A3DA78
14:01:03:317 4500 DetectCureTDL3: DEVICE_OBJECT: 85899F08
14:01:03:317 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85899F08
14:01:03:317 4500 DetectCureTDL3: DEVICE_OBJECT: 8586A8D0
14:01:03:318 4500 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8586A8D0
14:01:03:318 4500 KLMD_ReadMem: Trying to ReadMemory 0x8586A8D0[0x38]
14:01:03:318 4500 DetectCureTDL3: DRIVER_OBJECT: 85890CC8
14:01:03:318 4500 KLMD_ReadMem: Trying to ReadMemory 0x85890CC8[0xA8]
14:01:03:318 4500 KLMD_ReadMem: Trying to ReadMemory 0x8588E868[0x1A]
14:01:03:318 4500 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:01:03:318 4500 DetectCureTDL3: IrpHandler (0) addr: 858101F8
14:01:03:318 4500 DetectCureTDL3: IrpHandler (1) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (2) addr: 858101F8
14:01:03:318 4500 DetectCureTDL3: IrpHandler (3) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (4) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (5) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (6) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (7) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (8) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (9) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (10) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (11) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (12) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (13) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (14) addr: 858101F8
14:01:03:318 4500 DetectCureTDL3: IrpHandler (15) addr: 858101F8
14:01:03:318 4500 DetectCureTDL3: IrpHandler (16) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (17) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (18) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (19) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (20) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (21) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (22) addr: 858101F8
14:01:03:318 4500 DetectCureTDL3: IrpHandler (23) addr: 858101F8
14:01:03:318 4500 DetectCureTDL3: IrpHandler (24) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (25) addr: 8202B9D2
14:01:03:318 4500 DetectCureTDL3: IrpHandler (26) addr: 8202B9D2
14:01:03:319 4500 TDL3_FileDetect: Processing driver: atapi
14:01:03:319 4500 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
14:01:03:319 4500 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
14:01:03:321 4500 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Clean
14:01:03:321 4500
14:01:03:321 4500 Completed
14:01:03:321 4500
14:01:03:322 4500 Results:
14:01:03:322 4500 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:01:03:322 4500 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:01:03:323 4500 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:01:03:323 4500
14:01:03:324 4500 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
14:01:03:325 4500 UtilityDeinit: KLMD(ARK) unloaded successfully

peku006
2010-01-18, 12:17
Hi az-apache

Please try to run ComboFix

Thanks peku006

peku006
2010-01-18, 12:21
Page 3 was not visible.

az-apache
2010-01-18, 15:13
ComboFix 10-01-17.02 - Dale 01/18/2010 5:58.1.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1786 [GMT -7:00]
Running from: c:\users\Dale\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
C:\install.exe
c:\users\Dale\AppData\Roaming\inst.exe
c:\users\Dale\eula.txt
c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPHW.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0460W.DAT
c:\windows\system32\Data\CTP0462W.DAT
c:\windows\system32\Data\CTP0463W.DAT
c:\windows\system32\Data\CTP0464W.DAT
c:\windows\system32\Data\CTP0465W.DAT
c:\windows\system32\Data\CTP0466W.DAT
c:\windows\system32\Data\CTP0468W.DAT
c:\windows\system32\Data\CTP0469W.DAT
c:\windows\system32\Data\CTP046AW.DAT
c:\windows\system32\Data\CTP046BW.DAT
c:\windows\system32\Data\CTP046CW.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0531L.DAT
c:\windows\system32\Data\CTP0531W.DAT
c:\windows\system32\Data\CTP0550W.DAT
c:\windows\system32\Data\CTP055AW.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP0678W.DAT
c:\windows\system32\Data\CTP0679W.DAT
c:\windows\system32\Data\CTP0730W.DAT
c:\windows\system32\Data\CTP073AW.DAT
c:\windows\system32\Data\CTP0760W.DAT
c:\windows\system32\Data\CTP0773W.DAT
c:\windows\system32\Data\CTP0930W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\Data\cts20x.dat
c:\windows\system32\Data\CTXFICBM.RFX
c:\windows\system32\Data\CTXFICM.RFX
c:\windows\system32\Data\CTXFIEM.RFX
c:\windows\system32\Data\CTXFIGM.RFX
c:\windows\system32\H8SRTcymhvjgbic.dll
c:\windows\system32\H8SRTdektpttbti.dll
c:\windows\system32\H8SRTdrcyawnuiv.dat
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTnbboxtqcnv.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\Startup.exe
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 13:05 . 2010-01-18 13:06 -------- d-----w- c:\users\Dale\AppData\Local\temp
2010-01-18 13:05 . 2010-01-18 13:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-18 12:52 . 2010-01-18 12:54 -------- d-----w- C:\32788R22FWJFW
2010-01-17 16:22 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-17 16:22 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-15 11:58 . 2010-01-15 11:58 -------- d-----w- c:\users\Dale\AppData\Roaming\Malwarebytes
2010-01-15 11:58 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 11:58 . 2010-01-15 11:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 11:58 . 2010-01-15 11:58 -------- d-----w- c:\programdata\Malwarebytes
2010-01-15 11:58 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 10:50 . 2010-01-08 10:50 -------- d-----w- c:\users\Dale\AppData\Roaming\FFSJ
2010-01-08 10:43 . 2010-01-08 10:43 -------- d-----w- c:\windows\system32\FFSJ
2009-12-26 18:15 . 2009-12-26 18:15 320 ----a-w- c:\windows\system32\filerenamerrer.sys
2009-12-26 16:34 . 2009-12-26 17:54 224 ----a-w- c:\windows\system32\filerenamerred.sys
2009-12-26 16:34 . 2004-02-23 07:00 150528 ----a-w- c:\windows\system32\TLBINF32.DLL
2009-12-25 20:27 . 2009-12-25 20:27 138168 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-25 17:03 . 2009-11-03 03:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-25 16:50 . 2009-11-04 23:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-25 16:50 . 2009-11-04 23:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-25 16:50 . 2009-11-04 23:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-25 16:50 . 2009-07-16 19:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-25 16:50 . 2009-12-25 16:50 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-25 16:50 . 2009-12-25 16:50 -------- d-----w- c:\program files\McAfee.com
2009-12-25 16:50 . 2010-01-08 22:45 -------- d-----w- c:\program files\McAfee
2009-12-25 16:47 . 2009-11-04 23:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-25 12:59 . 2009-12-25 12:59 -------- d-----w- c:\program files\iPod
2009-12-25 12:56 . 2009-12-25 12:57 -------- d-----w- c:\program files\QuickTime
2009-12-25 12:54 . 2009-12-25 12:54 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 12:56 . 2008-11-09 12:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-18 12:47 . 2007-10-23 03:07 -------- d-----w- c:\users\Dale\AppData\Roaming\uTorrent
2010-01-18 10:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-17 21:33 . 2008-11-09 12:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-17 15:41 . 2007-10-12 22:43 1356 ----a-w- c:\users\Dale\AppData\Local\d3d9caps.dat
2010-01-05 00:17 . 2007-10-16 00:18 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-05 00:17 . 2007-10-16 00:18 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-03 12:39 . 2009-12-06 16:49 -------- d-----w- c:\program files\PeerGuardian2
2009-12-25 16:54 . 2007-10-13 14:39 -------- d-----w- c:\programdata\McAfee
2009-12-25 12:59 . 2009-10-18 17:40 -------- d-----w- c:\program files\iTunes
2009-12-25 12:59 . 2007-10-16 14:23 -------- d-----w- c:\program files\Common Files\Apple
2009-12-22 12:12 . 2009-07-20 12:48 -------- d-----w- c:\users\Dale\AppData\Roaming\vlc
2009-12-17 05:35 . 2009-12-06 14:38 439816 ----a-w- c:\users\Dale\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-01 01:08 . 2008-04-16 14:20 -------- d-----w- c:\users\Dale\AppData\Roaming\Vso
2009-12-01 01:08 . 2009-12-01 01:08 -------- d-----w- c:\program files\DVDFab 6
2009-11-28 02:34 . 2009-11-28 02:34 -------- d-----w- c:\programdata\BioWare
2009-11-27 17:55 . 2007-10-13 19:54 -------- d-----w- c:\programdata\Media Center Programs
2009-11-21 06:40 . 2009-12-10 03:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 03:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 03:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 03:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 10:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-09 12:31 . 2009-12-10 11:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 11:40 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 11:40 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-09 01:21 . 2009-06-06 13:59 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-09 01:21 . 2009-06-06 13:59 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-04 23:54 . 2009-11-04 23:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 09:17 . 2009-11-25 10:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-20 20:33 . 2009-11-07 10:22 545280 ----a-w- c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-10-20 20:33 . 2009-11-07 10:22 4716544 ----a-w- c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\components\cooliris.dll
2009-10-20 20:33 . 2009-11-07 10:22 153600 ----a-w- c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-10-20 20:33 . 2009-11-07 10:22 103424 ----a-w- c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-10-20 20:33 . 2009-11-07 10:22 344064 ----a-w- c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Steam"="d:\program files\steam\steam.exe" [2009-10-31 1217808]
"ABIT uGuruIII"="c:\program files\U-ABIT\uGuru\LaunchuGuru.exe" [2007-02-09 22528]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"igndlm.exe"="d:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTXFIREG"="CTxfiReg.exe" [2007-05-10 43520]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 92704]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"VolPanel"="c:\program files\Creative\USB Headsets\Volume Panel\VolPanlu.exe" [2008-08-28 233588]
"CTHelper"="CTHELPER.EXE" [2007-05-10 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-05-10 19968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]
"CtxfiReg"="CTXFIREG.exe" [2007-05-10 43520]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Iomega StorCenter.lnk - c:\program files\Iomega StorCenter\sohoclient.exe [2009-11-14 1865040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2007-12-22 07:20 222080 ----a-w- d:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 22:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2007-03-05 21:57 1103480 ----a-w- d:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
2008-05-23 21:51 688217 ----a-w- c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-12-07 22:08 21686568 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-12-30 21:27 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSClientFinder]
2004-11-12 16:38 45056 ----a-w- c:\program files\vsclient\VSClientFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):dd,c9,78,bd,8b,34,ca,01

R1 UGURU;UGURU;c:\windows\System32\drivers\uGuru.sys [10/13/2007 7:57 AM 21048]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/25/2009 9:52 AM 93320]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [12/17/2007 7:16 PM 715248]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/9/2008 5:53 AM 1153368]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [9/7/2009 8:44 AM 79360]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [11/27/2009 2:08 PM 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/22/2008 4:04 PM 21504]
S3 skfiltv;skfiltv;c:\windows\System32\drivers\skfiltv.sys [9/7/2009 8:47 AM 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 00:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 17:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-25 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-25 19:22]

2010-01-17 c:\windows\Tasks\User_Feed_Synchronization-{7E19759A-658D-4CB0-93F9-50F32AAE7E4D}.job
- c:\windows\system32\msfeedssync.exe [2009-12-10 04:59]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - d:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\hoy92zrr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: d:\program files\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinSys2 - c:\windows\system32\startup.exe
AddRemove-File Splitter and Joiner_is1 - c:\windows\unins000.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 06:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\users\Dale\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1471351151-1603121566-3479547269-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*R‘•Na0j00\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1471351151-1603121566-3479547269-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*@*ōusY-*M*O*M*O*ųvd¨Ch\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1471351151-1603121566-3479547269-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:dc,17,f3,be,81,90,89,a7,e5,78,e4,63,ef,9e,a5,03,11,ca,27,b2,99,b5,77,
07,9b,ad,87,fb,19,fa,f7,bd,b9,06,28,2f,96,3e,c6,5b,54,bc,90,c2,e1,28,48,61,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-1471351151-1603121566-3479547269-1000\Software\SecuROM\License information*]
"datasecu"=hex:c5,ea,6e,b4,7e,66,1e,1d,55,5e,c9,13,59,ef,37,33,9a,9d,7f,7f,88,
3e,72,92,1b,4d,9f,f0,9b,37,c2,f2,f5,94,a8,c6,e9,d1,3a,e6,9d,4a,03,73,1c,2c,\
"rkeysecu"=hex:c9,1c,f9,51,31,cc,79,67,72,bf,bc,8a,81,68,78,6b

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-01-18 06:08:39
ComboFix-quarantined-files.txt 2010-01-18 13:08

Pre-Run: 28,835,500,032 bytes free
Post-Run: 28,730,695,680 bytes free

- - End Of File - - F35A66202DABBD8018BF71BDEC85ECC8

peku006
2010-01-18, 15:27
Hi az-apache

How's the computer running now? Any problems?

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/ActiveX control to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

az-apache
2010-01-19, 00:06
Things seem a bit sluggish but at least I'm out of Safe mode. Many Thanks Obie Wan.

Eset Log

C:\Qoobox\Quarantine\C\Windows\System32\H8SRTcymhvjgbic.dll.vir a variant of Win32/Kryptik.BWG trojan
C:\Qoobox\Quarantine\C\Windows\System32\H8SRTdektpttbti.dll.vir a variant of Win32/Kryptik.BWG trojan
C:\Qoobox\Quarantine\C\Windows\System32\H8SRTnbboxtqcnv.dll.vir a variant of Win32/Kryptik.BWG trojan
C:\Users\Dale\Desktop\Jar\Hirens.BootCD.9.6.with.keyboardpatch-MaxT.dk.zip probably unknown NewHeur_PE virus
C:\Users\Dale\Desktop\Jar\Hirens.BootCD.9.6\Hiren's.BootCD.9.6.iso probably unknown NewHeur_PE virus


=====

Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:50 PM, on 1/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Creative\USB Headsets\Volume Panel\VolPanlu.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Steam\Steam.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Iomega StorCenter\sohoclient.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Users\Dale\Desktop\AntiV\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\USB Headsets\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\LaunchuGuru.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'Default user')
O4 - Global Startup: Iomega StorCenter.lnk = C:\Program Files\Iomega StorCenter\sohoclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - d:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - d:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 10346 bytes


Anything else I should do?
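The two HijackThis logs in this thread contain three patterns an analyst reads for by eye: O4 Run entries that name a bare file (CTHELPER.EXE, CTxfiReg.exe), which is why catchme listed them with a trailing "?" since it could not resolve where they live; O4 entries in the HKUS\S-1-5-18 (SYSTEM) profile; and O23 services reported as "Unknown owner". The script below is an added example, not part of the original post or of HijackThis, that encodes those three rules and runs them over a handful of lines copied from the log above (the sample text is constructed from this page; the rule wording and the `Finding` type are the example's own):

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines.

Added example, not part of the original thread. The rules encode three
things an analyst looks for in the logs above: Run entries that name a
bare file (catchme shows these with a trailing '?' because it cannot
resolve them), Run entries living in the SYSTEM/.DEFAULT profile, and
services whose binary carries no company name ("Unknown owner").
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$')
O23_PREFIX = "O23 - Service: "
# First path-like token ending in an executable extension, spaces allowed (unquoted %ProgramFiles% paths).
EXT_RE = re.compile(r'(.+?\.(?:exe|dll|cpl|scr|com))(?=[\s,]|$)', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "run" or "service"
    name: str    # Run value name or service display name
    image: str   # executable/DLL the entry launches
    reason: str


def image_of(cmd: str) -> str:
    """Return the image a Run-key command actually launches."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        image, rest = m.group(1), cmd[m.end():]
    else:
        m = EXT_RE.match(cmd) or re.match(r'\S+', cmd)
        image, rest = m.group(1 if m.lastindex else 0), cmd[m.end():]
    # rundll32 is only a host process; the DLL named after it is what runs.
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll = rest.strip().split(",", 1)[0].strip().strip('"')
        return dll or image
    return image


def triage(log: str) -> List[Finding]:
    """Apply the three rules to every O4/O23 line; one Finding per rule hit."""
    findings: List[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
            image = image_of(cmd)
            if image and "\\" not in image and not image.startswith("%"):
                findings.append(Finding("run", name, image,
                    "bare file name, resolved through the PATH search order (catchme lists these with a '?')"))
            if hive.upper().startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
                findings.append(Finding("run", name, image,
                    "autostarts in the SYSTEM/.DEFAULT profile rather than the logged-on user's"))
            continue
        if line.startswith(O23_PREFIX):
            # Split from the right: the display name itself may contain " - ".
            body = line[len(O23_PREFIX):]
            head, _, path = body.rpartition(" - ")
            name, _, owner = head.rpartition(" - ")
            if owner == "Unknown owner":
                findings.append(Finding("service", name, path,
                    "service binary has no company name in its version resource"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name:20} {f.image:45} {f.reason}")
```

On the sample this flags CTXFIREG and CTHelper (bare names), DevconDefaultDB (SYSTEM profile) and PnkBstrA (no owner), and leaves the rundll32-hosted NvCpl.dll alone because the rule looks at the DLL, not the host. A hit is a prompt to check the file on disk, not a verdict: the Creative entries here are the sound-card helper, and PnkBstrA/PnkBstrB are the PunkBuster anti-cheat services, which ship without a company name and so always show up as "Unknown owner".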

peku006
2010-01-19, 09:41
Hi az-apache

good job :bigthumb: For general slowness, see here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

All logs are OK. We can check if some software needs updating.

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

az-apache
2010-01-19, 12:56
Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 2 (UAC is disabled!)
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
ESET Online Scanner v3
King's Bounty: Armored Princess
McAfee SecurityCenter
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
HijackThis 2.0.2
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

peku006
2010-01-19, 15:55
Hi az-apache

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

Go to Java Site (http://java.sun.com/javase/downloads/index.jsp)
Click to Download Java SE Runtime Environment (JRE) 6 Update 18
In Platform box choose Windows.
Check the box to Accept License Agreement and click Continue.
Click on Windows Offline Installation, click on the link under it which says "jre-6u18-windows-i586-p.exe" and save the downloaded file to your desktop.
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
Reboot your computer


It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=0&esdcanhandle=0&hasjavascript=1&dlm=nos

Install it, then go to Add Remove Programs and remove any older versions that may remain.

Please reply with

a fresh HijackThis log

Thanks peku006
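A way to check which Java entries are stale before the uninstall step, as an added example (Python; not part of this thread, of Security Check or of Sun's installer): it parses Add or Remove Programs display names of the form "Java(TM) 6 Update N", compares them with the release named as current above (6 Update 18) and lists the copies to remove. Each Java update installs side by side with the previous ones, which is why the old, exploitable copies are still present after an update. The display-name patterns, the registry read via `winreg` (the same Uninstall key that Add or Remove Programs shows) and the sample list (copied from the Security Check output earlier in the thread) are assumptions; the script reports, it does not uninstall.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: the display names that the Security Check output
# earlier in the thread reported for this machine.
SAMPLE_PROGRAMS = [
    "HijackThis 2.0.2",
    "Java(TM) 6 Update 11",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Adobe Flash Player 10",
    "Adobe Reader 8.1.2",
]

# The release peku006 names as current at the time of the thread (6u18).
CURRENT_JRE: Tuple[int, int] = (6, 18)

# Assumed display-name forms: "Java(TM) <major> Update <n>" as seen above and
# the older "J2SE Runtime Environment <major>.<minor> Update <n>".
JAVA_NAME_RE = re.compile(
    r"^(?:Java\(TM\)|J2SE Runtime Environment)\s+(?P<major>\d+)(?:\.\d+)?"
    r"(?:\s+Update\s+(?P<update>\d+))?$",
    re.IGNORECASE,
)


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a JRE display name, None for anything else."""
    m = JAVA_NAME_RE.match(display_name.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def audit_java(programs: List[str], current: Tuple[int, int] = CURRENT_JRE) -> Dict[str, object]:
    """Split installed JREs into older-than-current (to uninstall), current,
    and newer-than-reference (the reference itself may be stale)."""
    found: Dict[str, Tuple[int, int]] = {}
    for name in programs:
        version = parse_java_version(name)
        if version is not None:
            found[name] = version
    return {
        "outdated": sorted((n for n, v in found.items() if v < current), key=lambda n: found[n]),
        "has_current": any(v == current for v in found.values()),
        "newer_than_reference": sorted((n for n, v in found.items() if v > current), key=lambda n: found[n]),
    }


def installed_programs_from_registry() -> List[str]:
    """On Windows, read DisplayName from the Uninstall keys; elsewhere return
    the constructed sample so the script still runs offline."""
    if sys.platform != "win32":
        return list(SAMPLE_PROGRAMS)
    import winreg  # Windows-only module
    names: List[str] = []
    for sub in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue  # Wow6432Node does not exist on 32-bit Vista
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                try:
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as k:
                        names.append(str(winreg.QueryValueEx(k, "DisplayName")[0]))
                except OSError:
                    pass  # subkey without a DisplayName
    return names


if __name__ == "__main__":
    report = audit_java(installed_programs_from_registry())
    for name in report["outdated"]:
        print("uninstall:", name)
    print("current JRE present:", report["has_current"])
    for name in report["newer_than_reference"]:
        print("newer than reference (update CURRENT_JRE):", name)
```

Run it again after the update: the four old entries should be gone and `has_current` should be True; if anything shows up as newer than the reference, the hard-coded 6u18 is what is out of date, not the machine.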

az-apache
2010-01-20, 04:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:43 PM, on 1/19/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Creative\USB Headsets\Volume Panel\VolPanlu.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Steam\Steam.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Iomega StorCenter\sohoclient.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Dale\Desktop\AntiV\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\USB Headsets\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\LaunchuGuru.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Global Startup: Iomega StorCenter.lnk = C:\Program Files\Iomega StorCenter\sohoclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - d:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - d:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 10266 bytes


=========

Again thank you for all your help.
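Reading a HijackThis log of this size by eye is error-prone, so here is a small triage script as an added example (Python; not part of this thread or of HijackThis). It parses the O4 (Run and Global Startup) and O23 (service) lines, extracts the image path from each command line (quoted paths, unquoted paths with spaces, rundll32 DLL arguments, %ProgramFiles% expansion) and attaches review reasons: a service whose owner is reported as "Unknown owner", a bare filename with no directory (found through the PATH search order, so hijackable), an image under a user-writable location, and an autorun under the SYSTEM profile hive. The sample lines are copied from the log above except the last one, which is constructed to show a rogue entry and was not in the poster's log; the environment-variable defaults, the user-writable markers and the reason names are assumptions. A reason means "look at this", not "malicious": the PnkBstr services (PunkBuster) are a well-known legitimate case of "Unknown owner".

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log above, plus ONE
# made-up HKCU Run entry (the last line) showing what a rogue autorun looks
# like. That last line was not in the poster's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - Global Startup: Iomega StorCenter.lnk = C:\Program Files\Iomega StorCenter\sohoclient.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - d:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O4 - HKCU\..\Run: [update] C:\Users\Dale\AppData\Local\Temp\update.exe
""".strip().splitlines()

RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_PREFIX = "O23 - Service: "

# Assumed defaults for variables HijackThis leaves unexpanded.
ENV = {"%programfiles%": r"C:\Program Files", "%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif")
# Assumed markers for locations an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\recycler\\", "\\documents and settings\\")


def expand_env(s: str) -> str:
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), s)


def image_path(cmd: str) -> str:
    """Pull the executable (or, for rundll32, the DLL) out of a command line."""
    cmd = expand_env(cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    # Unquoted path that may contain spaces: grow it until it ends in an executable extension.
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0]


def review_reasons(kind: str, hive: str, owner: str, path: str) -> List[str]:
    reasons = []
    low = path.lower()
    if kind == "service" and owner.strip().lower() == "unknown owner":
        reasons.append("unknown_owner")           # no vendor string in the image
    if path and "\\" not in path:
        reasons.append("bare_filename")           # resolved via PATH search order
    if any(m in low for m in USER_WRITABLE):
        reasons.append("user_writable_path")      # typical for rogue autoruns
    if hive.upper().startswith("HKUS\\S-1-5-18"):
        reasons.append("system_account_autorun")  # runs in the SYSTEM profile context
    return reasons


def parse_line(line: str) -> Optional[Dict[str, object]]:
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        path = image_path(m.group("cmd"))
        return {"kind": "run", "name": m.group("name"), "hive": m.group("hive"), "owner": "",
                "path": path, "reasons": review_reasons("run", m.group("hive"), "", path)}
    m = STARTUP_RE.match(line)
    if m:
        path = image_path(m.group("cmd"))
        return {"kind": "startup", "name": m.group("name"), "hive": "Global Startup", "owner": "",
                "path": path, "reasons": review_reasons("startup", "", "", path)}
    if line.startswith(SERVICE_PREFIX):
        # Service names may themselves contain " - ", so split from the right.
        parts = line[len(SERVICE_PREFIX):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            return {"kind": "service", "name": name, "hive": "", "owner": owner,
                    "path": path, "reasons": review_reasons("service", "", owner, path)}
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def needs_review(lines: List[str]) -> Dict[str, List[str]]:
    """Name -> reasons, for every entry that earned at least one reason."""
    return {e["name"]: e["reasons"] for e in triage(lines) if e["reasons"]}


if __name__ == "__main__":
    for name, reasons in needs_review(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Feed it the whole log (`triage(open("hijackthis.log").read().splitlines())`) and work through the entries with reasons first; the rest are still worth a glance, but they are the ones a rogue autorun is least likely to hide among.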

peku006
2010-01-20, 11:12
Hi az-apache

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete dds, Rkill, RootRepeal, gmer, TDSS Killer and Security Check from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

MBAM can be uninstalled via control panel add/remove, but it may be a useful tool to keep: Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Turn off System Restore-Vista

Click the Vista/Start icon.
Right Click >> Computer
Click Properties.
Click the System Protection tab.
Uncheck All drives
Click Turn Off System Restore at the prompt then click Apply.
Restart your computer.

Turn ON System Restore-Vista

Click the Vista/Start icon
Right Click >> Computer
Click Properties.
Click the System Protection tab.
Checkmark All drives that were selected previously then click Apply.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006
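The MVPS approach above relies on loopback entries being harmless sinkholes; the same file is also a favourite target for malware, which adds entries sending update and security-vendor hostnames somewhere else. As an added example (Python; not part of this thread or of the MVPS hosts file), this parser classifies each entry as the default localhost mapping, a loopback/0.0.0.0 sinkhole, a hijack of a protected name, or a redirect of any other name to a non-loopback address, and reports the last two plus anything malformed. The sample file, the list of protected domain suffixes and the documentation-range addresses are constructed for illustration; the "::1 localhost" line is the stock Vista entry that HijackThis listed under O1 above.

```python
import ipaddress
from typing import Dict, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample hosts file: the stock localhost lines, two MVPS-style
# blocking entries using example domains, two made-up bad entries sending a
# protected update hostname and an unrelated name to documentation-range
# addresses, and one malformed line. Nothing here is from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net      # MVPS-style block
127.0.0.1 tracker.example.org
203.0.113.7 update.microsoft.com
198.51.100.9 www.example-bank.com   extra-alias.example-bank.com
this is not a hosts entry
"""

# Assumed list of name suffixes that must never be redirected: Windows Update
# and the security vendors mentioned in this thread.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com",
                      "safer-networking.org", "spybot.info", "malwarebytes.org")


def is_protected(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip: IPAddress, host: str) -> str:
    if host.lower() == "localhost" and ip.is_loopback:
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"   # name is blocked, MVPS style; harmless
    if is_protected(host):
        return "hijack"     # update/AV site sent to an attacker-chosen address
    return "redirect"       # any other name sent to a real address: also suspect


def parse_hosts(text: str) -> List[Dict[str, object]]:
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append({"line": lineno, "ip": fields[0], "host": body, "status": "malformed"})
            continue
        for host in fields[1:]:               # one address may carry several names
            entries.append({"line": lineno, "ip": str(ip), "host": host, "status": classify(ip, host)})
    return entries


def findings(text: str) -> List[Dict[str, object]]:
    """Only the entries a responder should look at."""
    return [e for e in parse_hosts(text) if e["status"] in ("hijack", "redirect", "malformed")]


if __name__ == "__main__":
    for f in findings(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['status']:9} {f['ip']} -> {f['host']}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `findings()`; a long list of sinkhole entries is what a deliberately installed MVPS file looks like, while even a single hijack or redirect entry deserves attention.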

peku006
2010-01-25, 10:28
As this issue appears to be resolved, this topic is now closed

We are pleased to have been of some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)