
Author Topic: Malware on MS Explorer, Google Chrome, Foxfire but not Safari


oils65mustang

    For MS Explorer, Google Chrome and Firefox I would type in, for example, "newegg" and search. I would click on newegg in the search results and the browser would redirect to another site. These sites vary but all deal with shopping or video viewing like YouTube. It does not redirect to porn or other questionable sites. It would take me three or four attempts to finally get to newegg. I decided to try Safari and thus far I have not had any problems.
    At that time I was running Norton with full protection. I performed full scans; Norton said my computer was clean. I then did research and determined that Spyware Doctor from PC Tools might solve the problem. I scanned with Spyware Doctor and it found adware, spyware, and trojans. They were removed.
    The problem still remained with MS Explorer, Firefox and Google Chrome.
    I found Computer Hope and performed the steps laid out in Computer Hope's malware removal steps. Below are the logs; I separated them with a line of dashes. I have not attempted to use Explorer, Google Chrome or Firefox until I get the adware removed.
    Thanks for the help.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:20:28 PM, on 3/24/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\PC Tools Security\pctsGui.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\PC Tools Security\BDT\FGuard.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PC Tools Security\pctsAuxs.exe
    C:\Program Files\PC Tools Security\pctsSvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PC Tools Security\TFEngine\TFService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HPQ\shared\hpqwmi.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Norton Safe Web Lite BHO - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\coIEPlg.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton Safe Web Lite - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\coIEPlg.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
    O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    O23 - Service: Norton Safe Web Lite (NSL) - Symantec Corporation - C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Security\TFEngine\TFService.exe

    --
    End of file - 8528 bytes

    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6161

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/24/2011 4:59:21 PM
    mbam-log-2011-03-24 (16-59-21).txt

    Scan type: Quick scan
    Objects scanned: 164815
    Time elapsed: 17 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 22
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{A666CBF9-6A04-43A1-AB7C-945FC8B6F055} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{E62A18AC-1B05-4FFD-AE09-8C4B23AD6948} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4E639460-8FC4-45B2-A13C-8BA6FD5478C7} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\VRQScanner.VRQDll.1 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\VRQScanner.VRQDll (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\A9YA3MI1CF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\KCSCPW1HKH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\nortonvrq\Engine\5.0.0.20\vrqscanner.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    ------------------------------------------------------------------------------------------------------------------------------------------------------------
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/24/2011 at 00:07 AM

    Application Version : 4.50.1002

    Core Rules Database Version : 6656
    Trace Rules Database Version: 4478

    Scan type       : Complete Scan
    Total Scan Time : 04:21:13

    Memory items scanned      : 583
    Memory threats detected   : 0
    Registry items scanned    : 7568
    Registry threats detected : 30
    File items scanned        : 119156
    File threats detected     : 2

    Adware.MyWebSearch
       HKU\S-1-5-21-1844237615-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
       HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
       HKU\S-1-5-21-1844237615-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
       HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
       HKU\S-1-5-21-1844237615-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
       HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

    Adware.MyWebSearch/FunWebProducts
       HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
       HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
       HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
       HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
       HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
       HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
       HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
       HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
       HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
       HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
       HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
       HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
       HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
       HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
       HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
       HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
       HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version
       HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
       HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
       HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
       HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
       HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version

    Malware.Trace
       C:\WINDOWS\TASKS\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
       HKU\S-1-5-21-1844237615-527237240-839522115-1003\Software\NtWqIVLZEWZU
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network#uid [ EARL-5E3D7C59F2_00E4E24C ]

    Trojan.Agent/Gen-Koobface[Bonkers]
       C:\PROGRAM FILES\EA GAMES\THE SIMS 2\TSBIN\BM.EXE
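
    The logs above are the raw material a helper reads by hand. As an added example (not a tool from this thread, from Trend Micro, or from Computer Hope), the following Python parses HijackThis v2 lines in the layout shown above and applies three first-pass triage checks a defender would run: R0/R1 URLs whose host is outside an allowlist of this build's vendor defaults, O2/O3/O4/O23 binaries under user-writable directories, and O23 services with no recorded publisher. The allowlist, the user-writable directory list, and the two sample lines marked as constructed are assumptions.

```python
"""Parser for Trend Micro HijackThis v2 log lines plus first-pass triage.
Added example for this thread; not a tool from the thread, Trend Micro, or
Computer Hope. The field layout is taken from the log posted above; the
triage rules and allowlist are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sample input: seven lines copied from the HijackThis log posted above plus
# two constructed lines (the second R0 and the "[constructed]" O4) that show
# what a hijacked start page and a user-profile autorun look like.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\user\Application Data\updater.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Security\TFEngine\TFService.exe
"""


@dataclass
class Entry:
    section: str                 # R0, R1, O2, O4, O23, ...
    raw: str
    name: Optional[str] = None   # setting name, BHO name, Run value name, service name
    clsid: Optional[str] = None
    path: Optional[str] = None   # on-disk binary, where the line names one
    url: Optional[str] = None    # R0/R1 value
    owner: Optional[str] = None  # O23 publisher string


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")


def _exe_path(cmd: str) -> Optional[str]:
    """Pull the binary out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|cpl))", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd or None)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers, blanks and process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    e = Entry(section=sec, raw=line.strip())
    if sec in ("R0", "R1"):
        key, _, value = body.partition(" = ")          # "...\Main,Start Page = http://..."
        e.name, e.url = key.rsplit(",", 1)[-1], value.strip()
    elif sec == "O4":
        r = RUN_RE.search(body)                        # "HKLM\..\Run: [Name] <command>"
        if r:
            e.name, e.path = r.group("name"), _exe_path(r.group("cmd"))
    elif sec in ("O2", "O3", "O23"):
        parts = [p.strip() for p in body.split(" - ")]  # "Kind: name - CLSID/owner - path"
        e.name = parts[0].split(": ", 1)[-1]
        if sec == "O23" and len(parts) >= 3:
            e.owner = parts[1]
        c = CLSID_RE.search(body)
        e.clsid = c.group(0) if c else None
        e.path = parts[-1] if len(parts) > 1 else None
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


# Assumption: vendor defaults for this HP/XP build, read off the log above.
TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.bing.com", "ie.redirect.hp.com"}
# Assumption: directories an unprivileged XP user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """First-pass checks; each hit is (section, reason) for a human to review."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and e.url:
            host = urlparse(e.url).hostname or ""      # ProxyOverride "*.local" has no host
            if host and host not in TRUSTED_URL_HOSTS:
                findings.append((e.section, f"{e.name} set to untrusted host {host}"))
        if e.section in ("O2", "O3", "O4", "O23") and e.path:
            if any(d in e.path.lower() for d in USER_WRITABLE):
                findings.append((e.section, f"{e.name} loads from user-writable path {e.path}"))
        if e.section == "O23" and e.owner == "Unknown owner":
            findings.append((e.section, f"service {e.name} has no recorded publisher: {e.path}"))
    return findings


if __name__ == "__main__":
    for sec, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"[{sec}] {reason}")
```

On the sample above the triage flags the constructed start page, the constructed user-profile autorun, and the "Unknown owner" service; the real Browser Defender service is a PC Tools component, which is exactly why such hits are leads for a human, not verdicts.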

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 996
    • Certifications: List
    • Experience: Expert
    • OS: Windows 8
    Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
    « Reply #1 on: March 25, 2011, 12:49:01 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    ****************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    ***************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log, by copying and pasting it into the reply.
    Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

    oils65mustang

      Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
      « Reply #2 on: March 26, 2011, 08:59:05 PM »
       Hi Dave, thank you for the help. Here are the results of the scans you requested. I hope that it's complete; I'm not sure about firewall stuff.

      Results of screen317's Security Check version 0.99.10 
       Windows XP Service Pack 3 
       Internet Explorer 8 
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Security Center service is not running! This report may not be accurate!
       Windows Firewall Enabled! 
       Norton AntiVirus     
       Antivirus up to date! 
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Malwarebytes' Anti-Malware   
       CCleaner     
       Java(TM) 6 Update 24 
       Java(TM) 6 Update 5 
       Java(TM) 6 Update 7 
       Out of date Java installed!
       Adobe Flash Player    10.2.152.32 
      Adobe Reader 9.4.2
      Out of date Adobe Reader installed!
       Mozilla Firefox (3.6.15) Firefox Out of Date! 
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       Norton ccSvcHst.exe
       ThreatFire TFService.exe
      ``````````End of Log````````````



      .
      DDS (Ver_11-03-05.01) - NTFSx86 
      Run by Earl Young at 19:44:36.90 on Sat 03/26/2011
      internet explorer: 8.0.6001.18702
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.302 [GMT -7:00]
      .
      AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
      AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
      .
      ============== Running Processes ===============
      .
      C:\WINDOWS\system32\svchost -k DcomLaunch
      svchost.exe
      C:\WINDOWS\System32\svchost.exe -k netsvcs
      svchost.exe
      svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\rundll32.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Apoint2K\Apoint.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      C:\Program Files\PC Tools Security\pctsGui.exe
      C:\Program Files\PC Tools Security\BDT\FGuard.exe
      C:\Program Files\Google\Update\GoogleUpdate.exe
      svchost.exe
      C:\Program Files\Apoint2K\Apntex.exe
      C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
      C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
      C:\WINDOWS\system32\svchost.exe -k HPService
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
      C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\Program Files\PC Tools Security\pctsAuxs.exe
      C:\Program Files\PC Tools Security\pctsSvc.exe
      C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
      C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
      C:\WINDOWS\system32\svchost.exe -k imgsvc
      C:\Program Files\HPQ\shared\hpqwmi.exe
      C:\WINDOWS\System32\svchost.exe -k HTTPFilter
      C:\Program Files\PC Tools Security\TFEngine\TFService.exe
      C:\Program Files\Safari\Safari.exe
      C:\Program Files\PC Tools Security\Update.exe
      C:\Documents and Settings\Earl Young\Desktop\dds.scr
      .
      ============== Running Processes ===============
      .
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\rundll32.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Apoint2K\Apoint.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      C:\Program Files\PC Tools Security\pctsGui.exe
      C:\Program Files\PC Tools Security\BDT\FGuard.exe
      C:\Program Files\Google\Update\GoogleUpdate.exe
      C:\Program Files\Apoint2K\Apntex.exe
      C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
      C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
      C:\Program Files\PC Tools Security\pctsAuxs.exe
      C:\Program Files\PC Tools Security\pctsSvc.exe
      C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
      C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\Program Files\HPQ\shared\hpqwmi.exe
      C:\Program Files\PC Tools Security\TFEngine\TFService.exe
      C:\Program Files\Safari\Safari.exe
      C:\Program Files\PC Tools Security\Update.exe
      C:\Documents and Settings\Earl Young\Desktop\dds.scr
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\WINDOWS\System32\svchost.exe -k netsvcs
      C:\WINDOWS\system32\svchost.exe -k NetworkService
      C:\WINDOWS\system32\svchost.exe -k LocalService
      C:\WINDOWS\system32\svchost.exe -k LocalService
      C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
      C:\WINDOWS\system32\svchost.exe -k HPService
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\WINDOWS\system32\svchost.exe -k imgsvc
      C:\WINDOWS\System32\svchost.exe -k HTTPFilter
      .
      ============== Pseudo HJT Report ===============
      .
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_CURRENT_USER\software\microsoft\internet explorer\main
         Disable Script Debugger   REG_SZ            yes
         Anchor Underline   REG_SZ            yes
         Cache_Update_Frequency   REG_SZ            Once_Per_Session
         Display Inline Images   REG_SZ            yes
         Do404Search   REG_BINARY        01000000
         Save_Session_History_On_Exit   REG_SZ            no
         Show_FullURL   REG_SZ            no
         Show_StatusBar   REG_SZ            yes
         Show_ToolBar   REG_SZ            yes
         Show_URLinStatusBar   REG_SZ            yes
         Show_URLToolBar   REG_SZ            yes
         Use_DlgBox_Colors   REG_SZ            yes
         Search Bar   REG_SZ            http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
         XMLHTTP   REG_DWORD         1 (0x1)
         UseClearType   REG_SZ            yes
         SearchMigrated   REG_DWORD         1 (0x1)
         Expand Alt Text   REG_SZ            yes
         Move System Caret   REG_SZ            no
         NoUpdateCheck   REG_DWORD         1 (0x1)
         NscSingleExpand   REG_DWORD         0 (0x0)
         DisableScriptDebuggerIE   REG_SZ            yes
         Error Dlg Displayed On Every Error   REG_SZ            no
         Page_Transitions   REG_DWORD         1 (0x1)
         Enable Browser Extensions   REG_SZ            yes
         UseThemes   REG_DWORD         1 (0x1)
         EnableSearchPane   REG_DWORD         0 (0x0)
         Force Offscreen Composition   REG_DWORD         0 (0x0)
         NotifyDownloadComplete   REG_SZ            no
         AllowWindowReuse   REG_DWORD         1 (0x1)
         Friendly http errors   REG_SZ            yes
         SmoothScroll   REG_DWORD         1 (0x1)
         Enable AutoImageResize   REG_SZ            yes
         Play_Animations   REG_SZ            yes
         Play_Background_Sounds   REG_SZ            yes
         Show image placeholders   REG_DWORD         1 (0x1)
         Print_Background   REG_SZ            no
         AutoSearch   REG_DWORD         4 (0x4)
         FullScreen   REG_SZ            no
         Window_Placement   REG_BINARY        2c0000000200000003000000fffffffffffffff fffffffffffffffff1700000017000000b00300 00a0020000
         CompatibilityFlags   REG_DWORD         0 (0x0)
         ShowedCheckBrowser   REG_SZ            Yes
         Check_Associations   REG_SZ            yes
         Use FormSuggest   REG_SZ            no
         FormSuggest PW Ask   REG_SZ            yes
         Start Page   REG_SZ            http://www.bing.com/
         LastCheckedHi   REG_DWORD         30000561 (0x1c9c5b1)
         IE8RunOnceLastShown   REG_DWORD         1 (0x1)
         IE8RunOnceLastShown_TIMESTAMP   REG_BINARY        84a2a0f99702cb01
         IE8RunOncePerInstallCompleted   REG_DWORD         1 (0x1)
         IE8RunOnceCompletionTime   REG_BINARY        e88f43649802cb01
         IE8TourShown   REG_DWORD         1 (0x1)
         IE8TourShownTime   REG_BINARY        7636609ac2c5c901
         AlwaysShowMenus   REG_DWORD         0 (0x0)
         ControlTooltipCount   REG_DWORD         5 (0x5)
         FormSuggest Passwords   REG_SZ            yes
         NoJITSetup   REG_DWORD         1 (0x1)
         NoWebJITSetup   REG_DWORD         1 (0x1)
         StatusBarOther   REG_DWORD         1 (0x1)
      .
      HKEY_CURRENT_USER\software\microsoft\internet explorer\main\Default Feeds
      .
      HKEY_CURRENT_USER\software\microsoft\internet explorer\main\FeatureControl
      .
      HKEY_CURRENT_USER\software\microsoft\internet explorer\main\WindowsSearch
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
         Enable_Disk_Cache   REG_SZ            yes
         Cache_Percent_of_Disk   REG_BINARY        0a000000
         Delete_Temp_Files_On_Exit   REG_SZ            yes
         Anchor_Visitation_Horizon   REG_BINARY        01000000
         Use_Async_DNS   REG_SZ            yes
         Placeholder_Width   REG_BINARY        1a000000
         Placeholder_Height   REG_BINARY        1a000000
         CompanyName   REG_SZ            Microsoft Corporation
         Custom_Key   REG_SZ            MICROSO
         Wizard_Version   REG_SZ            6.0.2600.0000
         Default_Secondary_Page_URL   REG_MULTI_SZ      \0
         Extensions Off Page   REG_SZ            about:NoAdd-ons
         Security Risk Page   REG_SZ            about:SecurityRisk
         Check_Associations   REG_SZ            yes
         FullScreen   REG_SZ            no
      .
      HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\ErrorThresholds
      .
      HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\FeatureControl
      .
      HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\UrlTemplate
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings
         User Agent   REG_SZ            Mozilla/4.0 (compatible; MSIE 8.0; Win32)
         IE5_UA_Backup_Flag   REG_SZ            5.0
         NoNetAutodial   REG_DWORD         0 (0x0)
         MigrateProxy   REG_DWORD         1 (0x1)
         EmailName   REG_SZ            [email protected]
         AutoConfigProxy   REG_SZ            wininet.dll
         MimeExclusionListForCache   REG_SZ            multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
         WarnOnPost   REG_BINARY        01000000
         UseSchannelDirectly   REG_BINARY        01000000
         EnableHttp1_1   REG_DWORD         1 (0x1)
         PrivacyAdvanced   REG_DWORD         0 (0x0)
         EnableNegotiate   REG_DWORD         1 (0x1)
         ProxyEnable   REG_DWORD         0 (0x0)
         WarnOnZoneCrossing   REG_DWORD         0 (0x0)
         SecureProtocols   REG_DWORD         40 (0x28)
         PrivDiscUiShown   REG_DWORD         1 (0x1)
         EnableAutodial   REG_DWORD         0 (0x0)
         WarnOnIntranet   REG_DWORD         1 (0x1)
         ProxyHttp1.1   REG_DWORD         1 (0x1)
         ShowPunycode   REG_DWORD         0 (0x0)
         EnablePunycode   REG_DWORD         1 (0x1)
         UrlEncoding   REG_DWORD         0 (0x0)
         DisableIDNPrompt   REG_DWORD         0 (0x0)
         CertificateRevocation   REG_DWORD         0 (0x0)
         DisableCachingOfSSLPages   REG_DWORD         0 (0x0)
         WarnonBadCertRecving   REG_DWORD         1 (0x1)
         WarnOnPostRedirect   REG_DWORD         1 (0x1)
         ZonesSecurityUpgrade   REG_BINARY        60f92424c2c5c901
         GlobalUserOffline   REG_DWORD         0 (0x0)
         MaxConnectionsPerServer   REG_DWORD         10 (0xa)
         MaxConnectionsPer1_0Server   REG_DWORD         10 (0xa)
         ProxyOverride   REG_SZ            *.local
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\5.0
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Activities
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Cache
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Connections
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Lockdown_Zones
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\P3P
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Protocols
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Url History
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\ZoneMap
      .
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Zones
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_CURRENT_USER\software\microsoft\internet explorer\search
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks
         {472734EA-242A-422b-ADF8-83D1E48CC825}
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      Error: Key: .default\software\microsoft\internet explorer\urlsearchhooks does not exist!
      URLSearchHooks: H - No File
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
         AutoRestartShell   REG_DWORD         1 (0x1)
         DefaultDomainName   REG_SZ            EARL-5E3D7C59F2
         DefaultUserName   REG_SZ            Earl Young
         LegalNoticeCaption   REG_SZ           
         LegalNoticeText   REG_SZ           
         PowerdownAfterShutdown   REG_SZ            0
         ReportBootOk   REG_SZ            1
         Shell   REG_SZ            explorer.exe
         ShutdownWithoutLogon   REG_SZ            0
         Userinit   REG_SZ            c:\windows\system32\userinit.exe,
         VmApplet   REG_SZ            rundll32 shell32,Control_RunDLL "sysdm.cpl"
         SfcQuota   REG_DWORD         -1 (0xffffffff)
         allocatecdroms   REG_SZ            0
         allocatedasd   REG_SZ            0
         allocatefloppies   REG_SZ            0
         cachedlogonscount   REG_SZ            10
         forceunlocklogon   REG_DWORD         0 (0x0)
         passwordexpirywarning   REG_DWORD         14 (0xe)
         scremoveoption   REG_SZ            0
         AllowMultipleTSSessions   REG_DWORD         1 (0x1)
         UIHost   REG_EXPAND_SZ     logonui.exe
         LogonType   REG_DWORD         1 (0x1)
         Background   REG_SZ            0 0 0
         DebugServerCommand   REG_SZ            no
         SFCDisable   REG_DWORD         0 (0x0)
         WinStationsDisabled   REG_SZ            0
         HibernationPreviouslyEnabled   REG_DWORD         1 (0x1)
         ShowLogonOptions   REG_DWORD         0 (0x0)
         AltDefaultUserName   REG_SZ            Earl Young
         AltDefaultDomainName   REG_SZ            EARL-5E3D7C59F2
         ChangePasswordUseKerberos   REG_DWORD         1 (0x1)
         AutoAdminLogon   REG_SZ            0
         <NO NAME>   REG_SZ           
         System   REG_SZ           
         Taskman   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions
      .
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify
      .
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts
      .
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Credentials
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon
         ParseAutoexec   REG_SZ            1
         ExcludeProfileDirs   REG_SZ            Local Settings;Temporary Internet Files;History;Temp;Local Settings\Application Data\Microsoft\Outlook
         BuildNumber   REG_DWORD         2600 (0xa28)
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows
         DebugOptions   REG_SZ            2048
         Documents   REG_SZ           
         DosPrint   REG_SZ            no
         load   REG_SZ           
         NetMessage   REG_SZ            no
         NullPort   REG_SZ            None
         Programs   REG_SZ            com exe bat pif cmd
         Run   REG_SZ           
         Device   REG_SZ            HP Photosmart Premium C309g-m (Copy 1),winspool,Ne00:
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{0347C33E-8762-4905-BF09-768834316C61} - No File
      BHO:    <NO NAME> - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
      BHO:    <NO NAME> - No File
      BHO:    NoExplorer - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
      BHO:    <NO NAME> - No File
      BHO:    NoExplorer - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
      BHO:    NoExplorer - No File
      BHO:    <NO NAME> - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
      BHO:    NoExplorer - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
      BHO:    <NO NAME> - No File
      BHO:    NoExplorer - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - No File
      BHO:    NoExplorer - No File
      BHO:    <NO NAME> - No File
      BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - No File
      BHO:    <NO NAME> - No File
      BHO:    NoExplorer - No File
      urun: [ctfmon.exe] c:\WINDOWS\system32\ctfmon.exe
      mrun: [Apoint] c:\Program Files\Apoint2K\Apoint.exe
      mrun: [hpWirelessAssistant] c:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      mrun: [ISTray] "c:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
      mrun: [PCTools FGuard] c:\Program Files\PC Tools Security\BDT\FGuard.exe
      .
      ie: SteelWerX Registry Console Tool 2.0
      ie: Written by Bobbi Flekman 2006 (C)
      .
      ie: HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext
      .
      ie: SteelWerX Registry Console Tool 2.0
      ie: Written by Bobbi Flekman 2006 (C)
      .
      ie: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions
      .
      ie: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{DDE87865-83C5-48c4-8357-2F5B1AA84522}
      ie:    Icon - REG_SZ            c:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll,202
      ie:    HotIcon - REG_SZ            c:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll,201
      ie:    Default Visible - REG_SZ            Yes
      ie:    ButtonText - REG_SZ            Show or hide HP Smart Web Printing
      .
      ie: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
      ie:    MenuText - REG_SZ            @xpsp3res.dll,-20001
      ie:    Exec - REG_SZ            %windir%\Network Diagnostic\xpnetdiag.exe
      .
      ie: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
      ie:    ButtonText - REG_SZ            Messenger
      ie:    Default Visible - REG_SZ            Yes
      ie:    Exec - REG_SZ            c:\Program Files\Messenger\msmsgs.exe
      ie:    HotIcon - REG_SZ            c:\Program Files\Messenger\msmsgs.exe,302
      ie:    Icon - REG_SZ            c:\Program Files\Messenger\msmsgs.exe,301
      ie:    MenuText - REG_SZ            Windows Messenger
      ie:    ToolTip - REG_SZ            Windows Messenger
      IE:    CLSID - REG_SZ            {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
      IE:    ClsidExtension - REG_SZ            {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {dde87865-83c5-48c4-8357-2f5b1aa84522}\inprocserver32 does not exist!
      IE:    CLSID - REG_SZ            {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
      IE:    CLSID - REG_SZ            {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
      .
      .
      ..
      .
      .
         https   REG_DWORD         2 (0x2)
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{03F998B2-0E00-11D3-A498-00104B6EB52E}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{03F998B2-0E00-11D3-A498-00104B6EB52E}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{03F998B2-0E00-11D3-A498-00104B6EB52E}\DownloadInformation
         CODEBASE   REG_SZ            http://components.metastream.com/MTSInstallers/MetaStream3.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Files\MetaStream3.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{03F998B2-0E00-11D3-A498-00104B6EB52E}\InstalledVersion
         <NO NAME>   REG_SZ            3,5,0,13
         LastModified   REG_SZ            Fri, 05 Jan 2007 15:32:16 GMT
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}\Contains\Files
         c:\WINDOWS\system32\unicows.dll   REG_SZ           
         c:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}\DownloadInformation
         CODEBASE   REG_SZ            http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Files\PhotoUploader5.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}\InstalledVersion
         <NO NAME>   REG_SZ            5,5,8,0
         LastModified   REG_SZ            Mon, 02 Feb 2009 02:05:22 GMT
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation
         CODEBASE   REG_SZ            http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Filese\swdir.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}\InstalledVersion
         <NO NAME>   REG_SZ            11,0,3,472
         LastModified   REG_SZ            Fri, 16 Jan 2009 11:50:18 GMT
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
         Installer   REG_SZ            MSICD
         SystemComponent   REG_DWORD         0 (0x0)
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\Contains\Files
         c:\Program Files\Yahoo!\Commone\Yinsthelper.dll   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\DownloadInformation
         CODEBASE   REG_SZ            c:\Program Files\Yahoo!\Commone\Yinsthelper.dll
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\InstalledVersion
         LastModified   REG_SZ           
         <NO NAME>   REG_SZ            2007,3,15,1
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{73ECB3AA-4717-450C-A2AB-D00DAD9EE203}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{73ECB3AA-4717-450C-A2AB-D00DAD9EE203}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{73ECB3AA-4717-450C-A2AB-D00DAD9EE203}\DownloadInformation
         CODEBASE   REG_SZ            http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Filese\setup.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{73ECB3AA-4717-450C-A2AB-D00DAD9EE203}\InstalledVersion
         <NO NAME>   REG_SZ            9,7,2,0
         LastModified   REG_SZ            Tue, 07 Apr 2009 22:55:29 GMT
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8100D56A-5661-482C-BEE8-AFECE305D968}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8100D56A-5661-482C-BEE8-AFECE305D968}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8100D56A-5661-482C-BEE8-AFECE305D968}\Contains\Files
         c:\WINDOWS\system32e\unicows.dll   REG_SZ           
         c:\WINDOWS\Downloaded Program Filese\PhotoUploader55.ocx   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8100D56A-5661-482C-BEE8-AFECE305D968}\DownloadInformation
         CODEBASE   REG_SZ            http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Filese\PhotoUploader55.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8100D56A-5661-482C-BEE8-AFECE305D968}\InstalledVersion
         <NO NAME>   REG_SZ            5,5,8,1
         LastModified   REG_SZ            Mon, 16 Nov 2009 02:06:31 GMT
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
         <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation
         CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
         INF   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InstalledVersion
         <NO NAME>   REG_SZ            1.6.0.24
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{A44B714B-EE0F-453E-9300-A69B321FEF6C}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{A44B714B-EE0F-453E-9300-A69B321FEF6C}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{A44B714B-EE0F-453E-9300-A69B321FEF6C}\Contains\Files
         c:\WINDOWS\system32e\msvcrt.dll   REG_SZ           
         c:\WINDOWS\system32e\mfc42.dll   REG_SZ           
         c:\WINDOWS\system32e\olepro32.dll   REG_SZ           
         c:\WINDOWS\Downloaded Program Filese\MaxisSimsFamilyTeleX.ocx   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{A44B714B-EE0F-453E-9300-A69B321FEF6C}\DownloadInformation
         CODEBASE   REG_SZ            http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Filese\MaxisSimsFamilyTeleX.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{A44B714B-EE0F-453E-9300-A69B321FEF6C}\InstalledVersion
         <NO NAME>   REG_SZ            1,0,0,13
         LastModified   REG_SZ            Tue, 02 Mar 2004 03:02:45 GMT
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
         <NO NAME>   REG_SZ            Java Runtime Environment 1.5.0
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\DownloadInformation
         CODEBASE   REG_SZ            http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
         INF   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\InstalledVersion
         <NO NAME>   REG_SZ            1.5.0.4
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
         <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\DownloadInformation
         CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
         INF   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\InstalledVersion
         <NO NAME>   REG_SZ            1.6.0.5
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
         <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\DownloadInformation
         CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
         INF   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InstalledVersion
         <NO NAME>   REG_SZ            1.6.0.7
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
         <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\DownloadInformation
         CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
         INF   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\InstalledVersion
         <NO NAME>   REG_SZ            1.6.0.24
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
         <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation
         CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
         INF   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InstalledVersion
         <NO NAME>   REG_SZ            1.6.0.24
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}
         SystemComponent   REG_DWORD         0 (0x0)
         Installer   REG_SZ            MSICD
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Contains
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Contains\Files
         c:\WINDOWS\Downloaded Program Filese\FP_AX_CAB_INSTALLER.exe   REG_SZ           
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation
         CODEBASE   REG_SZ            http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
         INF   REG_SZ            c:\WINDOWS\Downloaded Program Filese\swflash.inf
      .
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\InstalledVersion
         <NO NAME>   REG_SZ            9,0,115,0
      .
      SteelWerX Registry Console Tool 2.0
      Written by Bobbi Flekman 2006 (C)
      .
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
         NameServer   REG_SZ           
      ssodl: wpdshserviceobj - {aaa288ba-9a4c-45b0-95d7-94d524869db5} - c:\WINDOWS\system32e\WPDShServiceObj.dll
      .
      SteelWerX Registry Console Tool 2.0
      .
      HKEY_CLASSES_ROOT\clsid\{5ae067d3-9afb-48e0-853a-ebb7f4a000da}
         AppID   REG_SZ            {C615554D-7B87-4275-84FF-8E0BA2AD071B}
      .
      « Last Edit: March 29, 2011, 09:59:36 AM by Allan »
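The dump above is Internet Explorer's "code store database": one distribution unit per ActiveX control the browser downloaded, each with the CODEBASE it came from, the installed version and the files it placed on disk. Here is an added Python example, not from the thread or from the SteelWerX tool, that parses that format and makes the checks a reviewer would make on it: controls whose CODEBASE is a local path rather than a download URL, controls fetched over plain http, and the same control name registered under several GUIDs (stale versions left behind by updates). The sample input is a constructed excerpt of three units copied from the dump above.

```python
"""Triage helper for the 'code store database' dump posted above.

Added example, not part of the thread or of any tool it mentions.  It parses
the SteelWerX Registry Console Tool format (key line, indented
'name   TYPE   value' lines, '.' separators) and summarises each ActiveX
distribution unit: display name, CODEBASE origin, version and dropped files.
"""
import re
from collections import defaultdict

# Registry path (lower-cased) where IE records downloaded ActiveX controls.
KEY_PREFIX = ("hkey_local_machine\\software\\microsoft\\code store database"
              "\\distribution units\\")
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)

# Constructed sample: three units copied from the dump in the post above.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\Contains\Files
   c:\Program Files\Yahoo!\Commone\Yinsthelper.dll   REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\DownloadInformation
   CODEBASE   REG_SZ            c:\Program Files\Yahoo!\Commone\Yinsthelper.dll
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\InstalledVersion
   <NO NAME>   REG_SZ            2007,3,15,1
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
   <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\DownloadInformation
   CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\InstalledVersion
   <NO NAME>   REG_SZ            1.6.0.5
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
   <NO NAME>   REG_SZ            Java Runtime Environment 1.6.0
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\DownloadInformation
   CODEBASE   REG_SZ            http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\InstalledVersion
   <NO NAME>   REG_SZ            1.6.0.24
.
"""


def parse_code_store(text):
    """Return {GUID: info} from a SteelWerX-style dump of the key."""
    units = defaultdict(lambda: {"name": "", "codebase": "", "version": "", "files": []})
    guid, subkey = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.lower().startswith(KEY_PREFIX):      # key line: switch unit/subkey
            m = GUID_RE.search(line)
            guid = m.group(0).upper() if m else None
            subkey = line[m.end():].strip("\\").lower() if m else ""
            if guid:
                units[guid]                          # register unit even without values
            continue
        if guid is None:
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)     # name, TYPE, optional value
        name, value = parts[0], (parts[2] if len(parts) > 2 else "")
        u = units[guid]
        if subkey == "" and name == "<NO NAME>":
            u["name"] = value
        elif subkey == "downloadinformation" and name == "CODEBASE":
            u["codebase"] = value
        elif subkey == "installedversion" and name == "<NO NAME>":
            u["version"] = value
        elif subkey == "contains\\files":
            u["files"].append(name)                  # file dropped by the control
    return dict(units)


def _version_key(v):
    return tuple(int(p) for p in re.split(r"[.,]", v) if p.isdigit())


def review(units):
    """Defender-side findings: odd CODEBASE origins and duplicate controls."""
    findings = []
    for guid, u in sorted(units.items()):
        cb = u["codebase"]
        if not cb:
            findings.append(f"{guid}: no CODEBASE recorded")
        elif not cb.lower().startswith(("http://", "https://")):
            findings.append(f"{guid}: CODEBASE is a local path ({cb}), not a download URL")
        elif cb.lower().startswith("http://"):
            findings.append(f"{guid}: CODEBASE fetched over plain http from {cb.split('/')[2]}")
    by_name = defaultdict(list)                      # same display name under several GUIDs
    for u in units.values():
        if u["name"]:
            by_name[u["name"]].append(u["version"])
    for name, versions in by_name.items():
        if len(versions) > 1:
            vs = ", ".join(sorted(versions, key=_version_key))
            findings.append(f"{name}: {len(versions)} distribution units installed "
                            f"(versions {vs}); older ones are likely stale")
    return findings


if __name__ == "__main__":
    for finding in review(parse_code_store(SAMPLE_DUMP)):
        print(finding)
```

Run against the full dump (saved from the log) it produces one line per unit whose origin is unusual plus one per control name that appears more than once; on the excerpt it flags the Yahoo helper as a local CODEBASE, the two Java cabs as plain-http downloads, and the two Java 1.6.0 units as duplicates.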

      SuperDave

      • Malware Removal Specialist

      Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
      « Reply #3 on: March 27, 2011, 01:02:00 PM »
      You can uninstall these: Java(TM) 6 Update 5 and Java(TM) 6 Update 7.

      Please download the newest version of Adobe Acrobat Reader from Adobe.com

      Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
      Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
      Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

      Once old versions are gone, please install the newest version.
      ********************************************
      The log shows that you're running two AV programs on your computer: Spyware Doctor with AntiVirus and Norton AntiVirus. This is a no-no. One will have to go.

      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      and save it to your Desktop.
      It would be easiest to download using Internet Explorer.
      If you insist on using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
      Double click ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click on Yes, to continue scanning for malware.
      When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

      If you have problems with ComboFix usage, see How to use ComboFix.
      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

      oils65mustang

        Topic Starter

        Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
        « Reply #4 on: March 28, 2011, 01:54:22 AM »
        I removed Java 6 Update 5 and 7.  Removed Norton and kept PC Tools Spyware Doctor.  Adobe X will not install, with an error about being unable to find the sequence for patches.  Presently I am running Adobe Reader 9.4.
        However, the first link for ComboFix says it is a corrupt file and freezes the machine; I did a restart of the computer to get out of it.
        The second link gives an error message that the OS is not compatible, that the computer must have NT or XP.  I am running XP with SP3.  I am stuck here for now. I ensured that all windows were closed and the antivirus was shut down.

        SuperDave

        • Malware Removal Specialist

        Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
        « Reply #5 on: March 28, 2011, 12:58:12 PM »
        Please try downloading it on another computer and transfer it to the affected computer using this method.
        If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
        Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

        oils65mustang

          Topic Starter

          Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
          « Reply #6 on: March 29, 2011, 09:12:13 AM »
          I'll do that, but it will be a few days until I can get access to another computer.  Thanks.

          oils65mustang

            Topic Starter

            Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
            « Reply #7 on: April 09, 2011, 04:25:07 PM »
            Finally.  I ran ComboFix and here are the results.  It did notify me via a pop-up window that it detected a rootkit.

            ComboFix 11-04-07.08 - Earl Young 04/09/2011  14:33:06.1.1 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.710 [GMT -7:00]
            Running from: c:\documents and settings\Earl Young\My Documents\Downloads\ix.exe
            AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\documents and settings\Earl Young\Application Data\Adobe\plugs
            c:\documents and settings\Earl Young\WINDOWS
            c:\windows\system32\pthreadVC.dll
            .
            Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
            Restored copy from - Kitty had a snack :p
            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            -------\Legacy_NPF
            .
            .
            (((((((((((((((((((((((((   Files Created from 2011-03-09 to 2011-04-09  )))))))))))))))))))))))))))))))
            .
            .
            2011-04-09 20:43 . 2011-04-09 20:45   --------   d-----w-   C:\ix
            2011-04-09 06:10 . 2011-04-09 21:01   --------   d-----w-   c:\documents and settings\Earl Young\Application Data\Uniblue
            2011-04-09 06:10 . 2011-04-09 21:01   --------   d-----w-   c:\program files\Uniblue
            2011-04-09 06:10 . 2011-04-09 06:10   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
            2011-04-09 06:09 . 2011-04-09 06:09   --------   d-----w-   c:\documents and settings\Earl Young\Local Settings\Application Data\PackageAware
            2011-04-09 05:18 . 2011-04-09 05:18   --------   d-----w-   c:\program files\iPod
            2011-04-09 05:17 . 2011-04-09 05:20   --------   d-----w-   c:\program files\iTunes
            2011-04-09 05:07 . 2011-04-09 05:07   --------   d-----w-   c:\program files\Bonjour
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
            2011-04-09 05:04 . 2011-04-09 05:04   159744   ----a-w-   c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
            2011-04-09 05:03 . 2011-04-09 05:04   --------   d-----w-   c:\program files\QuickTime
            2011-04-09 04:50 . 2011-04-09 04:50   --------   d-----w-   c:\program files\Common Files\xing shared
            2011-04-03 23:50 . 2011-04-03 23:50   --------   d-----w-   c:\documents and settings\Earl Young\Application Data\PCTools
            2011-04-03 21:38 . 2011-04-03 21:38   --------   d-----w-   c:\program files\Microsoft Windows OneCare Live
            2011-04-03 21:25 . 2011-04-03 21:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinMaximizer
            2011-04-03 19:22 . 2011-04-03 19:22   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
            2011-03-28 18:56 . 2011-03-28 18:56   --------   d-----w-   c:\program files\RemoveReg
            2011-03-28 17:56 . 2011-03-28 17:56   --------   d-----w-   c:\documents and settings\Earl Young\Application Data\ElevatedDiagnostics
            2011-03-25 00:11 . 2011-03-25 00:11   388096   ----a-r-   c:\documents and settings\Earl Young\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
            2011-03-25 00:11 . 2011-03-25 00:11   --------   d-----w-   c:\program files\Trend Micro
            2011-03-24 23:27 . 2011-03-24 23:27   --------   d-----w-   c:\documents and settings\Earl Young\Application Data\Malwarebytes
            2011-03-24 23:27 . 2010-12-21 01:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2011-03-24 23:26 . 2011-03-24 23:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
            2011-03-24 23:26 . 2011-03-24 23:27   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2011-03-24 23:26 . 2010-12-21 01:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2011-03-24 02:34 . 2011-03-24 02:34   --------   d-----w-   c:\documents and settings\Earl Young\Application Data\SUPERAntiSpyware.com
            2011-03-24 02:34 . 2011-03-24 02:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
            2011-03-24 02:33 . 2011-03-24 02:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2011-03-23 04:06 . 2011-03-23 04:06   --------   d-----w-   c:\program files\CCleaner
            2011-03-23 03:52 . 2011-03-23 03:52   --------   d-----w-   c:\program files\ACW
            2011-03-17 23:33 . 2011-03-17 23:33   --------   d-----w-   c:\documents and settings\Earl Young\Local Settings\Application Data\Threat Expert
            2011-03-17 18:27 . 2010-12-31 16:36   69392   ----a-w-   c:\windows\system32\drivers\TfSysMon.sys
            2011-03-17 18:27 . 2010-12-31 16:36   33552   --s---w-   c:\windows\system32\drivers\TfNetMon.sys
            2011-03-17 18:27 . 2010-12-31 16:36   51984   ----a-w-   c:\windows\system32\drivers\TfFsMon.sys
            2011-03-17 17:54 . 2011-01-07 21:54   767952   ----a-w-   c:\windows\BDTSupport.dll
            2011-03-17 17:54 . 2011-01-07 21:54   149456   ----a-w-   c:\windows\SGDetectionTool.dll
            2011-03-17 17:54 . 2011-01-07 21:54   1533904   ----a-w-   c:\windows\PCTBDRes.dll
            2011-03-17 17:54 . 2011-01-07 21:54   2000848   ----a-w-   c:\windows\PCTBDCore.dll
            2011-03-17 17:50 . 2010-07-16 21:59   656320   ----a-w-   c:\windows\system32\drivers\pctEFA.sys
            2011-03-17 17:50 . 2010-07-16 21:59   338880   ----a-w-   c:\windows\system32\drivers\pctDS.sys
            2011-03-17 17:50 . 2011-01-17 16:10   251560   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
            2011-03-17 17:50 . 2010-12-10 23:57   160448   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
            2011-03-17 17:50 . 2010-12-10 20:24   239168   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
            2011-03-17 17:50 . 2010-12-16 15:46   70536   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
            2011-03-17 17:49 . 2011-04-09 20:35   --------   d-----w-   c:\program files\PC Tools Security
            2011-03-17 17:49 . 2011-03-17 17:55   --------   d-----w-   c:\program files\Common Files\PC Tools
            2011-03-17 17:48 . 2011-03-17 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
            2011-03-17 02:46 . 2011-02-03 04:40   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2011-03-17 02:44 . 2011-03-17 02:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
            2011-03-16 21:48 . 2011-03-17 00:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\STOPzilla!
            2011-03-16 20:18 . 2011-03-16 20:18   105472   --sha-r-   c:\windows\system32\nethv.dll
            2011-03-16 20:18 . 2011-03-16 20:18   105472   --sha-r-   c:\windows\system32\msvcrt203.dll
            2011-03-12 19:28 . 2011-03-12 19:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2011-04-09 04:49 . 2008-04-05 16:29   348160   ----a-w-   c:\windows\system32\msvcr71.dll
            2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
            2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
            2011-02-03 02:19 . 2008-04-05 22:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2011-02-02 07:58 . 2008-04-05 16:22   2067456   ----a-w-   c:\windows\system32\mstscax.dll
            2011-01-27 11:57 . 2008-04-05 16:22   677888   ----a-w-   c:\windows\system32\mstsc.exe
            2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
            .
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
            "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
            "PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
            .
            c:\documents and settings\Administrator\Start Menu\Programs\Startup\
            AutoTBar.exe [2003-9-30 57344]
            .
            c:\documents and settings\Default User\Start Menu\Programs\Startup\
            AutoTBar.exe [2003-9-30 57344]
            .
            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
            "NoSetTaskbar"= 1 (0x1)
            "NoCommonGroups"= 1 (0x1)
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
            backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
            backup=c:\windows\pss\DVD Check.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
            backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
            backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
            backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
            backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
            backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^Earl Young^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
            path=c:\documents and settings\Earl Young\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
            backup=c:\windows\pss\Yahoo! Widgets.lnkStartup
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
            2010-09-21 06:07   932288   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
            2011-01-31 08:44   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
            2005-04-13 10:12   88209   -c--a-r-   c:\windows\AGRSMMSG.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
            2010-12-15 00:17   47904   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
            2005-03-29 22:45   233534   -c--a-w-   c:\program files\HPQ\Default Settings\Cpqset.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
            2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
            2004-12-03 21:24   290816   ----a-w-   c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
            2007-01-13 16:47   163840   -c--a-w-   c:\windows\system32\hkcmd.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
            2011-02-18 21:49   49208   ----a-w-   c:\program files\Hp\HP Software Update\hpwuschd2.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
            2007-01-13 16:47   131072   -c--a-w-   c:\windows\system32\igfxtray.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
            2004-08-04 12:00   208952   -c--a-w-   c:\windows\ime\IMJP8_1\imjpmig.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
            2005-08-11 22:30   81920   -c--a-w-   c:\program files\Common Files\InstallShield\UpdateService\issch.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
            2011-03-07 22:33   421160   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
            2008-04-14 00:12   1695232   -csha-w-   c:\program files\Messenger\msmsgs.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
            2004-08-04 12:00   59392   -c--a-w-   c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
            2007-01-13 16:46   135168   -c--a-w-   c:\windows\system32\igfxpers.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
            2004-08-04 12:00   455168   -c--a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
            2004-08-04 12:00   455168   -c--a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            2010-11-30 00:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
            2004-08-06 16:27   860160   -c--a-w-   c:\program files\Analog Devices\SoundMAX\SMax4.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
            2004-10-14 17:11   1388544   -c--a-w-   c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
            2010-10-29 21:49   249064   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
            2011-04-09 04:49   273544   ----a-w-   c:\program files\Real\realplayer\Update\realsched.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
            2007-10-26 23:42   509224   -c--a-w-   c:\progra~1\Yahoo!\YOP\yop.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
            "MDM"=2 (0x2)
            "idsvc"=3 (0x3)
            "gusvc"=2 (0x2)
            "gupdate1c9d4ffa8c0ace"=2 (0x2)
            "BITS"=3 (0x3)
            "YPCService"=3 (0x3)
            "WMPNetworkSvc"=3 (0x3)
            "rpcapd"=2 (0x2)
            "iPod Service"=3 (0x3)
            "IntuitUpdateService"=2 (0x2)
            "Bonjour Service"=2 (0x2)
            "Apple Mobile Device"=2 (0x2)
            "TapiSrv"=2 (0x2)
            "RasAuto"=3 (0x3)
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\WINDOWS\\system32\\sessmgr.exe"=
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\WINDOWS\\LMI7.tmp\\lmi_rescue.exe"=
            "c:\\WINDOWS\\system32\\mmc.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
            "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
            "c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
            "c:\\Program Files\\Hp\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
            "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
            "c:\\Documents and Settings\\Earl Young\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            .
            R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/17/2011 10:50 AM 239168]
            R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [3/17/2011 10:50 AM 338880]
            R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [3/17/2011 10:50 AM 656320]
            R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/17/2011 11:27 AM 51984]
            R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/17/2011 11:27 AM 69392]
            R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/17/2011 10:50 AM 251560]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
            R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [3/17/2011 10:54 AM 247760]
            S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
            S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [3/17/2011 10:50 AM 70536]
            S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [3/17/2011 10:49 AM 366840]
            S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/17/2011 11:27 AM 33552]
            S3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]
            S4 gupdate1c9d4ffa8c0ace;Google Update Service (gupdate1c9d4ffa8c0ace);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 6:46 PM 133104]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
            HPService   REG_MULTI_SZ      HPSLPSVC
            hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2011-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
            .
            2011-04-09 c:\windows\Tasks\Google Software Updater.job
            - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-08 14:13]
            .
            2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 01:46]
            .
            2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 01:46]
            .
            2011-04-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-527237240-839522115-1003.job
            - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
            .
            2011-04-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-527237240-839522115-1003.job
            - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
            .
            2011-04-09 c:\windows\Tasks\RegistryBooster.job
            - c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-03-14 15:31]
            .
            2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{75FA182C-8F30-4A23-AF0A-4600A03317E7}.job
            - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.bing.com/
            uInternet Settings,ProxyOverride = *.local
            LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
            Trusted Zone: intuit.com\ttlc
            .
            - - - - ORPHANS REMOVED - - - -
            .
            WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
            MSConfigStartUp-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
            MSConfigStartUp-Dell AIO Printer A960 - c:\program files\Dell AIO Printer A960\dlbfbmgr.exe
            MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
            MSConfigStartUp-Google Update - c:\documents and settings\Earl Young\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
            MSConfigStartUp-Home Theater SchSvr - c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe
            MSConfigStartUp-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
            MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
            MSConfigStartUp-msupdate - msupdate.exe
            MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
            MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
            MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
            MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
            MSConfigStartUp-SpeedUpMyPC - c:\program files\Uniblue\SpeedUpMyPC\launcher.exe
            MSConfigStartUp-WatchDog - c:\program files\InterVideo\DVD Check\DVDCheck.exe
            MSConfigStartUp-WINREMOTE - c:\program files\InterVideo\Common\Bin\WinRemote.exe
            MSConfigStartUp-winupdate - c:\windows\system32\winupdate.exe
            MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2011-04-09 14:47
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
            @Denied: (A 2) (Everyone)
            @="FlashBroker"
            "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
            "Enabled"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
            @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
            @Denied: (A 2) (Everyone)
            @="IFlashBroker4"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
            @="{00020424-0000-0000-C000-000000000046}"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
            "Version"="1.0"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'winlogon.exe'(592)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            .
            - - - - - - - > 'lsass.exe'(652)
            c:\program files\common files\pc tools\lsp\pctlsp.dll
            .
            - - - - - - - > 'explorer.exe'(1296)
            c:\windows\system32\WININET.dll
            c:\windows\IME\SPGRMR.DLL
            c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL
            c:\windows\system32\ieframe.dll
            c:\windows\system32\mshtml.dll
            c:\windows\system32\msls31.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\windows\system32\LEXBCES.EXE
            c:\windows\system32\LEXPPS.EXE
            c:\windows\system32\rundll32.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Analog Devices\SoundMAX\SMAgent.exe
            c:\program files\Apoint2K\Apntex.exe
            c:\program files\HPQ\shared\hpqwmi.exe
            .
            **************************************************************************
            .
            Completion time: 2011-04-09  14:53:14 - machine was rebooted
            ComboFix-quarantined-files.txt  2011-04-09 21:53
            .
            Pre-Run: 70,082,318,336 bytes free
            Post-Run: 70,210,154,496 bytes free
            .
            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
            .
            - - End Of File - - A58F837F4034E37E1143997FA232467B

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 996
            • Certifications: List
            • Experience: Expert
            • OS: Windows 8
            Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
            « Reply #8 on: April 09, 2011, 05:43:55 PM »
            Do you know what this program is for? c:\program files\RemoveReg

            Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
            RegistryBooster
There are a number of them available and some are safer than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

            For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

            Further reading: XP Fixes Myth #1: Registry Cleaners
            *********************************************
            SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
            Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

            oils65mustang

              Topic Starter


              Greenhorn

              • Experience: Beginner
              • OS: Unknown
              Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
              « Reply #9 on: April 10, 2011, 09:01:43 AM »
Here is the SysProt info.


              SysProt AntiRootkit v1.0.1.0
              by swatkat

              ******************************************************************************************
              ******************************************************************************************

              No Hidden Processes found

              ******************************************************************************************
              ******************************************************************************************
              No Hidden Kernel Modules found

              ******************************************************************************************
              ******************************************************************************************
              No SSDT Hooks found

              ******************************************************************************************
              ******************************************************************************************
              No Kernel Hooks found

              ******************************************************************************************
              ******************************************************************************************
              No hidden files/folders found

              SuperDave

              Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
              « Reply #10 on: April 10, 2011, 11:38:44 AM »
              I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

              oils65mustang

                Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
                « Reply #11 on: April 10, 2011, 09:07:50 PM »
                Here are the results of the ESET online scan.

                C:\Program Files\Uniblue\RegistryBooster\Launcher.exe   Win32/RegistryBooster application
                C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe   Win32/RegistryBooster application
                C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe   Win32/RegistryBooster application
                C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe   Win32/RegistryBooster application
                C:\Program Files\Uniblue\RegistryBooster\rb_ubm.exe   Win32/RegistryBooster application
                C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe   Win32/RegistryBooster application
                C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir   Win32/Olmarik.ZC trojan
                C:\System Volume Information\_restore{5A0753A0-D8CA-46AB-AEDA-A14419D7203F}\RP25\A0015506.exe   Win32/SpeedUpMyPC application
                C:\System Volume Information\_restore{5A0753A0-D8CA-46AB-AEDA-A14419D7203F}\RP25\A0015507.exe   Win32/SpeedUpMyPC application
                C:\System Volume Information\_restore{5A0753A0-D8CA-46AB-AEDA-A14419D7203F}\RP25\A0015508.exe   Win32/SpeedUpMyPC application
                C:\System Volume Information\_restore{5A0753A0-D8CA-46AB-AEDA-A14419D7203F}\RP25\A0015509.exe   Win32/SpeedUpMyPC application
                C:\System Volume Information\_restore{5A0753A0-D8CA-46AB-AEDA-A14419D7203F}\RP25\A0015510.exe   Win32/SpeedUpMyPC application
                C:\System Volume Information\_restore{5A0753A0-D8CA-46AB-AEDA-A14419D7203F}\RP25\A0015629.sys   Win32/Olmarik.ZC trojan
                Operating memory   Win32/RegistryBooster application
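
The ESET result lines above, as an added example that is not part of this thread or of ESET's own tooling: a small Python parser that buckets each detection by where it lives. Paths under C:\Qoobox\Quarantine (ComboFix's quarantine folder) and under System Volume Information\_restore{...} (System Restore points) are stored copies that do not execute; they go away when ComboFix is removed and System Restore is flushed, which is what the cleanup later in the thread does. Entries under Program Files and in "Operating memory" are the ones still live and worth acting on first. The sample lines, GUID and file names inside the block are constructed placeholders, not the thread's own findings.

```python
"""Triage ESET Online Scanner result lines by the location of each detection.

Added example (not from the forum thread and not ESET's own code). Each ESET
log line has the form  "<path><two or more spaces or a tab><threat name>",
where the last word of the threat name is its type (application, trojan, ...).
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "path threat category location")

# Constructed sample input modelled on the format of the lines posted above.
# Placeholder GUID and file names only; these are not real indicators.
SAMPLE_LOG = """\
C:\\Program Files\\ExampleTool\\launcher.exe   Win32/ExampleTool application
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\example.sys.vir   Win32/ExampleTrojan.A trojan
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP25\\A0000001.exe   Win32/ExampleTool application
Operating memory   Win32/ExampleTool application
"""

# Locations that hold stored copies rather than code that can run:
# ComboFix's quarantine folder (files renamed with a .vir suffix) and
# System Restore point folders.
QUARANTINE_RE = re.compile(r"\\Qoobox\\Quarantine\\|\.vir$", re.IGNORECASE)
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE
)

# Buckets whose contents are still live on the machine.
LIVE_LOCATIONS = {"memory", "on_disk"}


def classify_location(path):
    """Return one of: memory, quarantine, restore_point, on_disk."""
    if path.strip().lower() == "operating memory":
        return "memory"
    if QUARANTINE_RE.search(path):
        return "quarantine"
    if RESTORE_POINT_RE.search(path):
        return "restore_point"
    return "on_disk"


def parse_line(line):
    """Parse a single ESET result line; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    # The path itself may contain single spaces ("Program Files"), so split
    # only on a tab or a run of two or more spaces, and only once.
    parts = re.split(r"\t+|\s{2,}", line, maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"unrecognised ESET line: {line!r}")
    path, threat = parts
    category = threat.rsplit(" ", 1)[-1].lower()
    return Detection(path, threat, category, classify_location(path))


def parse_log(text):
    """Parse a whole ESET log into a list of Detection records."""
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def summarize(detections):
    """Return (count per location, detections that are still live)."""
    counts = Counter(d.location for d in detections)
    live = [d for d in detections if d.location in LIVE_LOCATIONS]
    return counts, live


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    counts, live = summarize(found)
    for location, n in sorted(counts.items()):
        print(f"{location:14s} {n}")
    print("still live:")
    for d in live:
        print(f"  [{d.category}] {d.path}  ({d.threat})")
```

Running the block on the constructed sample reports one detection in each bucket and lists the on-disk and in-memory ones as still live; the quarantine and restore-point hits are inert copies that the later cleanup steps (removing ComboFix, turning System Restore off and on) dispose of.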

                SuperDave

                Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
                « Reply #12 on: April 11, 2011, 12:36:06 PM »
                Please run ESET again and fix the infections.

                oils65mustang

                  Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
                  « Reply #13 on: April 12, 2011, 10:31:28 PM »
                  Ran ESET again and it found no infections.  I believe that the problem is solved.  Thank you.

                  SuperDave

                  Re: Malware on MS Explorer, Google Chrome, Foxfire but not Safari
                  « Reply #14 on: April 13, 2011, 11:47:09 AM »
                  Ok. If there are no other problems, let's do some cleanup.

                  You can uninstall ComboFix. I believe you saved it here: c:\documents and settings\Earl Young\My Documents\Downloads\ix.exe
                  If you can't uninstall it by going to Control Panel, Add/Remove programs just delete it.


                  To turn off Windows XP System Restore:

                  NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

                  1. Click Start.
                  2. Right-click the My Computer icon, and then click Properties.
                  3. Click the System Restore tab.
                  4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
                  5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                  7. Click OK.
                  8. Restart the computer and follow the instructions in the next section to turn on System Restore.

                  To turn on Windows XP System Restore:

                  1. Click Start.
                  2. Right-click My Computer, and then click Properties.
                  3. Click the System Restore tab.
                  4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
                  5. Click Apply, and then click OK.
                  *******************************************
                  Looking over your log it seems you don't have any evidence of a third party firewall.

                  Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember, only install ONE firewall.

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
                  2) Online Armor
                  3) Agnitum Outpost
                  4) PC Tools Firewall Plus

                  If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
                  **********************************************
                  Clean out your temporary internet files and temp files.

                  Download TFC by OldTimer to your desktop.

                  Double-click TFC.exe to run it.

                  Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                  TFC will close all programs when run, so make sure you have saved all your work before you begin.

                  * Click the Start button to begin the cleaning process.
                  * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                  * Please let TFC run uninterrupted until it is finished.

                  Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                  ********************************************
                  Use the Secunia Software Inspector to check for out of date software.

                  •Click Start Now

                  •Check the box next to Enable thorough system inspection.

                  •Click Start

                  •Allow the scan to finish and scroll down to see if any updates are needed.
                  •Update anything listed.
                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                  Safe Surfing!