
Thread: Yet ANOTHER virtumonde victim...

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    5


    And on top of it, it comes with Smitfraud-C.

    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:06:12 PM, on 1/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [Ttoqumo] rundll32.exe "C:\WINDOWS\Vcewew.dll",e
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotda...tDateTeleX.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

    --
    End of file - 6137 bytes


    Thanks in advance!

    Somebody restarted the computer (grrr), so I ran another HJT scan.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:24:35 PM, on 1/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [Ttoqumo] rundll32.exe "C:\WINDOWS\Vcewew.dll",e
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotda...tDateTeleX.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

    --
    End of file - 6518 bytes
    Last edited by tashi; 2009-01-01 at 23:17. Reason: Merged two posts, helpers look for zero response ;-)

  2. #2
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Hi and welcome


    Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


    It appears you have McAfee antivirus and Norton antivirus?
    We only need one on the machine or we will run into problems with fixes needing to be made.
    I need to ask that you make a decision which to keep and which to uninstall.



    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    Download ResetTeaTimer.bat http://downloads.subratam.org/ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    # Open Spybot Search & Destroy.
    # In the Mode menu click "Advanced mode" if not already selected.
    # Choose "Yes" at the Warning prompt.
    # Expand the "Tools" menu.
    # Click "Resident".
    # Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    # In the File menu click "Exit" to exit Spybot Search & Destroy.

    * See this link for a tutorial http://russelltexas.com/malware/teatimer.htm




    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [Ttoqumo] rundll32.exe "C:\WINDOWS\Vcewew.dll",e
    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')




    Next, launch Notepad, (Start > Run, type in: notepad) copy and paste the blue text below in it: (don't forget to copy and paste REGEDIT4)
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ttoqumo"=-

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msiexec.exe"=-

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msiexec.exe"=-


    Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this:
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.




    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)



    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

    C:\WINDOWS\Vcewew.dll <--delete this file

    Now please reboot your machine.



    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    Please include the C:\ComboFix.txt along with a new HJT log in your next reply for further review.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
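
The step in post #2 that turns selected O4 autostart lines into a `"name"=-` registry fix, as an added example that is not part of the thread: it parses the O4 lines of the first HijackThis log, flags entries using three illustrative heuristics (assumptions made here, not the helper's stated criteria), and builds the matching REGEDIT4 deletions. The function names are hypothetical.

```python
import re

# The ten O4 lines of the first HijackThis log in post #1, embedded as sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Ttoqumo] rundll32.exe "C:\WINDOWS\Vcewew.dll",e
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
"""

# HijackThis abbreviates \SOFTWARE\Microsoft\Windows\CurrentVersion\ as "\..\".
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU|HKUS)(\\[^\\]+)?\\\.\.\\(Run\w*): "
    r"\[(.*?)\] (.+?)(?: \(User '[^']*'\))?$"
)
# First program in a command line: a quoted path, or text up to an executable extension.
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)
# A DLL sitting directly in the Windows directory (not in a subfolder such as system32).
ROOT_DLL_RE = re.compile(r'[a-z]:\\windows\\[^\\"]+\.dll', re.I)


def parse_o4(log_text):
    """Return registry autostart entries (full key, value name, command) from O4 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are skipped
        hive, sub, run_key, name, command = m.groups()
        key = "%s%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s" % (
            HIVES[hive], sub or "", run_key)
        entries.append({"key": key, "name": name, "command": command})
    return entries


def image_of(command):
    """Return the program a command line starts."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.split()[0]


def reasons(entry):
    """Illustrative heuristics only (assumptions); a hit means 'review', not 'malicious'."""
    image = image_of(entry["command"])
    base = image.rsplit("\\", 1)[-1].lower()
    found = []
    if base in ("rundll32.exe", "rundll32"):
        if ROOT_DLL_RE.search(entry["command"]):
            found.append("rundll32 loads a DLL from the Windows directory root")
    else:
        if "\\" not in image:
            found.append("program given without a path")
        name = entry["name"].lower()
        if name.endswith((".exe", ".dll")) and name != base:
            found.append("value name imitates a different file name")
    return found


def triage(log_text):
    """Return the parsed O4 entries that trip at least one heuristic."""
    flagged = []
    for entry in parse_o4(log_text):
        why = reasons(entry)
        if why:
            flagged.append(dict(entry, reasons=why))
    return flagged


def build_reg_fix(entries):
    """Build REGEDIT4 text that deletes each listed value ("name"=-), grouped by key."""
    by_key = {}
    for e in entries:
        by_key.setdefault(e["key"], []).append(e["name"])
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append("[%s]" % key)
        for n in names:
            out.append('"%s"=-' % n.replace("\\", "\\\\").replace('"', '\\"'))
        out.append("")
    return "\r\n".join(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print("%s -> %s : %s" % (h["name"], h["command"], "; ".join(h["reasons"])))
    print(build_reg_fix(hits))
```

Review the flagged list by hand before merging any generated file; the R0 start-page entry that was also fixed in the post is outside what this example covers.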

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    5


    I'll do this right away. I actually only have McAfee - I had Norton a while ago, but uninstalled it. For some reason, that piece just won't go away.

  4. #4
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    I'll do this right away. I actually only have McAfee - I had Norton a while ago, but uninstalled it. For some reason, that piece just won't go away.
    Here is a guide for uninstalling Norton, including uninstallers. Be sure to use the uninstaller for the version of Norton/Symantec that was installed on your system. http://basconotw.mvps.org/SymRem.htm


    When you reply please use the Post Reply button, using the Quote button will cut your logs off.
    Last edited by Juliet; 2009-01-06 at 14:18. Reason: additional info

  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    5


    Thanks a bunch! I seem to have cleared off Norton and have run ComboFix. However, there is one problem - no matter what settings I seem to change, I can't seem to shut off McAfee. It won't let itself be shut down. Do you have any solutions?



    Anyways, here are the logs:
    COMBOFIX:
    ComboFix 08-12-31.01 - Anna 2009-01-06 8:45:02.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2219 [GMT -5:00]
    Running from: c:\documents and settings\Anna\Desktop\Fixes\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\_000026_.tmp.dll
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekablltliqh.sys
    c:\windows\system32\msiconf.exe
    c:\windows\system32\pmnljJDT.dll
    c:\windows\system32\prunnet.exe
    c:\windows\system32\seneka.dat
    c:\windows\system32\senekadf.dat
    c:\windows\system32\senekaklhrqakn.dll
    c:\windows\system32\senekalog.dat
    c:\windows\system32\senekaparstymy.dll
    c:\windows\system32\senekatxtqsilc.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SENEKA


    ((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
    .

    2009-01-05 12:21 . 2009-01-05 12:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-01-01 14:07 . 2009-01-01 14:07 <DIR> d-------- c:\documents and settings\Anna\Application Data\Malwarebytes
    2009-01-01 14:07 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-01 14:06 . 2009-01-05 12:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-01 14:06 . 2009-01-01 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-01 14:06 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-01 14:05 . 2009-01-01 14:05 <DIR> d-------- c:\program files\Trend Micro
    2009-01-01 13:48 . 2009-01-01 13:48 <DIR> d-------- C:\VundoFix Backups
    2009-01-01 10:22 . 2009-01-01 10:22 95 --a------ c:\windows\wininit.ini
    2009-01-01 10:02 . 2009-01-01 10:02 <DIR> d-------- c:\documents and settings\Anna\Application Data\McAfee
    2009-01-01 08:14 . 2009-01-01 08:14 40,448 --a------ c:\windows\system32\k9261108.exe
    2009-01-01 07:59 . 2009-01-01 07:59 72,192 --a------ c:\windows\system32\xxyaxWQg.dll
    2009-01-01 07:35 . 2009-01-01 07:35 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-24 17:05 . 2008-12-24 19:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-24 17:05 . 2009-01-06 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-21 13:32 . 2008-12-21 13:32 <DIR> d-------- c:\documents and settings\Anna\Application Data\SPORE
    2008-12-21 13:30 . 2008-12-21 13:30 <DIR> d-------- C:\ProgramData
    2008-12-21 13:30 . 2008-12-21 13:30 <DIR> dr-h----- c:\documents and settings\Anna\Application Data\SecuROM
    2008-12-21 13:28 . 2008-12-21 13:28 18,344 --a------ c:\windows\system32\ealregsnapshot1.reg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-05 22:23 --------- d-----w c:\program files\EA GAMES
    2009-01-01 14:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-12-31 14:54 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-21 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-21 18:30 --------- d-----w c:\program files\Electronic Arts
    2008-12-20 15:29 --------- d-----w c:\program files\Maxis
    2008-11-27 20:50 --------- d-----w c:\program files\CCleaner
    2008-11-08 20:26 --------- d-----w c:\program files\McAfee
    2008-11-07 10:00 --------- d-----w c:\program files\Norton AntiVirus
    2008-11-07 02:29 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-11-07 02:17 --------- d-----w c:\program files\Common Files\McAfee
    2008-11-07 02:16 --------- d-----w c:\program files\McAfee.com
    2008-08-28 22:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3084288]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-07 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2009-01-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2009-01-06 c:\windows\Tasks\poefesul.job
    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{14BC3680-B78F-46D3-A3BD-C2ECF7AD8519} - c:\windows\system32\rqRLcYPG.dll
    BHO-{72B26D79-E6FB-4CAE-86AD-860CA5109830} - (no file)
    BHO-{799BE07F-4FBC-464A-BB6A-C6FAE340CF41} - (no file)
    BHO-{F64E16DE-1DEA-4246-9496-7B91395BA42A} - (no file)
    Notify-acpiz - acpiz.dll
    Notify-cbXRIBrQ - (no file)


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.comcast.net/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    mWindow Title = Windows Internet Explorer provided by Comcast
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
    IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
    Trusted Zone: *.turbotax.com

    c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
    c:\windows\system32\olepro32.dll
    c:\windows\Downloaded Program Files\MaxisHotDateTeleX.ocx
    O16 -: {1671869C-25B3-4C80-9446-8AE6111F8765}
    hxxp://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    c:\windows\Downloaded Program Files\MaxisHotDateTeleX.inf
    FF - ProfilePath - c:\documents and settings\Anna\Application Data\Mozilla\Firefox\Profiles\i6bwnp4n.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-06 08:52:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1177238915-1604221776-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\L*NULL*e*NULL*s*NULL* *NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL* *NULL*D*NULL*e*NULL*l*NULL*u*NULL*x*NULL*e*NULL*]
    @Security="Inherited"

    [HKEY_USERS\S-1-5-21-1177238915-1604221776-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\L*NULL*e*NULL*s*NULL***NULL*S*NULL*i*NULL*m*NULL*s*NULL*"!**NULL*2*NULL* *NULL*B*NULL*o*NULL*n*NULL***NULL*V*NULL*o*NULL*y*NULL*a*NULL*g*NULL*e*NULL*]
    @Security="Inherited"

    [HKEY_USERS\S-1-5-21-1177238915-1604221776-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*H*NULL*&*NULL*M*NULL*®*NULL* *NULL*F*NULL*a*NULL*s*NULL*h*NULL*i*NULL*o*NULL*n*NULL* *NULL*S*NULL*t*NULL*u*NULL*f*NULL*f*NULL*]
    @Security="Inherited"

    [HKEY_USERS\S-1-5-21-1177238915-1604221776-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*K*NULL*i*NULL*t*NULL*c*NULL*h*NULL*e*NULL*n*NULL* *NULL*&*NULL* *NULL*B*NULL*a*NULL*t*NULL*h*NULL* *NULL*I*NULL*n*NULL*t*NULL*e*NULL*r*NULL*i*NULL*o*NULL*r*NULL* *NULL*D*NULL*e*NULL*s*NULL*i*NULL*g*NULL*n*NULL* *NULL*S*NULL*t*NULL*u*NULL*f*NULL*f*NULL*]
    @Security="Inherited"

    [HKEY_USERS\S-1-5-21-1177238915-1604221776-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\L*NULL*e*NULL*s*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*H*NULL*i*NULL*s*NULL*t*NULL*o*NULL*i*NULL*r*NULL*e*NULL*s*NULL* *NULL*d*NULL*e*NULL* *NULL*v*NULL*i*NULL*e*NULL*]
    @Security="Inherited"

    [HKEY_USERS\S-1-5-21-1177238915-1604221776-725345543-1004\Software\SecuROM\License information*NULL*]
    @Security="Inherited"
    "rkeysecu"=hex:fa,e7,c5,a8,35,e1,18,32,54,8f,2a,e7,b7,24,75,29

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\€*NULL*À`Ò*NULL*]
    @Security="Inherited"
    "DisplayName"="?\11?\11??"
    "DeviceDesc"="?\11?\11??"
    "ProviderName"="???\11?\1f?\11??"
    "MFG"="?"
    "ReinstallString"="6.14.10.6444"
    "DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r78628\\driver\\2kxp_inf\\cx_15827.inf\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\progra~1\McAfee\MSC\mcuimgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-06 8:54:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-06 13:54:33

    Pre-Run: 14,055,002,112 bytes free
    Post-Run: 14,726,717,440 bytes free

    589 --- E O F --- 2008-10-24 07:00:51


    HJT:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:55:55 AM, on 1/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotda...tDateTeleX.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

    --
    End of file - 5625 bytes

    Thanks for the help!

  6. #6
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Welcome back


    From what I can see it was more of the Firewall not being disabled.
    The good news is .....it let you continue.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System

    No Validation is required.



    Download the file & save it as it's originally named, next to ComboFix.exe.



    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'NO' to run the full ComboFix scan.




    Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.


    Please open Notepad. *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) Then copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    c:\windows\system32\k9261108.exe
    c:\windows\system32\xxyaxWQg.dll
    c:\windows\Tasks\poefesul.job


    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.






    • Download the latest version of Java Runtime Environment (JRE)
    • Second install - -Java Runtime Environment Offline install

      *** be sure that when you update Java, to uncheck any toolbars for OpenOffice.org if you don't want those added to your computer***

      Click on the Accept License Agreement button Next Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment License Agreement.".
      Download Now! Windows Offline Installation, Multi-language

      Now close all windows, including your browser.
      Double click on the Java installation that you downloaded and follow the prompts.

      NEXT-remove all older versions of Java Go to Start > Control Panel double-click on the Software icon > add/remove programs.
      Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... ) Select it and click Remove.
    • Close any programs you may have running - especially your web browser.
    • Repeat as many times as necessary to remove each older Java version.
    • Reboot your computer once all Java components are removed.






    NEXT**
    Go to Start > Control Panel > Internet Options
    In the General tab, Temporary Internet Files, click: Delete Files. When prompted, check: Delete all offline content
    You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
    Click OK

    For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...

    Then, go to Start >Run and enter: cleanmgr
    Select the drive to clean: C:\
    Check the following boxes and then press OK to remove:
    Temporary Files
    Temporary Internet Files
    RecycleBin

    Agree to the prompt to perform the action...


    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================







    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Please do a scan with Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    * The program will install and then begin downloading the latest definition files.
    * After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    * This will start the program and scan your system.
    * The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    * Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/j...g/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run



    At this time I need an update on how the computer is at the moment.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  7. #7
    Junior Member
    Join Date
    Jan 2009
    Posts
    5

    Default

    I'm working on the Kaspersky scan now. However, the computer I've been fixing seems to have difficulty connecting to the internet. Is there any way I could do this scan offline? I can get files to the computer to run them.

  8. #8
    Junior Member
    Join Date
    Jan 2009
    Posts
    5

    Default

    Haven't yet fixed the internet problem on the other computer (the one that's had the problems and that you have been helping me with).

    Well, here is the combofix log, at any rate. Thanks for all your help.

    ComboFix 08-12-31.01 - Anna 2009-01-06 16:49:25.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2098 [GMT -5:00]
    Running from: c:\documents and settings\Anna\Desktop\Fixes\ComboFix.exe
    Command switches used :: c:\documents and settings\Anna\Desktop\Fixes\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *disabled*
    * Created a new restore point

    FILE ::
    c:\windows\system32\k9261108.exe
    c:\windows\system32\xxyaxWQg.dll
    c:\windows\Tasks\poefesul.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\k9261108.exe
    c:\windows\system32\xxyaxWQg.dll
    c:\windows\Tasks\poefesul.job

    ----- BITS: Possible infected sites -----

    hxxp://childhe.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
    .

    2009-01-06 16:48 . 2009-01-06 16:48 <DIR> d-------- C:\32788R22FWJFW
    2009-01-05 12:21 . 2009-01-05 12:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-01-01 14:07 . 2009-01-01 14:07 <DIR> d-------- c:\documents and settings\Anna\Application Data\Malwarebytes
    2009-01-01 14:07 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-01 14:06 . 2009-01-05 12:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-01 14:06 . 2009-01-01 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-01 14:06 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-01 14:05 . 2009-01-01 14:05 <DIR> d-------- c:\program files\Trend Micro
    2009-01-01 13:48 . 2009-01-01 13:48 <DIR> d-------- C:\VundoFix Backups
    2009-01-01 10:22 . 2009-01-01 10:22 95 --a------ c:\windows\wininit.ini
    2009-01-01 10:02 . 2009-01-01 10:02 <DIR> d-------- c:\documents and settings\Anna\Application Data\McAfee
    2009-01-01 07:35 . 2009-01-01 07:35 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-24 17:05 . 2008-12-24 19:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-24 17:05 . 2009-01-06 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-21 13:32 . 2008-12-21 13:32 <DIR> d-------- c:\documents and settings\Anna\Application Data\SPORE
    2008-12-21 13:30 . 2008-12-21 13:30 <DIR> d-------- C:\ProgramData
    2008-12-21 13:30 . 2008-12-21 13:30 <DIR> dr-h----- c:\documents and settings\Anna\Application Data\SecuROM
    2008-12-21 13:28 . 2008-12-21 13:28 18,344 --a------ c:\windows\system32\ealregsnapshot1.reg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-05 22:23 --------- d-----w c:\program files\EA GAMES
    2009-01-01 14:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-12-31 14:54 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-21 18:30 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-12-21 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-21 18:30 --------- d-----w c:\program files\Electronic Arts
    2008-12-20 15:29 --------- d-----w c:\program files\Maxis
    2008-11-27 20:50 --------- d-----w c:\program files\CCleaner
    2008-11-08 20:26 --------- d-----w c:\program files\McAfee
    2008-11-07 10:00 --------- d-----w c:\program files\Norton AntiVirus
    2008-11-07 02:29 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-11-07 02:17 --------- d-----w c:\program files\Common Files\McAfee
    2008-11-07 02:16 --------- d-----w c:\program files\McAfee.com
    2008-08-28 22:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-06_ 8.53.45.93 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-01-06 13:34:34 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-01-06 20:08:15 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-01-06 13:34:34 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-01-06 20:08:15 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-01-06 13:34:34 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-01-06 20:08:15 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3084288]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-07 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2009-01-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.comcast.net/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    mWindow Title = Windows Internet Explorer provided by Comcast
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
    IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
    Trusted Zone: *.turbotax.com

    c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
    c:\windows\system32\olepro32.dll
    c:\windows\Downloaded Program Files\MaxisHotDateTeleX.ocx
    O16 -: {1671869C-25B3-4C80-9446-8AE6111F8765}
    hxxp://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    c:\windows\Downloaded Program Files\MaxisHotDateTeleX.inf
    FF - ProfilePath - c:\documents and settings\Anna\Application Data\Mozilla\Firefox\Profiles\i6bwnp4n.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-06 16:50:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-01-06 16:51:20
    ComboFix-quarantined-files.txt 2009-01-06 21:51:18
    ComboFix2.txt 2009-01-06 13:54:38

    Pre-Run: 14,628,704,256 bytes free
    Post-Run: 14,617,829,376 bytes free

    163 --- E O F --- 2008-10-24 07:00:51
    Last edited by tashi; 2009-01-21 at 17:59. Reason: Time stamp of archive

  9. #9
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    This last log looks to be in good shape


    Let's check some settings on your system.
    In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for Cable and DSL, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically"
    Press OK twice to get out of the properties screen and reboot if it asks.


    That option might not be available on some systems.
    Next go Start, Run and type cmd and hit OK
    now type:
    ipconfig /flushdns
    (note that a space between ipconfig and / is needed)
    then hit Enter, type exit and hit Enter again.


    Is the machine hooked up to a router or DSL/Cable modem?

    If so try this

    Turn off the router.....turn off the modem and now the computer.

    Wait about 3 minutes
    Turn on the router and wait for the reset lights to finish
    Turn on the modem box and wait for all lights to finish
    Now turn on the computer

    Check to see if you have internet connection on this computer now.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
