Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

mrofinu100186 and DIL.tmp will not LEAVE!


  • This topic is locked This topic is locked

#1
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Member
  • PipPip
  • 45 posts
This is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:36 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.c...h...DTP&M=T6532
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...DTP&M=T6532
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T6532
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=T6532
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL19.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload....Plugin11USA.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bol...geUploader3.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - http://gamedownload....Plugin10USA.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5769 bytes


I've tried to remove it with CCleaner, HijackThis and using msconfig but whenever I restart they always come back. I can't go to some sites properly and programs like AIM don't connect. Help please?

Edited by INNEEDOFHELPPLEASE, 05 April 2008 - 08:07 AM.

  • 0

Advertisements


#2
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
is anyone willing to help? :)
  • 0

#3
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hi inneed.......
First of all, you should read the rules about using this forum, you get lost in here when you bump your thread (or reply before someone helps).

You got a nasty infection there, first step is lets see if we can get rid of some of the root cause programs.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL19.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

AutoInclude
runner1


Please note any other programs that you dont recognize in that list in your next response

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
C:\WINDOWS\TEMP\DIL19.tmp


After that, Reboot.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Post a fresh HJT log also.

Harry
  • 0

#4
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
My computer is odd and I don't know what to do to get to safe mode so I entered here in normal. I had two options that I read, F2- BIOS Settings and F10- Boot Settings. I went to both and couldn't find a Safe Mode
  • 0

#5
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Still having problems getting into safe mode? It may be blocked by the malware :)

This will shed some light on whats going on:

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
  • 0

#6
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Malwarebytes' Anti-Malware 1.10
Database version: 594

Scan type: Quick Scan
Objects scanned: 30905
Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3EHG7KKQ\17PHolmes[1].cmt (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J4B8K2H0\718f466754402ac597de014577627f96[1].zip (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XHPZ1BWC\8154ff2675af1b6e0677560871425153[1].zip (Trojan.Downloader) -> No action taken.
C:\WINDOWS\mrofinu1001186.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32:drvshell.exe (Rootkit.ADS) -> No action taken.

Trend Micro HijackThis v2.0.2
Scan saved at 11:23:07 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\TEMP\DIL13.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.c...h...DTP&M=T6532
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...DTP&M=T6532
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T6532
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=T6532
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL11.tmp
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload....Plugin11USA.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bol...geUploader3.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - http://gamedownload....Plugin10USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5879 bytes

I opened Task Manager and I still see a DIL and 17PHolmes
  • 0

#7
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok run the OTScanit,
post the results

Harry
  • 0

#8
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
OTScanIt logfile created on: 4/6/2008 11:36:33 AM

OTScanIt by OldTimer - Version 1.0.9.0	 Folder = C:\Documents and Settings\Owner\Desktop\OTScanIt

Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

895.36 Mb Total Physical Memory | 350.57 Mb Available Physical Memory | 39.15% Memory free

2.11 Gb Paging File | 1.72 Gb Available in Paging File | 81.15% Paging File free

Paging file location(s): C:\pagefile.sys 1344 2688;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 182.23 Gb Total Space | 60.51 Gb Free Space | 33.20% Space Free | Partition Type: NTFS

Drive D: | 4.06 Gb Total Space | 2.38 Gb Free Space | 58.67% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: YOUR-3148D5A58A

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user



[Processes - Non-Microsoft Only]

aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,7 | Size = 607576 bytes | Modified Date = 3/19/2008 5:08:58 PM | Attr =	]

mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 241664 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr =	]

tmntsrv.exe -> %ProgramFiles%\Trend Micro\Antivirus\Tmntsrv.exe -> Trend Micro Incorporated. [Ver = 11.25.0.2004 | Size = 286793 bytes | Modified Date = 2/17/2004 6:57:36 PM | Attr =	]

tmproxy.exe -> %ProgramFiles%\Trend Micro\Antivirus\tmproxy.exe -> Trend Micro Incorporated. [Ver = 11.25.0.2004 | Size = 282697 bytes | Modified Date = 2/17/2004 6:58:48 PM | Attr =	]

spysweeper.exe -> %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe -> Webroot Software, Inc. [Ver = 3,2,3,2132 | Size = 3473920 bytes | Modified Date = 11/17/2006 5:14:00 PM | Attr =	]

razerhid.exe -> %ProgramFiles%\Razer\DeathAdder\razerhid.exe ->  [Ver = 1, 0, 0, 1 | Size = 237568 bytes | Modified Date = 12/6/2006 11:30:42 PM | Attr =	]

razertra.exe -> %ProgramFiles%\Razer\DeathAdder\razertra.exe ->  [Ver = 1, 0, 0, 1 | Size = 221184 bytes | Modified Date = 11/24/2006 5:24:16 PM | Attr =	]

razerofa.exe -> %ProgramFiles%\Razer\DeathAdder\razerofa.exe -> Razer Inc. [Ver = 4.0.0.4 | Size = 176128 bytes | Modified Date = 11/22/2006 2:42:44 PM | Attr =	]

firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.13: 2008031114 | Size = 7660656 bytes | Modified Date = 3/27/2008 7:19:29 AM | Attr =	]

17pholmes1001186.exe -> %SystemRoot%\17PHolmes1001186.exe -> File not found

otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.9.0 | Size = 369152 bytes | Modified Date = 4/4/2008 12:24:38 PM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,7 | Size = 607576 bytes | Modified Date = 3/19/2008 5:08:58 PM | Attr =	]

(Bonjour Service) ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 241664 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr =	]

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 235520 bytes | Modified Date = 8/10/2004 3:00:00 PM | Attr =	]

(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 731136 bytes | Modified Date = 3/22/2008 10:58:21 AM | Attr =	]

(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] ->  -> File not found

(NVSvc) NVIDIA Display Driver Service [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8133 | Size = 176195 bytes | Modified Date = 9/18/2005 12:32:00 PM | Attr =	]

(PrismXL) PrismXL [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS -> New Boundary Technologies, Inc. [Ver = 6.0.1.22 | Size = 172032 bytes | Modified Date = 1/31/2006 11:40:30 PM | Attr =	]

(Tmntsrv) Trend NT Realtime Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\Antivirus\Tmntsrv.exe -> Trend Micro Incorporated. [Ver = 11.25.0.2004 | Size = 286793 bytes | Modified Date = 2/17/2004 6:57:36 PM | Attr =	]

(tmproxy) Trend Micro Proxy Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\Antivirus\tmproxy.exe -> Trend Micro Incorporated. [Ver = 11.25.0.2004 | Size = 282697 bytes | Modified Date = 2/17/2004 6:58:48 PM | Attr =	]

(WebrootSpySweeperService) Webroot Spy Sweeper Engine [Win32_Own | Auto | Running] -> %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe -> Webroot Software, Inc. [Ver = 3,2,3,2132 | Size = 3473920 bytes | Modified Date = 11/17/2006 5:14:00 PM | Attr =	]



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

AutoInclude -> %SystemRoot%\Temp\DIL11.tmp [C:\WINDOWS\TEMP\DIL11.tmp] ->  [Ver =  | Size = 4096 bytes | Modified Date = 4/6/2008 11:03:55 AM | Attr =	]

DeathAdder -> %ProgramFiles%\Razer\DeathAdder\razerhid.exe ["C:\Program Files\Razer\DeathAdder\razerhid.exe"] ->  [Ver = 1, 0, 0, 1 | Size = 237568 bytes | Modified Date = 12/6/2006 11:30:42 PM | Attr =	]

runner1 -> %SystemRoot%\mrofinu1001186.exe [C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310] ->  [Ver = 1, 0, 0, 1 | Size = 50688 bytes | Modified Date = 4/6/2008 11:20:43 AM | Attr =	]

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

Steam -> %ProgramFiles%\Steam\steam.exe ["c:\program files\steam\steam.exe" -silent] -> Valve Corporation [Ver = 1.0.0.0 | Size = 1271032 bytes | Modified Date = 3/28/2008 7:00:29 AM | Attr =	]

< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 

< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup -> 

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 

WRNotifier -> %SystemRoot%\system32\WRLogonNtf.dll -> Webroot Software, Inc. [Ver = 3,2,3,2132 | Size = 209408 bytes | Modified Date = 11/17/2006 5:14:14 PM | Attr =	]

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallVisualStyle -> C:\WINDOWS\Resources\Themes\Royale\Royale.mss [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallTheme -> C:\WINDOWS\Resources\Themes\Royale.the [C:\WINDOWS\Resources\Themes\Royale.theme] -> File not found

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSaveSettings -> 0 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 

< HOSTS File > (533 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6532 -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6532 -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6532 -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Bar -> http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6532 -> 

HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ -> 

HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar] -> File not found

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

HKEY_CURRENT_USER\: ProxyOverride -> *.local -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 

1 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 

1 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 5:56:50 AM | Attr =	]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:35 AM | Attr =	]

{CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\bae.dll [CBrowserHelperObject Object] -> Gateway Inc. [Ver = 1.1.0.1 | Size = 94208 bytes | Modified Date = 2/1/2006 7:54:30 AM | Attr =	]

< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:35 AM | Attr =	]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:35 AM | Attr =	]

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}:Exec -> %ProgramFiles%\AIM\aim.exe [AIM] -> America Online, Inc. [Ver = 5.9.6089 | Size = 67112 bytes | Modified Date = 8/1/2006 3:35:36 PM | Attr =	]

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{1C0F6DB9-A396-49D2-AEA8-BB42F4BB059F} ->	(NVIDIA nForce Networking Controller) -> 

< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 

NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 94208 bytes | Modified Date = 2/28/2006 12:42:30 PM | Attr =	]

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value

msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{00000055-9980-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/fhg.CAB[Reg Error: Key does not exist or could not be opened.] -> 

{166B1BCA-3F9C-11CF-8075-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 

{5F5F9FB8-878E-4455-95E0-F64B2314288A}[HKEY_LOCAL_MACHINE] -> http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab[Reg Error: Key does not exist or could not be opened.] -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 

{A18962F6-E6ED-40B1-97C9-1FB36F38BFA8}[HKEY_LOCAL_MACHINE] -> http://filelodge.bolt.com/ImageUploader3.cab[Aurigma Image Uploader 3.5 Control] -> 

{A2E05F45-F127-4092-B9F7-9A02C3E04C77}[HKEY_LOCAL_MACHINE] -> http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab[Reg Error: Key does not exist or could not be opened.] -> 

{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab[Java Plug-in 1.5.0_07] -> 

{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab[Java Plug-in 1.5.0_09] -> 

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 

{CD995117-98E5-4169-9920-6C12D4C0B548}[HKEY_LOCAL_MACHINE] -> http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab[Reg Error: Key does not exist or could not be opened.] -> 

{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Reg Error: Key does not exist or could not be opened.] -> 

{DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF}[HKEY_LOCAL_MACHINE] -> http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab[Reg Error: Key does not exist or could not be opened.] -> 

< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjiPreNotify2.exe\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjiPreNotify2.exe\\.Owner -> {5F5F9FB8-878E-4455-95E0-F64B2314288A} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjiPreNotify2.exe\\{5F5F9FB8-878E-4455-95E0-F64B2314288A} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjistarter.exe\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjistarter.exe\\.Owner -> {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjistarter.exe\\{DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjistarter2.exe\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjistarter2.exe\\.Owner -> {5F5F9FB8-878E-4455-95E0-F64B2314288A} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ijjistarter2.exe\\{5F5F9FB8-878E-4455-95E0-F64B2314288A} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ImageUploader3.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ImageUploader3.ocx\\.Owner -> {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ImageUploader3.ocx\\{A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/unicows.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/unicows.dll\\.Owner -> {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/unicows.dll\\{A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} ->  -> 







[Files/Folders - Created Within 30 days]

678586b3954c511ae87d04ecc2f9ddc3 -> %SystemDrive%\678586b3954c511ae87d04ecc2f9ddc3 ->  [Folder | Created Date = 3/28/2008 10:05:31 PM | Attr =	]

ATI -> %SystemDrive%\ATI ->  [Folder | Created Date = 3/20/2008 6:27:56 PM | Attr =	]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 938921984 bytes | Created Date = 4/6/2008 11:03:28 AM | Attr =  HS]

NVIDIA -> %SystemDrive%\NVIDIA ->  [Folder | Created Date = 3/21/2008 10:38:32 AM | Attr =	]

wally -> %SystemDrive%\wally ->  [Folder | Created Date = 3/22/2008 11:47:19 AM | Attr =	]

atifglpf.xml -> %SystemRoot%\System32\atifglpf.xml ->  [Ver =  | Size = 7167 bytes | Created Date = 3/20/2008 7:36:13 PM | Attr = R  ]

atiicdxx.dat -> %SystemRoot%\System32\atiicdxx.dat ->  [Ver =  | Size = 160289 bytes | Created Date = 3/20/2008 7:36:09 PM | Attr = R  ]

ativva5x.dat -> %SystemRoot%\System32\ativva5x.dat ->  [Ver =  | Size = 3107788 bytes | Created Date = 3/20/2008 7:36:10 PM | Attr = R  ]

ativva6x.dat -> %SystemRoot%\System32\ativva6x.dat ->  [Ver =  | Size = 887724 bytes | Created Date = 3/20/2008 7:36:11 PM | Attr = R  ]

ativvaxx.dat -> %SystemRoot%\System32\ativvaxx.dat ->  [Ver =  | Size = 3107788 bytes | Created Date = 3/20/2008 7:36:09 PM | Attr = R  ]

d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat ->  [Ver =  | Size = 664 bytes | Created Date = 3/20/2008 4:17:28 PM | Attr =	]

MRT.INI -> %SystemRoot%\System32\MRT.INI ->  [Ver =  | Size = 52010 bytes | Created Date = 3/22/2008 10:31:29 AM | Attr =	]

NvApps.xml -> %SystemRoot%\System32\NvApps.xml ->  [Ver =  | Size = 0 bytes | Created Date = 3/21/2008 11:25:50 AM | Attr =	]

atiogl.xml -> %SystemRoot%\atiogl.xml ->  [Ver =  | Size = 11874 bytes | Created Date = 3/20/2008 7:36:14 PM | Attr = R  ]

ativpsrm.bin -> %SystemRoot%\ativpsrm.bin ->  [Ver =  | Size = 0 bytes | Created Date = 3/20/2008 7:36:19 PM | Attr =	]

mrofinu1001186.exe -> %SystemRoot%\mrofinu1001186.exe ->  [Ver = 1, 0, 0, 1 | Size = 50688 bytes | Created Date = 4/6/2008 11:20:43 AM | Attr =	]

nview -> %SystemRoot%\nview ->  [Folder | Created Date = 3/21/2008 10:50:59 AM | Attr =	]

QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 3/26/2008 12:02:07 PM | Attr =	]

QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 3/26/2008 12:02:07 PM | Attr =  H ]



[Files/Folders - Modified Within 30 days]

678586b3954c511ae87d04ecc2f9ddc3 -> %SystemDrive%\678586b3954c511ae87d04ecc2f9ddc3 ->  [Folder | Modified Date = 3/28/2008 10:05:32 PM | Attr =	]

aidualc3 -> %SystemDrive%\aidualc3 ->  [Folder | Modified Date = 3/21/2008 11:05:33 AM | Attr =	]

ATI -> %SystemDrive%\ATI ->  [Folder | Modified Date = 3/20/2008 6:27:56 PM | Attr =	]

boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 208 bytes | Modified Date = 4/5/2008 9:36:01 PM | Attr = RHS]

Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 4/5/2008 3:01:46 PM | Attr =  HS]

Fraps -> %SystemDrive%\Fraps ->  [Folder | Modified Date = 4/5/2008 11:17:01 AM | Attr =	]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 938921984 bytes | Modified Date = 4/6/2008 11:19:52 AM | Attr =  HS]

NVIDIA -> %SystemDrive%\NVIDIA ->  [Folder | Modified Date = 3/21/2008 10:38:32 AM | Attr =	]

Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 4/6/2008 11:05:58 AM | Attr = R  ]

RECYCLER -> %SystemDrive%\RECYCLER ->  [Folder | Modified Date = 4/6/2008 11:00:39 AM | Attr =  HS]

Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 3/28/2008 10:14:24 PM | Attr =	]

wally -> %SystemDrive%\wally ->  [Folder | Modified Date = 3/26/2008 12:23:09 PM | Attr =	]

WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 4/6/2008 11:20:54 AM | Attr =	]

CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Modified Date = 3/21/2008 11:14:36 AM | Attr =	]

9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 4/5/2008 11:22:47 AM | Attr =	]

config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 4/5/2008 11:19:07 AM | Attr =	]

DirectX -> %SystemRoot%\System32\DirectX ->  [Folder | Modified Date = 3/21/2008 10:58:40 AM | Attr =	]

dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 3/28/2008 10:05:40 PM | Attr = RHS]

drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 4/5/2008 3:01:16 PM | Attr =	]

FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 1608128 bytes | Modified Date = 3/28/2008 7:59:37 PM | Attr =	]

Lang -> %SystemRoot%\System32\Lang ->  [Folder | Modified Date = 3/28/2008 7:59:50 PM | Attr =	]

MRT.INI -> %SystemRoot%\System32\MRT.INI ->  [Ver =  | Size = 52010 bytes | Modified Date = 3/22/2008 10:31:32 AM | Attr =	]

mui -> %SystemRoot%\System32\mui ->  [Folder | Modified Date = 3/29/2008 7:32:31 AM | Attr =	]

NvApps.xml -> %SystemRoot%\System32\NvApps.xml ->  [Ver =  | Size = 0 bytes | Modified Date = 3/25/2008 9:08:53 AM | Attr =	]

oobe -> %SystemRoot%\System32\oobe ->  [Folder | Modified Date = 4/6/2008 11:30:35 AM | Attr =	]

perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 83208 bytes | Modified Date = 3/29/2008 7:33:16 AM | Attr =	]

perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 451694 bytes | Modified Date = 3/29/2008 7:33:16 AM | Attr =	]

PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 522568 bytes | Modified Date = 3/29/2008 7:33:16 AM | Attr =	]

ReinstallBackups -> %SystemRoot%\System32\ReinstallBackups ->  [Folder | Modified Date = 3/21/2008 10:47:56 AM | Attr =	]

RTCOM -> %SystemRoot%\System32\RTCOM ->  [Folder | Modified Date = 3/28/2008 7:57:50 PM | Attr =	]

spool -> %SystemRoot%\System32\spool ->  [Folder | Modified Date = 3/28/2008 10:05:43 PM | Attr =	]

URTTemp -> %SystemRoot%\System32\URTTemp ->  [Folder | Modified Date = 3/29/2008 7:38:47 AM | Attr =	]

wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 4/5/2008 11:18:45 AM | Attr =	]

wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 1170 bytes | Modified Date = 4/6/2008 11:20:24 AM | Attr =	]

assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 3/29/2008 8:44:20 PM | Attr = R S]

ativpsrm.bin -> %SystemRoot%\ativpsrm.bin ->  [Ver =  | Size = 0 bytes | Modified Date = 3/20/2008 7:36:19 PM | Attr =	]

bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 4/6/2008 11:19:52 AM | Attr =   S]

Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 4/4/2008 6:59:00 AM | Attr =	]

Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 3/28/2008 10:29:59 PM | Attr =   S]

ehome -> %SystemRoot%\ehome ->  [Folder | Modified Date = 4/6/2008 11:29:42 AM | Attr =	]

Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 3/26/2008 12:16:49 PM | Attr = R S]

Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 4/6/2008 11:29:42 AM | Attr =	]

inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 3/28/2008 10:05:50 PM | Attr =  H ]

Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 4/5/2008 3:01:46 PM | Attr =  HS]

Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 3/29/2008 8:44:23 PM | Attr =	]

Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 4/5/2008 10:01:52 AM | Attr =	]

mrofinu1001186.exe -> %SystemRoot%\mrofinu1001186.exe ->  [Ver = 1, 0, 0, 1 | Size = 50688 bytes | Modified Date = 4/6/2008 11:20:43 AM | Attr =	]

nview -> %SystemRoot%\nview ->  [Folder | Modified Date = 3/21/2008 10:50:59 AM | Attr =	]

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 4/6/2008 11:35:43 AM | Attr =	]

QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 3/26/2008 12:02:07 PM | Attr =	]

QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 3/26/2008 12:02:07 PM | Attr =  H ]

Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 4/5/2008 11:18:45 AM | Attr =	]

security -> %SystemRoot%\security ->  [Folder | Modified Date = 3/29/2008 3:08:56 AM | Attr =	]

system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 4/5/2008 9:36:01 PM | Attr =	]

system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 4/6/2008 11:18:30 AM | Attr =	]

@Alternate Data Stream - 68911 bytes -> %SystemRoot%\system32:drvshell

Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 4/6/2008 11:20:49 AM | Attr =	]

Web -> %SystemRoot%\Web ->  [Folder | Modified Date = 4/6/2008 11:30:40 AM | Attr = R  ]

win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 998 bytes | Modified Date = 4/5/2008 9:36:01 PM | Attr =	]

WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 3/29/2008 7:33:08 AM | Attr =	]

SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 4/6/2008 11:19:57 AM | Attr =  H ]

eHomeLog-0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-0.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 1/9/2005 9:20:09 PM | Attr =  H ]

eHomeLog-1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-1.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 1/9/2005 9:20:38 PM | Attr =  H ]

qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 5348 bytes | Modified Date = 3/30/2008 5:22:00 PM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 5348 bytes | Modified Date = 3/30/2008 5:21:48 PM | Attr =	]

opa12.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat ->  [Ver =  | Size = 8424 bytes | Modified Date = 9/9/2007 1:55:47 PM | Attr =	]

mspi11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\PI\mspi11.dat ->  [Ver =  | Size = 4 bytes | Modified Date = 10/30/2007 7:41:07 PM | Attr =	]

mspod11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\POD\mspod11.dat ->  [Ver =  | Size = 4 bytes | Modified Date = 10/30/2007 7:41:07 PM | Attr =	]

wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/21/2006 8:40:23 PM | Attr =	]

wklntsk1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntsk1.dat ->  [Ver =  | Size = 166245 bytes | Modified Date = 6/21/2006 8:40:55 PM | Attr =	]

AIM_PH.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\AIM_PH.dat ->  [Ver =  | Size = 293 bytes | Modified Date = 4/5/2008 8:57:28 AM | Attr =	]

34 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp -> 

Perflib_Perfdata_dd4.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_dd4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 4/5/2008 3:04:42 PM | Attr =	]

8 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 



< End of report >

  • 0

#9
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [Processes - Non-Microsoft Only]
    YN -> 17pholmes1001186.exe -> %SystemRoot%\17PHolmes1001186.exe
    [Registry - Non-Microsoft Only]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> AutoInclude -> %SystemRoot%\Temp\DIL11.tmp [C:\WINDOWS\TEMP\DIL11.tmp]
    YY -> runner1 -> %SystemRoot%\mrofinu1001186.exe [C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310]
    [Files/Folders - Created Within 30 days]
    NY -> 678586b3954c511ae87d04ecc2f9ddc3 -> %SystemDrive%\678586b3954c511ae87d04ecc2f9ddc3
    NY -> mrofinu1001186.exe -> %SystemRoot%\mrofinu1001186.exe
    [Files/Folders - Modified Within 30 days]
    NY -> 678586b3954c511ae87d04ecc2f9ddc3 -> %SystemDrive%\678586b3954c511ae87d04ecc2f9ddc3
    NY -> mrofinu1001186.exe -> %SystemRoot%\mrofinu1001186.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run OTScanit again, post the new log along with a fresh HJT please.

Harry
  • 0

#10
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I'm not sure if OTMoveIt2 froze or not but I can't see anything and it's white. Should I end it's process or should I try to wait it out?
  • 0

Advertisements


#11
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
wait a bit :)
  • 0

#12
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Folling the instructions above, use this script, just the contents of the box, not the word code:
[kill explorer]
YN -> 17pholmes1001186.exe -> %SystemRoot%\17PHolmes1001186.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> AutoInclude -> %SystemRoot%\Temp\DIL11.tmp [C:\WINDOWS\TEMP\DIL11.tmp]
YY -> runner1 -> %SystemRoot%\mrofinu1001186.exe [C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310]
[Files/Folders - Created Within 30 days]
NY -> 678586b3954c511ae87d04ecc2f9ddc3 -> %SystemDrive%\678586b3954c511ae87d04ecc2f9ddc3
NY -> mrofinu1001186.exe -> %SystemRoot%\mrofinu1001186.exe
[Files/Folders - Modified Within 30 days]
NY -> 678586b3954c511ae87d04ecc2f9ddc3 -> %SystemDrive%\678586b3954c511ae87d04ecc2f9ddc3
NY -> mrofinu1001186.exe -> %SystemRoot%\mrofinu1001186.exe
[start explorer]

  • 0

#13
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
NOTE
this user is communicating via IRC with me, some information is missing from this thread.
Instructions posted here are for this user only!


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#14
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
I need to see a bit of information:
To get safeboot.txt:
  • Click Start>Run
  • Copy the lines in the box below, and paste it in the run box that opens:

    regedit /e c:\safeboot.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

  • Click “Ok”
  • Double click the My Computer icon, then your C drive
  • In there, you will see a file called safeboot.txt. Double click to open it.
  • Copy and paste the text into a reply please.

Harry
  • 0

#15
INNEEDOFHELPPLEASE

INNEEDOFHELPPLEASE

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

here ya go
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP