
I can't remove rootkit bubnix + agent


noot


I run Windows Vista SP2...

These two rootkits are difficult to remove... Malwarebytes detects them but when I do a reboot and a rescan, they show up again.

rootkit.bubnix

C:\Windows\system32\Drivers\phqufdrd.sys

rootkit.agent

C:\Windows\system32\Drivers\str.sys

Here's the HJT report:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:22:37 AM, on 9/21/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18943)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Windows\System32\osk.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\DllHost.exe

C:\Users\Michael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKCU\..\Run: [Google Update] "C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 6858 bytes

What do I do now?


Hello noot

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans/Fixes section, paste in the lines below:


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90

    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait until the scanner has finished, then go to File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

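As an added example that is not part of this thread and is not code from Malwarebytes, HijackThis or OTL: a small Python triage script that reads HijackThis/OTL-style log lines like the ones pasted in the opening post and the ones the requested OTL scan produces, and flags the indicators a helper looks at first. The rules are: a browser proxy pointing at 127.0.0.1, an AppCertDlls entry, a kernel driver in system32\drivers that OTL reports with an empty vendor string, a service with "Unknown owner", UAC disabled (EnableLUA = 0), and orphaned entries whose file is gone. The rule names, severities and the `Finding` class are my own choices; the sample lines are copied from the log formats in this thread plus a couple of clean lines for contrast, and the script runs offline on that embedded sample.

```python
"""Triage HijackThis / OTL log lines for the indicators this thread turns on.

Added example, not code from the thread or from the tools it mentions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: a handful of lines copied from the log formats in this thread
# (HijackThis R/O lines, OTL FF/DRV/file lines) plus clean lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O36 - AppCertDlls: DWWIstrB - (C:\Windows\system32\p2phfmon.dll) - C:\Windows\System32\p2phfmon.dll ()
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 55878
DRV - (SymIMMP) -- C:\Windows\System32\DRIVERS\SymIM.sys File not found
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
[2010/09/21 15:25:14 | 000,585,504 | ---- | M] () -- C:\Windows\System32\drivers\phqufdrd.sys
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "low"
    rule: str
    line: str


# (rule name, severity, pattern). Names and severities are this example's own choices.
RULES = [
    # Browser proxy pointed at the local host: traffic is funnelled through a process
    # on this machine (IE's ProxyServer value and Firefox's prefs.js key).
    ("localhost-proxy", "high",
     re.compile(r'ProxyServer = \S*127\.0\.0\.1:\d+|network\.proxy\.http: "127\.0\.0\.1"')),
    # AppCertDlls are loaded into every process that calls CreateProcess;
    # very rarely legitimate on a home PC.
    ("appcertdll", "high", re.compile(r"^O36 - AppCertDlls:")),
    # OTL prints the file's company name in trailing parentheses; "()" on a
    # kernel driver means the binary carries no vendor/version information at all.
    ("driver-no-vendor", "high",
     re.compile(r"\(\) -- .*\\drivers\\[^\\]+\.sys$", re.IGNORECASE)),
    ("service-unknown-owner", "medium", re.compile(r"^O23 - Service: .* - Unknown owner - ")),
    ("uac-disabled", "medium", re.compile(r"EnableLUA = 0$")),
    # Registry entries whose target file is gone: leftovers to clean, not active code.
    ("orphan-entry", "low",
     re.compile(r"\((no file|file missing)\)|No CLSID value found|File not found$")),
]


def triage(log_text: str) -> list[Finding]:
    """Apply every rule to every non-empty line; one line can yield several findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, name, line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per severity."""
    return dict(Counter(f.severity for f in findings))


def proxy_ports(log_text: str) -> list[int]:
    """Local proxy ports referenced anywhere in the log (IE value and Firefox prefs)."""
    ports = set()
    for m in re.finditer(r"127\.0\.0\.1:(\d+)|network\.proxy\.http_port: (\d+)", log_text):
        ports.add(int(m.group(1) or m.group(2)))
    return sorted(ports)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(found, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.rule:22} {f.line[:90]}")
    print("summary:", summary(found), "local proxy ports:", proxy_ports(SAMPLE_LOG))
```

Two caveats when reading the output against the logs in this thread. First, both browsers show the proxy configured but switched off (IE "ProxyEnable" = 0, Firefox network.proxy.type: 0), so the localhost-proxy rule is telling you the settings were tampered with, not that interception is live right now. Second, a 127.0.0.1 port is served by a process on the same machine, so the natural next step is to find the listener (for example with netstat -ano) and tie the PID back to a file, rather than just deleting the proxy value.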

Here's OTL.txt...

OTL logfile created on: 9/21/2010 3:24:20 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Michael\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18943)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 137.59 Gb Total Space | 81.95 Gb Free Space | 59.56% Space Free | Partition Type: NTFS

Drive D: | 11.46 Gb Total Space | 2.00 Gb Free Space | 17.46% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MICHAEL-PC

Current User Name: Michael

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Michael\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Users\Michael\Documents\quietHDD\quietHDD.exe ()

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

PRC - C:\Program Files\Apoint2K\hidfind.exe (Alps Electric Co., Ltd.)

========== Modules (SafeList) ==========

MOD - C:\Users\Michael\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Windows\System32\p2phfmon.dll ()

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)

MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)

========== Driver Services (SafeList) ==========

DRV - (SymIMMP) -- C:\Windows\System32\DRIVERS\SymIM.sys File not found

DRV - (SymIM) -- C:\Windows\System32\DRIVERS\SymIM.sys File not found

DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found

DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found

DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found

DRV - (Point32) -- C:\Windows\System32\drivers\point32k.sys (Microsoft Corporation)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (RTSTOR) -- C:\Windows\System32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)

DRV - (NvnUsbAudio) -- C:\Windows\System32\drivers\nvnusbaudio.sys (Novation DMS Ltd.)

DRV - (RTL8023xp) -- C:\Windows\System32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )

DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)

DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)

DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)

DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)

DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)

DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)

DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)

DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)

DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)

DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)

DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)

DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)

DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)

DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)

DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)

DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)

DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)

DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)

DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)

DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)

DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)

DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)

DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)

DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)

DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)

DRV - (NETw3v32) Intel® -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)

DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)

DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)

DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)

DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)

DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)

DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)

DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)

DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)

DRV - (HdAudAddService) -- C:\Windows\System32\drivers\CHDART.sys (Conexant Systems Inc.)

DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)

DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)

DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)

DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)

DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)

DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)

DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)

DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)

DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)

DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)

DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)

DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)

DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)

DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)

DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)

DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)

DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)

DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)

DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)

DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)

DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)

DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)

DRV - (BCM43XV) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)

DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.optimum.net/optonline"

FF - prefs.js..extensions.enabledItems: {7831399D-5ED1-4510-B9DC-FC0284C3C0A7}:1.9.1

FF - prefs.js..extensions.enabledItems: {477D05A1-1B00-49E5-A33A-23530EF50300}:1.9.1

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 55878

FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}: C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}\ [2010/09/21 01:52:53 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{477D05A1-1B00-49E5-A33A-23530EF50300}: C:\Users\Michael\AppData\Local\{477D05A1-1B00-49E5-A33A-23530EF50300} [2010/09/20 21:56:04 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/21 12:11:03 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/21 12:11:03 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/08/12 13:41:55 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/08/17 09:19:41 | 000,000,000 | ---D | M]

[2010/06/23 15:45:48 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Mozilla\Extensions

[2010/06/23 15:45:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010/09/21 12:31:01 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\8b5b9tql.default\extensions

[2010/09/21 12:31:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\8b5b9tql.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/09/21 12:11:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.

O2 - BHO: (HP Print Clips) - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)

O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found

O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.245.130 167.206.245.129

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img8.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img8.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/02/27 03:45:25 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O36 - AppCertDlls: DWWIstrB - (C:\Windows\system32\p2phfmon.dll) - C:\Windows\System32\p2phfmon.dll ()

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - File not found

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/21 15:22:54 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Michael\Desktop\OTL.exe

[2010/09/21 10:21:04 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Michael\Desktop\HijackThis.exe

[2010/09/21 07:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos

[2010/09/20 21:56:04 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{477D05A1-1B00-49E5-A33A-23530EF50300}

[2010/09/20 21:53:52 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2010/09/20 21:47:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software

[2010/09/20 21:47:13 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software

[2010/09/20 18:45:03 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{896686F3-BFD4-4F05-B8E7-F7D3DFA9AE46}

[2010/09/20 16:59:22 | 000,000,000 | ---D | C] -- C:\Windows\IN

[2010/09/20 16:59:10 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{318944FA-1BB4-4224-B661-C8288FEA2D6F}

[2010/09/20 16:47:41 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\SUPERAntiSpyware.com

[2010/09/20 16:47:41 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com

[2010/09/20 16:47:30 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2010/09/20 07:28:49 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}(18)

[2010/09/18 08:14:17 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}

[2010/09/17 14:15:18 | 000,000,000 | -HSD | C] -- C:\ProgramData\System Restore

[2010/09/15 07:06:23 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL

[2010/08/28 10:22:05 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\FireShot

[2010/08/27 23:19:57 | 000,000,000 | ---D | C] -- C:\Users\Michael\Documents\AVS4YOU

[2010/08/26 10:07:51 | 010,915,840 | ---- | C] (Intel Corporation) -- C:\Windows\System32\libmfxhw32.dll

[2010/08/26 10:07:51 | 010,833,920 | ---- | C] (Intel Corporation) -- C:\Windows\System32\libmfxsw32.dll

[2003/06/16 15:17:50 | 004,317,184 | ---- | C] (rgc:audio software) -- C:\Program Files\Triangle II.dll

[2002/12/17 03:00:00 | 000,082,253 | ---- | C] (Jordan Russell) -- C:\Program Files\unins000.exe

========== Files - Modified Within 30 Days ==========

[2010/09/21 15:25:14 | 000,585,504 | ---- | M] () -- C:\Windows\System32\drivers\phqufdrd.sys

[2010/09/21 15:24:35 | 003,145,728 | -HS- | M] () -- C:\Users\Michael\ntuser.dat

[2010/09/21 15:24:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/09/21 15:22:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Michael\Desktop\OTL.exe

[2010/09/21 15:19:01 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-941656785-620473011-2608548256-1000UA.job

[2010/09/21 14:48:50 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/09/21 14:48:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/09/21 14:48:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/09/21 14:48:05 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/09/21 14:47:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/09/21 14:47:54 | 2137,014,272 | -HS- | M] () -- C:\hiberfil.sys

[2010/09/21 14:46:47 | 000,524,288 | -HS- | M] () -- C:\Users\Michael\ntuser.dat{f4381273-e8ca-11dd-8ccd-001eec6c2cf2}.TMContainer00000000000000000001.regtrans-ms

[2010/09/21 14:46:47 | 000,065,536 | -HS- | M] () -- C:\Users\Michael\ntuser.dat{f4381273-e8ca-11dd-8ccd-001eec6c2cf2}.TM.blf

[2010/09/21 14:46:43 | 002,236,673 | -H-- | M] () -- C:\Users\Michael\AppData\Local\IconCache.db

[2010/09/21 14:42:27 | 021,733,808 | ---- | M] () -- C:\Users\Michael\Desktop\TMMP.mp3

[2010/09/21 14:41:53 | 076,749,760 | ---- | M] () -- C:\Users\Michael\Desktop\TJRE.mp3

[2010/09/21 12:19:02 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-941656785-620473011-2608548256-1000Core.job

[2010/09/21 10:21:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Michael\Desktop\HijackThis.exe

[2010/09/21 07:02:59 | 126,421,982 | ---- | M] () -- C:\Users\Michael\Desktop\1'14 - THSS.mp3

[2010/09/20 20:21:54 | 000,000,458 | ---- | M] () -- C:\Users\Michael\AppData\Roaming\wklnhst.dat

[2010/09/18 08:12:36 | 000,047,616 | -H-- | M] () -- C:\Windows\System32\p2phfmon.dll

[2010/09/17 19:56:59 | 000,139,336 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys

[2010/09/17 19:56:46 | 000,214,720 | ---- | M] () -- C:\Windows\System32\PnkBstrB.xtr

[2010/09/16 20:05:14 | 000,039,936 | ---- | M] () -- C:\Users\Michael\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/09/12 07:10:57 | 000,697,560 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2010/09/12 07:10:57 | 000,599,826 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2010/09/12 07:10:57 | 000,103,294 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2010/09/10 19:02:40 | 000,000,038 | ---- | M] () -- C:\Windows\camcodec100.ini

[2010/08/26 10:13:35 | 000,001,808 | ---- | M] () -- C:\Users\Michael\Desktop\AVS Video Editor.lnk

========== Files Created - No Company Name ==========

[2010/09/21 14:42:12 | 021,733,808 | ---- | C] () -- C:\Users\Michael\Desktop\TMMP.mp3

[2010/09/21 14:41:06 | 076,749,760 | ---- | C] () -- C:\Users\Michael\Desktop\TJRE.mp3

[2010/09/21 07:48:40 | 2137,014,272 | -HS- | C] () -- C:\hiberfil.sys

[2010/09/21 06:55:02 | 126,421,982 | ---- | C] () -- C:\Users\Michael\Desktop\1'14 - THSS.mp3

[2010/09/18 08:13:00 | 000,585,504 | ---- | C] () -- C:\Windows\System32\drivers\phqufdrd.sys

[2010/09/18 08:12:36 | 000,047,616 | -H-- | C] () -- C:\Windows\System32\p2phfmon.dll

[2010/09/08 20:20:28 | 000,000,038 | ---- | C] () -- C:\Windows\camcodec100.ini

[2009/12/22 11:38:12 | 000,139,336 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys

[2009/08/07 16:46:07 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009/04/18 20:14:00 | 000,000,126 | ---- | C] () -- C:\Windows\System32\quietHDD.ini

[2008/09/02 16:58:58 | 000,005,972 | ---- | C] () -- C:\Users\Michael\AppData\Local\d3d9caps.dat

[2008/07/28 16:58:00 | 000,039,936 | ---- | C] () -- C:\Users\Michael\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/07/28 16:56:55 | 000,000,458 | ---- | C] () -- C:\Users\Michael\AppData\Roaming\wklnhst.dat

[2008/07/24 13:56:11 | 000,002,206 | ---- | C] () -- C:\Program Files\unins000.dat

[2008/07/20 18:40:15 | 000,000,000 | ---- | C] () -- C:\Users\Michael\AppData\Local\QSwitch.txt

[2008/07/20 18:40:15 | 000,000,000 | ---- | C] () -- C:\Users\Michael\AppData\Local\DSwitch.txt

[2008/07/20 18:40:15 | 000,000,000 | ---- | C] () -- C:\Users\Michael\AppData\Local\AtStart.txt

[2008/05/21 18:08:07 | 000,155,648 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll

[2008/02/27 03:59:45 | 000,000,729 | ---- | C] () -- C:\ProgramData\hpzinstall.log

[2008/02/11 20:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll

[2007/08/20 08:34:08 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1318.dll

[2007/08/20 08:25:00 | 000,910,720 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll

[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2003/06/16 15:23:22 | 000,131,072 | ---- | C] () -- C:\Program Files\T2DXi.dll

[2003/06/03 12:33:38 | 000,090,112 | ---- | C] () -- C:\Program Files\Triangle II.exe

========== LOP Check ==========

[2009/09/15 12:15:48 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\.bsnes

[2010/09/21 12:55:37 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\FileZilla

[2010/08/28 10:22:05 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\FireShot

[2010/09/20 08:33:17 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Gisay

[2008/07/22 18:33:05 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\gtk-2.0

[2008/09/01 20:59:47 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Juce VST Host

[2008/07/20 19:00:47 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\MSNInstaller

[2009/08/15 17:51:56 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\muvee Technologies

[2010/09/20 07:25:50 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Myop

[2009/09/10 15:21:50 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\OpenCandy

[2008/12/06 14:32:18 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Opera

[2008/07/28 16:56:56 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Template

[2010/06/23 15:45:47 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Thunderbird

[2009/12/14 21:26:33 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\UB

[2010/09/21 14:46:58 | 000,032,548 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2008/02/27 03:45:25 | 000,000,074 | ---- | M] () -- C:\autoexec.bat

[2009/04/11 02:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr

[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys

[2010/09/21 14:47:54 | 2137,014,272 | -HS- | M] () -- C:\hiberfil.sys

[2008/02/27 03:22:08 | 000,000,383 | -H-- | M] () -- C:\IPH.PH

[2010/05/09 18:39:16 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt

[2010/09/21 14:47:53 | 2450,804,736 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\*.dll /lockedfiles >

[2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll

[2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

[2009/04/11 02:28:25 | 000,443,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\win32spl.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2008/01/20 23:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV

[2008/01/20 23:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV

[2008/01/20 23:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV

[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV

[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >

[2010/09/21 15:26:40 | 000,585,504 | ---- | M] () -- C:\Windows\System32\drivers\phqufdrd.sys

[2010/09/17 19:56:59 | 000,139,336 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

[2008/01/20 22:23:14 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL

[2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

[2006/10/26 23:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 81 bytes -> C:\Program Files\Cake Poker:MID

< End of report >

Here's Extras.txt...

OTL Extras logfile created on: 9/21/2010 3:24:20 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Michael\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18943)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 137.59 Gb Total Space | 81.95 Gb Free Space | 59.56% Space Free | Partition Type: NTFS

Drive D: | 11.46 Gb Total Space | 2.00 Gb Free Space | 17.46% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MICHAEL-PC

Current User Name: Michael

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"UacDisableNotify" = 0

"InternetSettingsDisableNotify" = 0

"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-941656785-620473011-2608548256-1000]

"EnableNotifications" = 0

"EnableNotificationsRef" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0998FF26-4ECE-4AD8-A80A-E31A150369A5}" = rport=137 | protocol=17 | dir=out | app=system |

"{0FBD07CC-70CC-410F-9DFB-5ABFCE19E6FA}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

"{2ABCC795-C479-49B5-83BE-42EF8BA1E52F}" = lport=138 | protocol=17 | dir=in | app=system |

"{2DECEAEE-F306-49AB-98F4-82B33D3AD115}" = lport=445 | protocol=6 | dir=in | app=system |

"{43B7E658-6FC4-42F3-A6BF-F2FC3EEC2AAC}" = lport=137 | protocol=17 | dir=in | app=system |

"{52232E98-52DB-4DA5-A554-73987804321F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{66ECEE94-2FE6-4A84-BAC8-E3911A4F29CE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{946B4565-1B7B-44AB-A891-6A56A44C7494}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |

"{9B69784E-E973-45B1-A7A0-76CDEA390341}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

"{9FD87443-58A7-4573-936A-28463C8CD6E8}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{AA03AEA2-FD4C-4C31-8F65-9A3E2C862FF1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{AFED80DA-9D0B-4266-AF51-3C964F1C1D40}" = rport=445 | protocol=6 | dir=out | app=system |

"{B2F7F836-5E53-4121-A8CF-36C6F3413A0A}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |

"{BBB7651F-68FE-4EB2-B1BB-30D517CAD988}" = lport=139 | protocol=6 | dir=in | app=system |

"{CD3E53DE-9697-41B4-8698-B060145A328E}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{DC242860-9629-4CF3-B1D7-A35E5DC2EA72}" = rport=139 | protocol=6 | dir=out | app=system |

"{F6D52A15-7D97-4C26-B5DF-3E4AC7E2B4D9}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{F8F08EF8-8EE6-4580-A009-D803DD600F02}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{01CA4C70-B84A-412A-A500-A0FEE55BAFDA}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{07F0ED00-9FD9-4691-ACF1-14513B50A265}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{09EF94DC-ACB8-4E2D-B74E-8A2BD7C9154D}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

"{152A25A7-DCB2-4DE9-8C34-5C9FCC4F3497}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{197F4383-CAD2-4EE7-AB7B-7E221E1B4AEE}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |

"{213F55D8-E4B3-4C71-A10E-648840BF043C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{2A1A24FA-B14A-4329-987E-390D55A05FCC}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{2A5488F6-01D7-497B-B06D-2F5B1613E473}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |

"{2C6D3A93-DF33-47A9-870F-981795654032}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{2D240A1D-933D-4677-9A93-22E9BDA7F034}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |

"{385DA6A1-D6E8-47C4-BAD5-C2E034DA65D2}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{45F90EDF-2826-4017-902F-D2F26BF62255}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{4B9429C0-DA86-4FC2-BDA2-8DBC0A6574C7}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{539695C1-3B0E-4DCC-A752-159AB04F5179}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{551AA842-81B3-446D-800A-D9FB519E677D}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |

"{5E66FD85-E4DD-4282-A960-63A599574477}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{62C88C58-2131-4E5F-A72F-07FA16A0B054}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{69901683-9008-4023-8E5F-E3F0C34AE8DE}" = protocol=6 | dir=in | app=c:\program files\holdem indicator\holdemindicator.exe |

"{6AF0F1B5-901B-49AA-BA43-BD36DD46465E}" = protocol=17 | dir=in | app=c:\program files\holdem indicator\holdemindicator.exe |

"{70C37D40-BB13-4C3F-9637-F9C08D8EBAED}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{797DDE1C-1E13-4A86-A3AF-B40585A65347}" = protocol=6 | dir=in | app=c:\program files\holdem indicator\holdemindicator.exe |

"{809EE854-80A4-474E-8CFF-99831AB34BC9}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |

"{9D6B7519-1520-48FB-AF26-18D4E4DDEB8C}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

"{A86CF7E4-260D-4EC4-A14A-9AA4BC1B2E39}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |

"{B0C1E210-6743-48B6-8893-C1BDCE1A0DE4}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |

"{B3CF36D9-405C-4A85-A083-EAD92E2B16C1}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{BABB9F67-12F4-430C-A97F-5467E9D17955}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |

"{C24E93DB-5693-43E7-A78C-0EE754B290DB}" = protocol=17 | dir=in | app=c:\program files\holdem indicator\holdemindicator.exe |

"{C42F399A-8562-4EF3-8658-83D0BC7E9ED2}" = protocol=6 | dir=in | app=c:\program files\omaha indicator\omahaindicator.exe |

"{CB8E5433-1536-41EA-9D39-63612E2C6842}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{E17D7CBE-EFF4-4297-BBA3-C33EA99909D6}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{FADA3561-4CB6-4B6F-87A2-01A1492B1481}" = protocol=17 | dir=in | app=c:\program files\omaha indicator\omahaindicator.exe |

"{FCC963A6-F572-4057-8F19-8854F6EB8D88}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"TCP Query User{0C627C81-8798-4ABC-AF2E-869E5AA38756}C:\program files\quake3.exe" = protocol=6 | dir=in | app=c:\program files\quake3.exe |

"TCP Query User{335310A2-FE03-4219-86B9-7B081FF71616}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

"TCP Query User{9255BEEA-2205-48BF-9E31-703E49D99179}C:\program files\carbonpoker\client.exe" = protocol=6 | dir=in | app=c:\program files\carbonpoker\client.exe |

"TCP Query User{A39B5F96-3F8A-4FDB-A2B9-5DDAC9AAAF72}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

"UDP Query User{4D4F6527-771D-4A97-852B-0400693D588C}C:\program files\quake3.exe" = protocol=17 | dir=in | app=c:\program files\quake3.exe |

"UDP Query User{815A703F-C7DB-4EAD-A73B-D4DB4E3018B4}C:\program files\carbonpoker\client.exe" = protocol=17 | dir=in | app=c:\program files\carbonpoker\client.exe |

"UDP Query User{D867AAA0-3C87-4115-B673-2D86577B326C}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

"UDP Query User{E3267033-D2FB-47D8-A856-664FD6836143}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1

"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer

"{082F8ABA-84D5-4837-9DFC-F365D91A07D4}" = HP Smart Web Printing

"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime

"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan

"{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library

"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1

"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan

"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player

"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite

"{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget

"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)

"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant

"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check

"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java 6 Update 18

"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program

"{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}" = HP Help and Support

"{2BEB102E-F9CD-4881-984B-E288F66FD394}" = Quake Live Mozilla Plugin

"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java 6 Update 2

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE

"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 B2

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{405ABBEB-8DF1-4174-86C0-DCB5E1C78F14}" = NetDeviceManager

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.6

"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour

"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend

"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver

"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0

"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1

"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin

"{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}" = Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{AFAC914D-9E83-4A89-8ABE-427521C82CCF}" = Safari

"{b02df929-29a7-4fd2-9a70-81a644b635f7}" = HP Total Care Advisor

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support

"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5

"{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements

"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm

"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"{C716522C-3731-4667-8579-40B098294500}" = Toolbox

"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B

"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant

"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D063F201-FAC4-4D5C-B10B-615058ADE5A7}" = HP Update

"{D55D7EE6-3013-47AC-BE71-51AA35A221AB}" = Quake Live Internet Explorer Plugin

"{D7358B07-4F10-4014-9869-7999578BE8ED}" = HP User Guides 0093

"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader

"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1

"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport

"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01

"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software

"{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}" = Microsoft IntelliPoint 7.0

"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer

"{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link

"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo

"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"ASIO4ALL" = ASIO4ALL

"AVS Audio Editor_is1" = AVS Audio Editor version 6.1

"AVS Screen Capture_is1" = AVS Screen Capture version 1.1.2

"AVS Update Manager_is1" = AVS Update Manager 1.0

"AVS Video Editor_is1" = AVS Video Editor 5

"AVS Video Recorder_is1" = AVS Video Recorder 2.4

"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4

"CamStudio" = CamStudio

"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4

"CCleaner" = CCleaner (remove only)

"CNXT_AUDIO_HDA" = Conexant HD Audio

"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP

"Collab" = Collab

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"FileZilla Client" = FileZilla Client 3.3.3

"FL Studio 9" = FL Studio 9

"Hardcore" = Hardcore

"HDD Health_is1" = HDD Health v3.3 Beta

"HDMI" = Intel® Graphics Media Accelerator Driver

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"HP Photosmart Essential" = HP Photosmart Essential 2.5

"HP Smart Web Printing" = HP Smart Web Printing

"HTMLKit_is1" = HTML-Kit

"IL Download Manager" = IL Download Manager

"InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link

"KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Basic)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Maximus" = Maximus

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)

"Mozilla Thunderbird (3.1.2)" = Mozilla Thunderbird (3.1.2)

"MSNINST" = MSN

"Novation USB Audio Driver_is1" = Novation USB Audio Driver 1.2.6

"Omaha Indicator_is1" = Omaha Indicator 1.1.2

"PoiZone" = PoiZone

"PunkBusterSvc" = PunkBuster Services

"Sawer" = Sawer

"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.6

"Toxic Biohazard" = Toxic Biohazard

"TVWiz" = Intel® TV Wizard

"ViewpointMediaPlayer" = Viewpoint Media Player

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

I can't run RKUnhookerLE... I keep getting this error.

Error loading driver, NTSTATUS code: 0xC0000001

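The helper's picks in the replies that follow (phqufdrd.sys, the hidden p2phfmon.dll, the directories under AppData) come from reading the OTL file lists above by hand. The following is an added example, not part of this thread and not OTL's own code, that applies the same heuristics to OTL-format lines in Python: a driver created inside the age window with no company name, a hidden file in System32 with no company name, a System32 file whose modified time is later than the scan's own start (something was still writing phqufdrd.sys while the scan ran), and the "Unable to obtain MD5" entries that the scanner could not hash. The sample lines are copied from the log above; the scan start time is the one in the Extras header (3:24:20 PM); the 30-day window, the rule names and the reason strings are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: six entries copied verbatim from the OTL log above
# (two listings of phqufdrd.sys, the hidden p2phfmon.dll, the legitimate
# PunkBuster driver, HijackThis itself and one locked Microsoft DLL).
SAMPLE_OTL = r"""
[2010/09/18 08:13:00 | 000,585,504 | ---- | C] () -- C:\Windows\System32\drivers\phqufdrd.sys
[2010/09/18 08:12:36 | 000,047,616 | -H-- | C] () -- C:\Windows\System32\p2phfmon.dll
[2009/12/22 11:38:12 | 000,139,336 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/09/21 10:21:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Michael\Desktop\HijackThis.exe
[2010/09/21 15:26:40 | 000,585,504 | ---- | M] () -- C:\Windows\System32\drivers\phqufdrd.sys
[2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
"""

# Scan start taken from the OTL Extras header above (9/21/2010 3:24:20 PM).
SCAN_START = datetime(2010, 9, 21, 15, 24, 20)

# One OTL file line: [date time | size | attrs | M-or-C] (company) [locked marker] -- path
ENTRY_RE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\)"
    r"(?P<locked> Unable to obtain MD5)? -- (?P<path>.+)$"
)


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str      # e.g. "----", "-H--" (hidden), "-HS-" (hidden+system), "---D" (dir)
    kind: str       # "M" = listed by modified time, "C" = listed by created time
    company: str    # empty when OTL found no company name in the version resource
    locked: bool    # True when OTL printed "Unable to obtain MD5"
    path: str


def parse_otl(text):
    """Parse every file line in OTL format; headers, blanks and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            when=datetime.strptime(m["when"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"].strip(),
            locked=m["locked"] is not None,
            path=m["path"].strip(),
        ))
    return entries


def triage(text, scan_start, window_days=30):
    """Return {lower-cased path: [reasons]} for entries that deserve a closer look.
    The rules are heuristics (my assumptions), not verdicts: a hit means 'inspect'."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.lower(), []).append(reason)

    cutoff = scan_start - timedelta(days=window_days)
    for e in parse_otl(text):
        p = e.path.lower()
        in_system32 = "\\system32\\" in p
        is_driver = "\\drivers\\" in p and p.endswith(".sys")
        if e.kind == "C" and is_driver and not e.company and e.when >= cutoff:
            flag(e.path, "driver created in the last %d days with no company name" % window_days)
        if e.kind == "C" and in_system32 and "H" in e.attrs and not e.company:
            flag(e.path, "hidden file in System32 with no company name")
        if e.kind == "M" and in_system32 and e.when >= scan_start:
            flag(e.path, "modified after the scan started (something is still writing it)")
        if e.locked:
            flag(e.path, "locked, hash unavailable: compare against a known-good copy offline")
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_OTL, SCAN_START).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```

Two caveats a practitioner would add. "No company name" is not a verdict: PnkBstrK.sys (PunkBuster) has none and is legitimate, which is why the script keys on recency and location as well. And a userland scanner only sees what the kernel lets it see; a driver that hides files or blocks other drivers from loading (RKUnhooker's 0xC0000001 is STATUS_UNSUCCESSFUL from the driver load) can keep its components out of a log entirely, so a clean listing is not clearance. The phqufdrd.sys modified time, two minutes after the scan began, is the kind of detail that survives that filtering and is worth noticing.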

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Yes, that is normal about the icon; it is the original and you can delete the duplicate.

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
Normandy
phqufdrd
khqlmxop

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Collect::
c:\windows\system32\drivers\oopuhnpkpjv.sys
c:\windows\system32\drivers\str.sys
C:\Windows\System32\drivers\phqufdrd.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\khqlmxop]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\phqufdrd]

DirLook::
c:\users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}
c:\users\Michael\AppData\Roaming\Gisay
c:\users\Michael\AppData\Roaming\Myop

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

6. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note:

If ComboFix fails to upload anything, please do the following:

Go to Start > My Computer > C:\

Then navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click here to upload the submit.zip, please.

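The DDS section of the script above resets two values that the infection had planted: a ProxyServer of http=127.0.0.1:6522 and a ProxyOverride of <local> (the "u" prefix in DDS output denotes the current-user hive). A loopback proxy like that routes every browser request through a process on the infected machine before it goes anywhere, which is how this family inspects and tampers with traffic. The following is an added example, not part of the thread and not ComboFix's or DDS's own code, that parses a WinINet ProxyServer value and flags any scheme whose proxy points at the local machine. It reads the live values from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings when run on Windows and otherwise checks the sample value quoted in the thread; the sample value is constructed from the DDS lines above.

```python
import ipaddress
import sys
from typing import Dict, List, Optional, Tuple

# Registry location of the per-user WinINet proxy settings; the "uInternet Settings"
# lines in the DDS section of the script are the ProxyServer and ProxyOverride
# values under this key.
INTERNET_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample mirroring the ProxyServer value quoted in the thread.
SAMPLE_PROXY_SERVER = "http=127.0.0.1:6522"


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Split a ProxyServer value into {scheme: (host, port)}.

    WinINet accepts either "host:port" (used for every protocol, stored here
    under "*") or a ';'-separated list of "scheme=host:port" entries.
    """
    entries: Dict[str, Tuple[str, Optional[int]]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, endpoint = part.partition("=")
        if not sep:
            scheme, endpoint = "*", scheme
        host, _, port = endpoint.rpartition(":")
        if not host:  # no ":port" suffix at all
            host, port = endpoint, ""
        entries[scheme.strip().lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return entries


def is_loopback_host(host: str) -> bool:
    """True for localhost or any loopback address (127.0.0.0/8, ::1)."""
    h = host.strip("[]").lower()
    if h == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def assess_proxy(proxy_server: str, proxy_enable: int = 1) -> List[str]:
    """Return one finding per scheme whose proxy points at the local machine.

    Legitimate only if you knowingly installed a local filtering proxy;
    otherwise it is a strong sign that browser traffic is being intercepted.
    """
    if not proxy_enable:
        return []  # WinINet ignores ProxyServer when ProxyEnable is 0
    findings = []
    for scheme, (host, port) in parse_proxy_server(proxy_server).items():
        if is_loopback_host(host):
            findings.append(f"{scheme} proxy points at the local machine ({host}:{port})")
    return findings


def read_current_user_proxy() -> Optional[Dict[str, object]]:
    """Best-effort read of the live values on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS_KEY)

    def value(name: str, default: object) -> object:
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return default

    return {
        "ProxyEnable": value("ProxyEnable", 0),
        "ProxyServer": value("ProxyServer", ""),
        "ProxyOverride": value("ProxyOverride", ""),
    }


if __name__ == "__main__":
    live = read_current_user_proxy()
    if live is None:
        print("not on Windows; checking the sample value from the thread instead")
        enable, server = 1, SAMPLE_PROXY_SERVER
    else:
        enable, server = int(live["ProxyEnable"] or 0), str(live["ProxyServer"])
    for finding in assess_proxy(server, enable) or ["no loopback proxy configured"]:
        print(finding)
```

A port number on its own proves nothing; what matters is the host. The port 6522 seen in this thread is just where the malicious driver was listening, and a different sample would pick a different one.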

1. Please open Notepad

  • Click Start, then Run.
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

Rootkit::
c:\windows\system32\drivers\oopuhnpkpjv.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\phqufdrd.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\khqlmxop]

Folder::
c:\users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}
c:\users\Michael\AppData\Roaming\Gisay
c:\users\Michael\AppData\Roaming\Myop

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After reboot (in case it asks to reboot), please post the following report/log in your next reply:

  • Combofix.txt


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2010/09/20 07:28:49 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}(18)
    [2010/09/18 08:14:17 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}

    :Files
    c:\windows\system32\drivers\oopuhnpkpjv.sys

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the Update tab, then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

================================Online scan=================================

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.


Here are OTL's results:

All processes killed

========== OTL ==========

C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}(18)\chrome\content folder moved successfully.

C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}(18)\chrome folder moved successfully.

C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}(18) folder moved successfully.

Folder C:\Users\Michael\AppData\Local\{7831399D-5ED1-4510-B9DC-FC0284C3C0A7}\ not found.

========== FILES ==========

c:\windows\system32\drivers\oopuhnpkpjv.sys moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Michael

->Temp folder emptied: 1778 bytes

->Temporary Internet Files folder emptied: 49286 bytes

->Java cache emptied: 83009307 bytes

->FireFox cache emptied: 43091822 bytes

->Google Chrome cache emptied: 41627616 bytes

->Apple Safari cache emptied: 0 bytes

->Opera cache emptied: 1420775 bytes

->Flash cache emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 1607 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 161.00 mb

OTL by OldTimer - Version 3.2.14.1 log created on 09222010_142041

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Here are MBAM's results:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4672

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18943

9/22/2010 3:53:26 PM

mbam-log-2010-09-22 (15-53-26).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 316913

Time elapsed: 1 hour(s), 18 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\Windows\System32\drivers\phqufdrd.sys.vir (Rootkit.Bubnix) -> Quarantined and deleted successfully.

C:\Windows\System32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Here are ESET's results:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a7eb74bd0b0ed145a21ca72fda2d485a

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-09-22 09:23:10

# local_time=2010-09-22 05:23:10 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 100 100 0 121793716 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=183134

# found=7

# cleaned=7

# scan_time=4402

C:\Qoobox\Quarantine\C\Windows\System32\p2phfmon.dll.vir a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\SwSetup\AOLIMS\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\bd4jp989.default\Mail\Local Folders\Inbox multiple threats (contained infected files) 00000000000000000000000000000000 C

C:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\bd4jp989.default\Mail\Local Folders\Trash multiple threats (contained infected files) 00000000000000000000000000000000 C

C:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\bd4jp989.default\Mail\mail.mekkem-4.com\Trash multiple threats (contained infected files) 00000000000000000000000000000000 C

C:\Users\Michael\Documents\Misc\UD-V4 Back-Up\wp-content\themes\default\preview.php probably a variant of PHP/Rst.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\_OTL\MovedFiles\09222010_142041\c_windows\system32\drivers\oopuhnpkpjv.sys Win32/Rustock.NMC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

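An added example, not part of the thread and not ESET's or Malwarebytes' own tooling, that parses the ESET Online Scanner log format shown in the post above: the "# key=value" header lines and the detection lines that follow them. It uses the log lines quoted in this post as its sample input. Two of the seven hits sit under C:\Qoobox\Quarantine (ComboFix's quarantine folder) and C:\_OTL\MovedFiles (where OTL parks moved files), so they are files earlier tools had already contained rather than live infections; the parser marks those separately so the five real findings stand out, and it cross-checks the log's own "found" count against the number of lines it parsed. The path parsing assumes the last path component contains no spaces, which holds for every line in this log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the ESET Online Scanner log posted in this thread (header
# abridged, all seven detection lines kept).
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# local_time=2010-09-22 05:23:10 (-0500, Eastern Daylight Time)
# compatibility_mode=512 16777215 100 0 0 0 0 0
# scanned=183134
# found=7
# cleaned=7
# scan_time=4402
C:\Qoobox\Quarantine\C\Windows\System32\p2phfmon.dll.vir a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\SwSetup\AOLIMS\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\bd4jp989.default\Mail\Local Folders\Inbox multiple threats (contained infected files) 00000000000000000000000000000000 C
C:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\bd4jp989.default\Mail\Local Folders\Trash multiple threats (contained infected files) 00000000000000000000000000000000 C
C:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\bd4jp989.default\Mail\mail.mekkem-4.com\Trash multiple threats (contained infected files) 00000000000000000000000000000000 C
C:\Users\Michael\Documents\Misc\UD-V4 Back-Up\wp-content\themes\default\preview.php probably a variant of PHP/Rst.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\09222010_142041\c_windows\system32\drivers\oopuhnpkpjv.sys Win32/Rustock.NMC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Folders where the earlier tools in this thread park removed files; hits under
# them are already contained and must not be counted as live infections.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",  # ComboFix quarantine
    "c:\\_otl\\movedfiles\\",    # OTL "moved files" quarantine
)

# path:   drive, any number of "segment\" (segments may contain spaces), then a
#         final component assumed to contain no spaces (true for this log).
# threat: free text up to an optional "(action)", a 32-hex hash and a flag.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:[^\\]*\\)*[^\\ ]+) "
    r"(?P<threat>.+?)"
    r"(?: \((?P<action>[^()]*)\))? "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: Optional[str]
    file_hash: str
    already_quarantined: bool


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header fields, detections) from ESET Online Scanner log text."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()  # repeated keys keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            continue  # banner lines such as "OnlineScanner.ocx - registred OK"
        path = m.group("path")
        detections.append(Detection(
            path=path,
            threat=m.group("threat"),
            action=m.group("action"),
            file_hash=m.group("hash"),
            already_quarantined=path.lower().startswith(QUARANTINE_PREFIXES),
        ))
    return header, detections


def summarize(text: str) -> Dict[str, object]:
    """Cross-check the log's own 'found' count against the parsed lines and
    split live hits from files already sitting in another tool's quarantine."""
    header, detections = parse_eset_log(text)
    reported = int(header.get("found", "0"))
    return {
        "finished": header.get("end") == "finished",
        "reported_found": reported,
        "parsed": len(detections),
        "counts_agree": reported == len(detections),
        "live": [d.path for d in detections if not d.already_quarantined],
        "already_quarantined": [d.path for d in detections if d.already_quarantined],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"finished={result['finished']} found={result['reported_found']} parsed={result['parsed']}")
    print("live detections:")
    for p in result["live"]:
        print("  ", p)
    print("already quarantined by an earlier tool:")
    for p in result["already_quarantined"]:
        print("  ", p)
```

The same split applies to the MBAM log above: its Rootkit.Bubnix hit is C:\Qoobox\Quarantine\...\phqufdrd.sys.vir, a file ComboFix had already moved, while the str.sys hit is the one still living in C:\Windows\System32\drivers.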

Hi can you tell me if this file is present still?

C:\Windows\System32\drivers\str.sys

If you cannot see it then please make sure that hidden files and folders are shown.

If you do not know how to do that then please refer to the following link for instructions.

http://www.bleepingcomputer.com/tutorials/tutorial130.html

Let me know about that, and let me know how things are running.


=======Cleanup=======

  • Click Start, then Run.
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)", then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?": also this one by Tony Klein.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

===Free antimalware tools used for on-demand scanning and cleaning (no real-time protection unless purchased)===

Malwarebytes Antimalware

SUPERAntiSpyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast
