
Topic: google redirect, taskbar changes appearance + usb internet connection down etc.

  1. #11
    Forum user
    Registered since
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    cmd at /delete:

    oh, I already had pressed 'Y' in my last attempt
    and then a new line of C:\Documents and Settings\Administrator>
    had appeared, so I guess the deleting of scheduled tasks went through then, or at least now

    vvvvvvvvvvvv


    it was in the first run of TDSSKiller that on default it was set to 'skip' for the
    2011/02/01 02:54:59.0359 Forged file(mefbxzgm) - User select action: Skip

    for the next run I had changed it to 'delete' so it should be gone now

    now also I tried again the cmd:
    sc config mefbxzgm start= disabled
    it leads to the info: 'The specified service does not exist as an installed service'

    however doing the sc config xpkihsl start= disabled
    which I thought we also had successfully removed, now says: 'access is denied'


    vvvvvvvvvvvvvv


    when running Combofix, before starting its proper scan, a message box comes up saying:
    'This machine does not have the 'Microsoft Windows Recovery console' installed. Alternatively, an existing installation of the recovery console may be present but requires updating.
    Without it, Combofix shall not attempt to fixing of some of serious infections.
    Click 'Yes' to have Combofix download/install it.
    NOTE: this requires an active internet connection'

    I had pressed 'YES' also for, in the meantime, two prior runs of Combofix.
    It had said it downloaded and installed the 'Microsoft Windows Recovery console' during the first run of Combofix, ending in:

    'Congratulations!!! Microsoft Recovery Console was successfully installed.
    On each restart of the machine, a black screen will offer you the option to boot into recovery console mode.
    For normal use, just ignore the black screen. windows shall boot normally in 2 seconds
    Click 'Yes' to continue scanning for malware'


    but: the same message that the 'Microsoft Windows Recovery console' is missing and needs to be installed again popped up in the second, and now again on starting the third run of Combofix!?

    doing this third run of Combofix:
    after some 10 minutes the screen went black ( I guess just something like an automatic 'screen saver mode' but it had not been working lately )
    left it there another 15 minutes
    then clicked left on the mouse to make the screen come back,
    the Combofix still seemed running ( and the watch of the computer, like during the two earlier scans stopped running )
    left it running another 45 minutes but there was no further change inside the message box of Combofix so I turned off the computer then
    so again no Combofix log..

    should I have left it scanning even longer?


    vvvvvvvvvvvvv


    log of the new run of GMER:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-02 15:57:33
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVS-22RST0 rev.04.01G04
    Running: l2901tnx.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldrpog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xAC772F00, 0x24000, 0x48000000]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
    .text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
    .text C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [DISABLED] xpkihsl <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@DisplayName Manager Driver
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@Start 4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@Description Allows error reporting for services and applictions running in non-standard environments.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl\Parameters@ServiceDll C:\WINDOWS\system32\tiusetr.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@DisplayName Manager Driver
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@Start 4
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl@Description Allows error reporting for services and applictions running in non-standard environments.
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl\Parameters@ServiceDll C:\WINDOWS\system32\tiusetr.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- EOF - GMER 1.0.15 ----

    I tried as you instructed, opened GMER again.
    however on opening the scan always immediately starts,
    therefore I failed to do the right click to choose to scan only MS files
    ( once the scan is running the right click does not do anything and there is no 'pause' button either )

    ..so sorry, no second GMER log


    the computer already is much more responsive and pleasant to use

    best greetings,
    anderle
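The GMER log above is the kind of output a helper reads by hand: the interesting parts are the hidden service line and the registry values that say how that service is loaded. As an added example (not code from this thread and not GMER's own), here is a small Python triage parser for that log format. It assumes the line layouts visible in the log (the "Service ... <-- ROOTKIT" line and "Reg <key>@<value> <data>" lines); the sample lines embedded in it are constructed from the log posted above. The point it makes: for a service hosted in svchost.exe the ImagePath only names the host, so the ServiceDll under Parameters is the file that actually carries the service code.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code).

Parses the plain-text log that GMER writes: the "Service ... <-- ROOTKIT" lines
and the "Reg <key>@<value> <data>" lines, and ties each hidden service to the
registry values that say how it is loaded.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-02 15:57:33

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
.text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [DISABLED] xpkihsl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@DisplayName Manager Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpkihsl\Parameters@ServiceDll C:\WINDOWS\system32\tiusetr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\xpkihsl\Parameters@ServiceDll C:\WINDOWS\system32\tiusetr.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
"""

SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s*\[(?P<state>[A-Z]+)\]\s+(?P<name>\S+)"
)
# Key may contain spaces ("Windows NT"); the value name follows the first "@".
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?\s*$")


@dataclass
class ServiceFinding:
    name: str
    image: str          # host process as GMER printed it
    state: str          # e.g. DISABLED
    hidden: bool        # GMER could not see it through the normal service API
    registry: dict = field(default_factory=dict)   # value name -> data


def parse_gmer_log(text):
    """Return ({service name: ServiceFinding}, [inline JMP hook lines])."""
    services, reg, hooks = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services[m["name"]] = ServiceFinding(
                name=m["name"], image=m["image"], state=m["state"],
                hidden="hidden" in m["flags"],
            )
            continue
        m = REG_RE.match(line)
        if m and m["value"]:
            reg[(m["key"], m["value"])] = (m["data"] or "").strip()
            continue
        # Inline hooks in user-mode code: a JMP patched over a function prologue.
        if line.startswith(".text") and " JMP " in line:
            hooks.append(line)
    # Attach every Services\<name>... value (from any ControlSet) to its service.
    for (key, value), data in reg.items():
        for svc in services.values():
            if f"\\services\\{svc.name.lower()}" in key.lower():
                svc.registry[value] = data
    return services, hooks


def summarize(services, hooks):
    """Triage lines, hidden services first, naming the file that really runs."""
    lines = []
    for svc in sorted(services.values(), key=lambda s: not s.hidden):
        tag = "HIDDEN" if svc.hidden else "visible"
        lines.append(f"{tag} service {svc.name} [{svc.state}] hosted by {svc.image}")
        for value in ("ImagePath", "ServiceDll"):
            if value in svc.registry:
                lines.append(f"  {value}: {svc.registry[value]}")
    lines.append(f"{len(hooks)} inline JMP hook(s) in user-mode code sections (verify each)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(*parse_gmer_log(SAMPLE_LOG))))
```

Feed a saved GMER log to parse_gmer_log instead of SAMPLE_LOG to triage a real scan; the ServiceDll line is the one to carry over into whatever file check comes next.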

  2. #12
    Forum user
    Registered since
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    tsss..my computer still seems to collect new malware each time online:
    I just did a scan with the malwarebytes and 4 new threats were detected, one which it could not remove, here the log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5662

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    2/3/2011 4:03:40 AM
    mbam-log-2011-02-03 (04-03-24).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 176345
    Time elapsed: 33 minute(s), 38 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    c:\WINDOWS\Temp\nrmo\setup.exe (Spyware.Passwords.XGen) -> 2948 -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMService (Spyware.Passwords.XGen) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Spyware.Passwords.XGen) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\Temp\nrmo\setup.exe (Spyware.Passwords.XGen) -> No action taken.

  3. #13
    Moderator (global) Team member
    Registered since
    25.11.2006
    Posts
    5.949

    Re: AW: google redirect, taskbar changes appearance + usb internet connection down et

    I can tell by this last "at /delete" description the steps did work, so good you did get that completed. Probably the different interpretations of your "pressed 'Y'" info - I was probably looking for "typed Y, pressed Enter".

    You may have noticed Gmer runs its own opening scan, so yes, you would not be able to set up the different scan until that finishes. I have updated my steps to include that info. We will still be needing to run that type of Gmer scan, so this time you will know the best way to complete it.

    after some 10 minutes the screen went black ( I guess just something like an automatic 'screen saver mode' but it had not been working lately )
    Be sure to disable the screensaver, even if it doesn't work right now. Just change the selected screensaver to None (being sure to press Apply and OK to save the changes).

    Still too much hit and miss to get a handle on a solid slam on the infection. There may be new infection downloading, so make sure you keep the use of the system to the bare minimum (on line, or off line actually). The infection may also be some hidden until now, and showing as your work removes what was hiding it.

    ---------------

    The "Spyware.Passwords" designation, unfortunately, suggests data located, and offloaded to some malware location. If you can, go to a different computer and change all login/passwords for all secure sites you use (credit, banking etc.). Just as a preventive measure for right now.

    The logs show odd "debugger" settings added to some key system processes, suggesting malware may be monitoring, and taking action, using the processes.

    We need to act, but I would like that different Gmer scan log view to check. Please repeat that, and post the log after.

    And one other, slightly dated, look at things.

    Go here and download reglooks.exe to your Desktop. Doubleclick on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.
    Live the day!

    Jintan - The brand where everything is right!
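The "debugger" settings Jintan mentions are Image File Execution Options (IFEO) entries, and the Malwarebytes log in #12 named exactly such a key for SETUP.EXE. As an added example (not from this thread and not part of Malwarebytes, GMER or reglooks), here is a Python checker for that mechanism: it reads the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` prints and flags every key carrying a Debugger value. Windows starts the program named in Debugger instead of the executable the key is named after, handing it the original command line, which is why a Debugger pointing anywhere unusual deserves a look. The reg query output embedded below is constructed, and the allowlist of expected debugger names is my assumption, not a list from Microsoft.

```python
r"""Flag Image File Execution Options (IFEO) Debugger redirections.

Added example; not from this thread and not part of Malwarebytes, GMER or reglooks.
Parses the text printed by
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
and reports every key that carries a Debugger value.
"""
import ntpath
import re

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Debuggers registered under IFEO on purpose by developer tooling or by Process
# Explorer's "Replace Task Manager" option (assumed allowlist); anything else is
# reported as suspicious.
EXPECTED_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe",
                      "procexp.exe", "procexp64.exe"}

# Constructed sample in reg query's output format. The SETUP.EXE key name and the
# C:\WINDOWS\Temp\nrmo\setup.exe path both appear in the Malwarebytes log posted in
# this thread; pairing them as key and Debugger value, and the other two keys, are
# made up for the example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    <NO NAME>    REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE
    Debugger    REG_SZ    C:\WINDOWS\Temp\nrmo\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    "C:\Program Files\Sysinternals\procexp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    GlobalFlag    REG_SZ    0x00000000
"""

# "    <name>    REG_<type>    <data>"; the name may contain single spaces (<NO NAME>).
VALUE_RE = re.compile(
    r"^\s+(?P<name>\S+(?: \S+)*)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*\S))?\s*$"
)


def parse_reg_query(text):
    """{key path: {value name: (type, data)}} from `reg query /s` output."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():        # key paths start in column 0
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(raw)
        if m and current is not None:
            keys[current][m["name"]] = (m["type"], m["data"] or "")
    return keys


def debugger_basename(data):
    """Executable named first in a Debugger value, quoting and arguments stripped."""
    data = data.strip()
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def find_debugger_redirections(text):
    """List of {image, debugger, verdict} for every IFEO key with a Debugger value."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().startswith(IFEO_ROOT.lower() + "\\") or "Debugger" not in values:
            continue
        _, data = values["Debugger"]
        verdict = "expected" if debugger_basename(data) in EXPECTED_DEBUGGERS else "suspicious"
        findings.append({"image": key[len(IFEO_ROOT) + 1:], "debugger": data, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_debugger_redirections(SAMPLE_REG_QUERY):
        print(f"{f['verdict']:10s} {f['image']} -> {f['debugger']}")
```

On a live machine, redirect the reg query output to a file and pass its contents to find_debugger_redirections; a Debugger value on a system image name that points into a Temp directory, as in the constructed SETUP.EXE entry, is the pattern the moderator is describing.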

  4. #14
    Moderator (global) Team member
    Registered since
    25.11.2006
    Posts
    5.949

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    One other check, for a file we need to verify.

    Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

    Code:
    :filefind
    amService.exe
    Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.
    Live the day!

    Jintan - The brand where everything is right!

  5. #15
    Forum user
    Registered since
    27.01.2011
    Posts
    58

    Re: Re: google redirect, taskbar changes appearance + usb internet connection down et

    thank you, this time I could choose only non MS files
    the problem choosing was that first the scan starts to run until the warning pops up:

    GMER has found system modification, which might have been caused by ROOTKIT activity
    Do you want to fully scan your computer?
    the log window at this moment displays in red:

    Service C:\WINDOWS\system32\svchost.exe(***hidden***) (DISABLED)xpkihsl

    so far I have always chosen 'Yes' and the scan immediately continued.
    this time I chose 'No', then made the right click to choose 'only non MS files' and then clicked on 'scan'

    here the result:




    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-03 10:56:59
    Windows 5.1.2600 Service Pack 2
    Running: l2901tnx.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldrpog.sys


    ---- Modules - GMER 1.0.15 ----

    Module PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) BA918000-BA921000 (36864 bytes)
    Module \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) B831D000-B85A7000 (2662400 bytes)
    Module \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) B82E4000-B8309000 (151552 bytes)
    Module \SystemRoot\system32\DRIVERS\athw.sys (Driver for Atheros Wireless Network Adapter/Atheros Communications, Inc.) B8163000-B82E4000 (1576960 bytes)
    Module \SystemRoot\system32\DRIVERS\Rtenicxp.sys (Realtek 10/100/1000 NDIS 5.1 Driver /Realtek Semiconductor Corporation ) B814C000-B8163000 (94208 bytes)
    Module \SystemRoot\system32\DRIVERS\risdptsk.sys (RICOH SD Driver/REDC) BAA38000-BAA47000 (61440 bytes)
    Module \SystemRoot\system32\DRIVERS\rimmptsk.sys (RICOH SD Driver/REDC) B80F5000-B8106000 (69632 bytes)
    Module \SystemRoot\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) B80AE000-B80C2000 (81920 bytes)
    Module \SystemRoot\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) B805C000-B80AE000 (335872 bytes)
    Module \SystemRoot\System32\Drivers\tosrfcom.sys (Bluetooth RFCOMM Driver/TOSHIBA Corporation) BAA48000-BAA58000 (65536 bytes)
    Module \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) BABD8000-BABDD000 (20480 bytes)
    Module \SystemRoot\system32\DRIVERS\tosporte.sys (TOSHIBA Bluetooth Port Emulation Driver/TOSHIBA Corporation) BAAA8000-BAAB3000 (45056 bytes)
    Module \SystemRoot\system32\drivers\RtHDMI.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) AFB62000-AFEBF000 (3526656 bytes)
    Module \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) AF5FD000-AFA76000 (4689920 bytes)
    Module \SystemRoot\system32\DRIVERS\AGRSM.sys (SoftModem Device Driver/Agere Systems) AF4E1000-AF5FD000 (1163264 bytes)
    Module \SystemRoot\system32\DRIVERS\tosrfusb.sys (Bluetooth USB Miniport Driver/TOSHIBA CORPORATION) B800D000-B8018000 (45056 bytes)
    Module \SystemRoot\system32\DRIVERS\tosrfbd.sys (Bluetooth RF Bus Driver/TOSHIBA CORPORATION) AF2A9000-AF2C5000 (114688 bytes)
    Module \SystemRoot\system32\DRIVERS\Tosrfhid.sys (Bluetooth HID Driver from TOSHIBA/TOSHIBA Corporation.) AF247000-AF259000 (73728 bytes)
    Module \SystemRoot\System32\Drivers\tosrfbnp.sys (Bluetooth RFBNEP Driver/TOSHIBA Corporation) B7FFD000-B8006000 (36864 bytes)
    Module \SystemRoot\system32\DRIVERS\tosrfnds.sys (Bluetooth BNEP Driver/TOSHIBA Corporation.) BAC40000-BAC45000 (20480 bytes)
    Module \SystemRoot\System32\ati2dvag.dll (ATI Radeon WindowsNT Display Driver/ATI Technologies Inc.) BF9D4000-BFA19000 (282624 bytes)
    Module \SystemRoot\System32\ati2cqag.dll (Central Memory Manager / Queue Server Module/ATI Technologies Inc.) BFA19000-BFA93000 (499712 bytes)
    Module \SystemRoot\System32\atikvmag.dll (Virtual Command And Memory Manager/ATI Technologies Inc.) BFA93000-BFAFF000 (442368 bytes)
    Module \SystemRoot\System32\atiok3x2.dll (Ring 0 x2 component/ATI Technologies Inc.) BFAFF000-BFB2D000 (188416 bytes)
    Module \SystemRoot\System32\ati3duag.dll (ati3duag.dll/ATI Technologies Inc. ) BFB2D000-BFE2A000 (3133440 bytes)
    Module \SystemRoot\System32\ativvaxx.dll (Radeon Video Acceleration Universal Driver/ATI Technologies Inc. ) BFE2A000-BFFB0000 (1597440 bytes)
    Module \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated) BFFB0000-BFFF6000 (286720 bytes)
    Module \SystemRoot\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) AC71D000-AC745000 (163840 bytes)
    Module \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldrpog.sys (GMER) ABA3E000-ABA56000 (98304 bytes)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 276
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library c:\windows\system32\cpwwlpgw.dll (bhsihpqm DLL/xqcygzfnpu Corporation) 0x00E40000
    Library C:\WINDOWS\system32\libssl32.dll (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/) 0x10000000
    Library C:\WINDOWS\system32\LIBEAY32.dll (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/) 0x02BF0000
    Library C:\WINDOWS\system32\ShellExt\AUDIOS~1.DLL (AudioShell/Softpointer Inc) 0x100B0000
    Library C:\WINDOWS\system32\TosBtExt.dll (TosBtExt/TOSHIBA) 0x11320000
    Library D:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Shell Extension DLL/WinZip Computing, Inc.) 0x16200000
    Library C:\Program Files\WinRAR\rarext.dll 0x0BA40000
    Library C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (OpenOffice.org) 0x12E40000
    Library C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\stlport_vc7145.dll (STLport/STLport Consulting, Inc.) 0x5E470000

    Process C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) 1020
    Library C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 1080
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 1120
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\Ati2evxx.dll (ATI External Event Utility DLL Module/ATI Technologies Inc.) 0x10000000

    Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 1164
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 1176
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1332
    Library C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\Ati2edxx.dll (ati2edxx/ATI Technologies, Inc.) 0x00D60000
    Library C:\WINDOWS\system32\atipdlxx.dll (ATI Desktop CWDDEDI DLL/ATI Technologies, Inc.) 0x10000000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1348
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1412
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1452
    Library C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library c:\windows\system32\cpwwlpgw.dll (bhsihpqm DLL/xqcygzfnpu Corporation) 0x01890000
    Library C:\WINDOWS\System32\libssl32.dll (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/) 0x10000000
    Library C:\WINDOWS\System32\LIBEAY32.dll (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/) 0x030E0000

    Process C:\Documents and Settings\Administrator\Desktop\l2901tnx.exe 1472
    Library C:\Documents and Settings\Administrator\Desktop\l2901tnx.exe 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1544
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1584
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA Bluetooth Service/TOSHIBA CORPORATION) 1588
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA Bluetooth Service/TOSHIBA CORPORATION) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1616
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1680
    Library C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\Ati2edxx.dll (ati2edxx/ATI Technologies, Inc.) 0x010B0000
    Library C:\WINDOWS\system32\atipdlxx.dll (ATI Desktop CWDDEDI DLL/ATI Technologies, Inc.) 0x10000000
    Library C:\WINDOWS\system32\ati2evxx.dll (ATI External Event Utility DLL Module/ATI Technologies Inc.) 0x00FB0000

    Process C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2 Flash Memory Service/O2Micro International) 1932
    Library C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2 Flash Memory Service/O2Micro International) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 1952
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\mdimon.dll (Microsoft® Document Imaging/Microsoft Corporation) 0x00AA0000
    Library C:\WINDOWS\system32\tbtmon.dll (TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtHcrpAPI.dll (TOSHIBA CORPORATION.) 0x00AB0000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00E50000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x00EC0000
    Library C:\WINDOWS\system32\tbtmon98Language.dll (TOSHIBA CORPORATION.) 0x00EE0000
    Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll (Microsoft® Document Imaging/Microsoft Corporation) 0x00F90000
    Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll (Print Filter Pipeline Proxy/Microsoft Corporation) 0x00FA0000

    Process C:\WINDOWS\TEMP\nrmo\setup.exe 2364
    Library C:\WINDOWS\TEMP\nrmo\setup.exe 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (TosBtProc/TOSHIBA CORPORATION.) 2588
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (TosBtProc/TOSHIBA CORPORATION.) 0x00400000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.dll (tosOBEX/TOSHIBA corporation) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003B0000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\System32\alg.exe (Application Layer Gateway Service/Microsoft Corporation) 3020
    Library C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\RTHDCPL.EXE (Realtek HD Audio Control Panel/Realtek Semiconductor Corp.) 3236
    Library C:\WINDOWS\RTHDCPL.EXE (Realtek HD Audio Control Panel/Realtek Semiconductor Corp.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\AGRSMMSG.exe (SoftModem Messaging Applet/Agere Systems) 3256
    Library C:\WINDOWS\AGRSMMSG.exe (SoftModem Messaging Applet/Agere Systems) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\ctfmon.exe (CTF Loader/Microsoft Corporation) 3264
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TosBtMng/TOSHIBA CORPORATION.) 3440
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TosBtMng/TOSHIBA CORPORATION.) 0x00400000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosCpsAPI.dll (TosCpsAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMngHelp.dll (TosBtMngHelp/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosAvAPI.dll (TosAvAPI/TOSHIBA CORPORATION.) 0x00380000
    Library C:\WINDOWS\system32\TosBtSDDB.dll (TosBtSDDB/TOSHIBA CORPORATION.) 0x00390000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMngLang.dll (TosBtMngLang/TOSHIBA CORPORATION.) 0x003C0000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003D0000
    Library C:\WINDOWS\system32\TosCommAPI.dll 0x00730000
    Library C:\WINDOWS\system32\TosLaneAPI.dll (TosLaneApi/TOSHIBA CORPORATION.) 0x00750000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00770000
    Library C:\WINDOWS\system32\LCWizard.dll (Bluetooth Local COM Setup Wizard/TOSHIBA CORPORATION) 0x007E0000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\BtUsrMod.dll (BtUsrMod DLL/TOSHIBA CORPORATION) 0x00870000
    Library C:\WINDOWS\system32\TosHidAPI.dll (TosHidAPI/TOSHIBA CORPORATION.) 0x008B0000
    Library C:\WINDOWS\system32\TosGnsAPI.dll (TosGnsAPI/TOSHIBA CORPORATION.) 0x008D0000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\OemBtAcpiAPI.dll (TOSHIBA CORPORATION.) 0x01070000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtLoad.dll (TosBtLoad/TOSHIBA) 0x01240000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtAfh.dll 0x01670000

    Process C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (hpotdd01/Hewlett-Packard) 3448
    Library C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (hpotdd01/Hewlett-Packard) 0x00400000
    Library C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpodvd08.dll (hpodvd08/Hewlett-Packard) 0x10000000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxm08.dll (HP CUE Context Manager Objects/Hewlett-Packard Co.) 0x00D80000

    Process D:\Programs\WinZip\WZQKPICK.EXE (WinZip Executable/WinZip Computing, Inc.) 3480
    Library D:\Programs\WinZip\WZQKPICK.EXE (WinZip Executable/WinZip Computing, Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TosA2dp/TOSHIBA CORPORATION.) 3644
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TosA2dp/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosBtECCAPI.dll (TosBtECCAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003B0000
    Library C:\WINDOWS\system32\TosAvdtAPI.dll (TosAvdtAPI/TOSHIBA CORPORATION.) 0x004C0000
    Library C:\WINDOWS\system32\TosSndAPI.dll (TosSndAPI/TOSHIBA CORPORATION.) 0x003D0000
    Library C:\WINDOWS\system32\TosSndPlug.dll (TosSndPlug/TOSHIBA CORPORATION.) 0x00550000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.2/OpenOffice.org) 3660
    Library C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.2/OpenOffice.org) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org 3.2/OpenOffice.org) 3668
    Library C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org 3.2/OpenOffice.org) 0x00400000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\sal3.dll (OpenOffice.org) 0x10000000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\uwinapi.dll (OpenOffice.org) 0x00250000
    Library C:\Program Files\OpenOffice.org 3\program\sofficeapp.dll (OpenOffice.org) 0x00280000
    Library C:\Program Files\OpenOffice.org 3\program\comphelp4MSC.dll (OpenOffice.org) 0x002F0000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\cppuhelper3MSC.dll (OpenOffice.org) 0x01860000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\salhelper3MSC.dll (OpenOffice.org) 0x018E0000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\cppu3.dll (OpenOffice.org) 0x01900000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\stlport_vc7145.dll (STLport/STLport Consulting, Inc.) 0x01940000
    Library C:\Program Files\OpenOffice.org 3\program\ucbhelper4MSC.dll (OpenOffice.org) 0x019F0000
    Library C:\Program Files\OpenOffice.org 3\program\vos3MSC.dll (OpenOffice.org) 0x01A60000
    Library C:\Program Files\OpenOffice.org 3\program\i18nisolang1MSC.dll (OpenOffice.org) 0x01A90000
    Library C:\Program Files\OpenOffice.org 3\program\sfxmi.dll (OpenOffice.org) 0x01AB0000
    Library C:\Program Files\OpenOffice.org 3\program\fwemi.dll (OpenOffice.org) 0x01DD0000
    Library C:\Program Files\OpenOffice.org 3\program\fwimi.dll (OpenOffice.org) 0x01EC0000
    Library C:\Program Files\OpenOffice.org 3\program\utlmi.dll (OpenOffice.org) 0x01F30000
    Library C:\Program Files\OpenOffice.org 3\program\tlmi.dll (OpenOffice.org) 0x01FC0000
    Library C:\Program Files\OpenOffice.org 3\program\basegfxmi.dll (OpenOffice.org) 0x02050000
    Library C:\Program Files\OpenOffice.org 3\program\vclmi.dll (OpenOffice.org) 0x02100000
    Library C:\Program Files\OpenOffice.org 3\program\sotmi.dll (OpenOffice.org) 0x02410000
    Library C:\Program Files\OpenOffice.org 3\program\i18npapermi.dll (OpenOffice.org) 0x02470000
    Library C:\Program Files\OpenOffice.org 3\program\i18nutilMSC.dll (OpenOffice.org) 0x02490000
    Library C:\Program Files\OpenOffice.org 3\program\icuuc40.dll (IBM ICU Common DLL/IBM Corporation and others) 0x024C0000
    Library C:\Program Files\OpenOffice.org 3\program\icudt40.dll (ICU Data DLL/IBM Corporation and others) 0x025C0000
    Library C:\Program Files\OpenOffice.org 3\program\tkmi.dll (OpenOffice.org) 0x03320000
    Library C:\Program Files\OpenOffice.org 3\program\svlmi.dll (OpenOffice.org) 0x03530000
    Library C:\Program Files\OpenOffice.org 3\program\svtmi.dll (OpenOffice.org) 0x03600000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\jvmfwk3.dll (OpenOffice.org) 0x038E0000
    Library C:\Program Files\OpenOffice.org 3\program\libxml2.dll 0x03910000
    Library C:\Program Files\OpenOffice.org 3\program\sbmi.dll (OpenOffice.org) 0x03A20000
    Library C:\Program Files\OpenOffice.org 3\program\xcrmi.dll (OpenOffice.org) 0x03B80000
    Library C:\Program Files\OpenOffice.org 3\program\saxmi.dll (OpenOffice.org) 0x03C20000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\msci_uno.dll (OpenOffice.org) 0x04DB0000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\bootstrap.uno.dll (OpenOffice.org) 0x04DD0000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\reg3.dll (OpenOffice.org) 0x04E60000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\store3.dll (OpenOffice.org) 0x04E90000
    Library C:\Program Files\OpenOffice.org 3\program\configmgr2.uno.dll (OpenOffice.org) 0x052C0000
    Library C:\Program Files\OpenOffice.org 3\URE\bin\stocservices.uno.dll (OpenOffice.org) 0x05430000
    Library C:\Program Files\OpenOffice.org 3\program\sysmgr1.uno.dll (OpenOffice.org) 0x05480000
    Library C:\Program Files\OpenOffice.org 3\program\sax.uno.dll (OpenOffice.org) 0x069E0000
    Library C:\Program Files\OpenOffice.org 3\program\localebe1.uno.dll (OpenOffice.org) 0x06A20000
    Library C:\Program Files\OpenOffice.org 3\program\behelper.uno.dll (OpenOffice.org) 0x06A40000
    Library C:\Program Files\OpenOffice.org 3\program\ucb1.dll (OpenOffice.org) 0x07DB0000
    Library C:\Program Files\OpenOffice.org 3\program\fwkmi.dll (OpenOffice.org) 0x07E10000
    Library C:\Program Files\OpenOffice.org 3\program\ucpfile1.dll (OpenOffice.org) 0x07FC0000
    Library C:\Program Files\OpenOffice.org 3\program\oooimprovementmi.dll (OpenOffice.org) 0x08100000
    Library C:\Program Files\OpenOffice.org 3\program\oleautobridge.uno.dll (OpenOffice.org) 0x08AE0000
    Library C:\Program Files\OpenOffice.org 3\program\emsermi.dll (OpenOffice.org) 0x09E70000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.) 3676
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (TosBtHSP/TOSHIBA CORPORATION.) 3700
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (TosBtHSP/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosBtECCAPI.dll (TosBtECCAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00330000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003A0000
    Library C:\WINDOWS\system32\LCWizard.dll (Bluetooth Local COM Setup Wizard/TOSHIBA CORPORATION) 0x004C0000
    Library C:\WINDOWS\system32\TosSndAPI.dll (TosSndAPI/TOSHIBA CORPORATION.) 0x003C0000
    Library C:\WINDOWS\system32\TosSndPlug.dll (TosSndPlug/TOSHIBA CORPORATION.) 0x00550000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe (TosAVRC/TOSHIBA CORPORATION.) 3736
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe (TosAVRC/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosAvctAPI.dll (TosAvctAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003B0000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (tosOBEX/TOSHIBA CORPORATION.) 3784
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (tosOBEX/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x00330000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosNtfs.dll (SPANworks 2000/TOSHIBA Corporation) 0x00350000
    Library C:\WINDOWS\system32\LCWizard.dll (Bluetooth Local COM Setup Wizard/TOSHIBA CORPORATION) 0x00360000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe (Yahoo! Messenger Tray/Yahoo! Inc.) 3824
    Library C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe (Yahoo! Messenger Tray/Yahoo! Inc.) 0x00400000
    Library C:\Program Files\Yahoo!\Messenger\yui.dll 0x61420000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\Program Files\Yahoo!\Messenger\resources\en-US\res_msgr.dll (Resource Module/Yahoo! Inc.) 0x65000000

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\DRIVERS\AGRSM.sys (SoftModem Device Driver/Agere Systems) [MANUAL] AgereSoftModem
    Service C:\WINDOWS\system32\DRIVERS\athw.sys (Driver for Atheros Wireless Network Adapter/Atheros Communications, Inc.) [MANUAL] AR5416
    Service C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) [AUTO] Ati HotKey Poller
    Service C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) [MANUAL] ati2mtag
    Service Atierecord
    Service C:\ComboFix\catchme.sys [MANUAL] catchme
    Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc
    Service C:\Program Files\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc.) [AUTO] gupdate
    Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) [MANUAL] HDAudBus
    Service C:\WINDOWS\system32\DRIVERS\HPZid412.sys (IEEE-1284.4-1999 Driver (Windows 2000)/HP) [MANUAL] HPZid412
    Service C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (IEEE-1284.4-1999 Print Class Driver/HP) [MANUAL] HPZipr12
    Service C:\WINDOWS\system32\DRIVERS\HPZius12.sys (1284.4<->Usb Datalink Driver (Windows 2000)/HP) [MANUAL] HPZius12
    Service C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys (USB Modem/Serial Device Driver/Huawei Technologies Co., Ltd.) [MANUAL] hwdatacard
    Service C:\WINDOWS\System32\drivers\xjjppu.sys [BOOT] ihxvmfg
    Service C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) [MANUAL] IntcAzAudAddService
    Service C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService
    Service MSDTC Bridge 3.0.0.0
    Service C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2 Flash Memory Service/O2Micro International) [AUTO] o2flash
    Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink
    Service C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) [BOOT] PxHelp20
    Service C:\WINDOWS\system32\drivers\xgrvsrxhjfn.sys [BOOT] qcagqblgoxdjc
    Service C:\WINDOWS\system32\DRIVERS\rimmptsk.sys (RICOH SD Driver/REDC) [AUTO] rimmptsk
    Service C:\WINDOWS\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) [AUTO] rimsptsk
    Service C:\WINDOWS\system32\DRIVERS\risdptsk.sys (RICOH SD Driver/REDC) [MANUAL] risdptsk
    Service C:\WINDOWS\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) [AUTO] rismxdp
    Service C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) [MANUAL] RTHDMIAzAudService
    Service C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys (Realtek 10/100/1000 NDIS 5.1 Driver /Realtek Semiconductor Corporation ) [MANUAL] RTLE8023xp
    Service C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [AUTO] Secdrv
    Service ServiceModelEndpoint 3.0.0.0
    Service ServiceModelOperation 3.0.0.0
    Service ServiceModelService 3.0.0.0
    Service C:\WINDOWS\system32\DRIVERS\sffp_sd.sys (Small Form Factor SD Protocol Driver/Microsoft Corporation) [MANUAL] sffp_sd
    Service SMSvcHost 3.0.0.0
    Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys (Microsoft IP Test Driver/Microsoft Corporation) [MANUAL] streamip
    Service C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA Bluetooth Service/TOSHIBA CORPORATION) [AUTO] TOSHIBA Bluetooth Service
    Service C:\WINDOWS\system32\DRIVERS\tosporte.sys (TOSHIBA Bluetooth Port Emulation Driver/TOSHIBA Corporation) [MANUAL] tosporte
    Service C:\WINDOWS\system32\DRIVERS\tosrfbd.sys (Bluetooth RF Bus Driver/TOSHIBA CORPORATION) [MANUAL] tosrfbd
    Service C:\WINDOWS\System32\Drivers\tosrfbnp.sys (Bluetooth RFBNEP Driver/TOSHIBA Corporation) [MANUAL] tosrfbnp
    Service C:\WINDOWS\System32\Drivers\tosrfcom.sys (Bluetooth RFCOMM Driver/TOSHIBA Corporation) [SYSTEM] Tosrfcom
    Service C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys (Bluetooth HID Driver from TOSHIBA/TOSHIBA Corporation.) [MANUAL] Tosrfhid
    Service C:\WINDOWS\system32\DRIVERS\tosrfnds.sys (Bluetooth BNEP Driver/TOSHIBA Corporation.) [MANUAL] tosrfnds
    Service C:\WINDOWS\system32\drivers\tosrfsnd.sys (Bluetooth Audio Driver (WDM)/TOSHIBA Corporation) [MANUAL] TosRfSnd
    Service C:\WINDOWS\system32\DRIVERS\tosrfusb.sys (Bluetooth USB Miniport Driver/TOSHIBA CORPORATION) [MANUAL] tosrfusb
    Service Windows Workflow Foundation 3.0.0.0
    Service C:\WINDOWS\system32\drivers\lmjbc.sys [DISABLED] wzetfhaj

    ---- EOF - GMER 1.0.15 ----


    vvvvvvvvvvvvvvvvvvvv

about the at / delete and then having to type 'Y' you were correct, I had lacked the knowledge but I had imagined and had tried to type 'Y'

    vvvvvvvvvvvvvvvvvvvv

    changed screensaver, standby setting asf. to 'never'

    vvvvvvvvvvvvvvvvvvvv

I had been paying for a flight online, typing in my credit card information,
and had logged into a PayPal account shortly before my original post.
It had made me worry.
I had gone once to an internet cafe and logged into my PayPal and saw that there had not been any movement which was not mine.
I cannot change my credit card number though. Do you think that it is necessary to block my credit card? (would be a pain, since I do need it to pay for flights online very soon again)

public internet cafes here are not regarded as all that safe either.
to choose my password for PayPal I had typed random numbers and letters in a Word document and then copied and pasted those needed to make up my password one by one into its field

is this a good way to do it?
if so I will go to an internet cafe and also again change my mail password and save its password into a Word document (on an SD card) and copy and paste it on my computer when logging in, instead of typing it
does that make sense?

    vvvvvvvvvvvvvvvvvvv

    log result of reglooks:

    REGLOOKS logfile - version 0.988
    Scan started: Thu 02/03/2011 11:18:36.65

    --- INFORMATION ---

    Manufacturer: Micro-Star International - Model: MSI Notebook GX610
    Operating System: Microsoft Windows XP Professional -- 5.1.2600 -- Service Pack 2 --
    Install Date: 2/28/2010 1:40:25 PM
    Last Boot: 2/3/2011 7:25:58 AM
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-53

    Work Station
    Bootmode: Normal boot
    Total RAM: 2047 MB (free 1422 MB - 69%)

    Computername: ANDREAS
    Domain: WORKGROUP
    User: Administrator (Administrator account)

    Local Disk: C:\ - NTFS - 19 GB (free 4 GB)
    Local Disk: D:\ - NTFS - 129 GB (free 25 GB)
    CD \ DVD Drive: E:\
    Removable Disk: M:\ - FAT32 - 3 GB (free 2 GB)

    Bootdevice: \Device\HarddiskVolume1
    Systemdrive: C:
    Windowsdirectory: C:\WINDOWS
    Systemdirectory: C:\WINDOWS\system32


    Internet Explorer Version: 6.0.2900.2180

    Windows update:





    DEP: ONN - DEP is enabled for a limited number of binaries, the kernel, and all Windows-based services


    --- System Restore Points ---

    No System Restore Points available.


    --- SIGCHECK ---

    C:\WINDOWS\explorer.exe -- [1032192] -- [10/15/2005 10:37 AM] -- sigcheck OK
    C:\WINDOWS\system32\appmgmts.dll -- [167936] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\browser.dll -- [77312] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\comres.dll -- [792064] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\comctl32.dll -- [617472] -- [10/15/2005 10:37 AM] -- sigcheck OK
    C:\WINDOWS\system32\cryptsvc.dll -- [60416] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\es.dll -- [243200] -- [10/12/2005 06:55 PM] -- sigcheck OK
    C:\WINDOWS\system32\eventlog.dll -- [55808] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\ias.dll NOT found
    C:\WINDOWS\system32\imm32.dll -- [110080] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\kernel32.dll -- [983552] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\linkinfo.dll -- [19968] -- [10/12/2005 06:55 PM] -- sigcheck OK
    C:\WINDOWS\system32\lpk.dll -- [22016] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\lsass.exe -- [13312] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\mfc40u.dll -- [924432] -- [08/23/2001 06:30 PM] -- sigcheck OK
    C:\WINDOWS\system32\msgsvc.dll NOT found
    C:\WINDOWS\system32\mshtml.dll -- [3017728] -- [10/12/2005 06:44 PM] -- sigcheck OK
    C:\WINDOWS\system32\mspmsnsv.dll -- [27136] -- [10/18/2006 09:47 PM] -- sigcheck OK
    C:\WINDOWS\system32\mswsock.dll -- [245248] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\netlogon.dll -- [407040] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\netman.dll -- [197632] -- [10/12/2005 06:55 PM] -- sigcheck OK
    C:\WINDOWS\system32\ntkrnlpa.exe -- [2015744] -- [09/28/2005 06:35 PM] -- sigcheck OK
    C:\WINDOWS\system32\ntmssvc.dll -- [435200] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\ntoskrnl.exe -- [2136064] -- [09/28/2005 08:02 PM] -- sigcheck OK
    C:\WINDOWS\system32\pchsvc.dll NOT found
    C:\WINDOWS\system32\powrprof.dll -- [17408] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\qmgr.dll -- [382464] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\rasauto.dll -- [89088] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\regsvc.dll -- [59904] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\rpcss.dll -- [398336] -- [10/12/2005 06:55 PM] -- sigcheck OK
    C:\WINDOWS\system32\scecli.dll -- [180224] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\schedsvc.dll -- [190976] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\services.exe -- [108032] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\sfc.dll -- [5120] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\sfcfiles.dll -- sigcheck FAILED
    [C:\WINDOWS\system32\sfcfiles.dll] 9103FE3967CC3446A7BDE004ECA0B946 -- [1580544] -- [11/28/2005 06:12 PM]

    C:\WINDOWS\system32\spoolsv.exe -- [57856] -- [10/13/2005 11:06 PM] -- sigcheck OK
    C:\WINDOWS\system32\srsvc.dll -- [170496] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\ssdpsrv.dll -- [71680] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\svchost.exe -- [14336] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\tapisrv.dll -- [249344] -- [10/13/2005 11:06 PM] -- sigcheck OK
    C:\WINDOWS\system32\termsrv.dll -- [295424] -- [10/23/2005 02:47 PM] -- sigcheck OK
    C:\WINDOWS\system32\upnphost.dll -- [185344] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\user32.dll -- [577024] -- [10/13/2005 11:06 PM] -- sigcheck OK
    C:\WINDOWS\system32\userinit.exe -- [24576] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\wininet.dll -- [660480] -- [10/12/2005 06:44 PM] -- sigcheck OK
    C:\WINDOWS\system32\winlogon.exe -- [502272] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\ws2_32.dll -- [82944] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\wscntfy.exe NOT found
    C:\WINDOWS\system32\wuauclt.exe -- [124184] -- [06/15/2005 11:43 AM] -- sigcheck OK
    C:\WINDOWS\system32\xmlprov.dll -- [129536] -- [08/04/2004 02:56 AM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\acpiec.sys -- [11648] -- [08/17/2001 01:57 PM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\aec.sys -- [142464] -- [08/03/2004 10:39 PM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\asyncmac.sys -- [14336] -- [08/04/2004 01:05 AM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\atapi.sys -- [95616] -- [02/01/2011 02:57 AM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\beep.sys -- [4224] -- [08/23/2001 06:30 PM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\classpnp.sys -- [49664] -- [08/04/2004 01:14 AM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\disk.sys -- [36352] -- [08/03/2004 10:59 PM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\iaStor.sys NOT found
    C:\WINDOWS\system32\drivers\ip6fw.sys -- [29056] -- [08/04/2004 01:00 AM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\kbdclass.sys -- [24576] -- [08/03/2004 10:58 PM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\ndis.sys -- [182912] -- [08/04/2004 01:14 AM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\ntfs.sys -- [574592] -- [05/04/2005 10:29 PM] -- sigcheck OK
    C:\WINDOWS\system32\drivers\tcpip.sys -- [360448] -- [10/14/2005 06:47 PM] -- sigcheck OK


    --- SSODL regkeys ---

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: %SystemRoot%\system32\webcheck.dll -- [?]
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: C:\WINDOWS\system32\stobject.dll -- [121856] -- [08/04/2004 02:56 AM]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -- File: C:\WINDOWS\system32\WPDShServiceObj.dll -- [133632] -- [10/18/2006 09:47 PM]


    --- STS regkeys ---

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" -- File: %SystemRoot%\system32\browseui.dll -- [?]
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" -- File: %SystemRoot%\system32\browseui.dll -- [?]


    --- USERINIT regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    File: C:\WINDOWS\system32\userinit.exe -- [24576] -- [08/04/2004 02:56 AM]


    --- SHELL regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="explorer.exe"
    File: C:\WINDOWS\explorer.exe -- [1032192] -- [10/15/2005 10:37 AM]


    --- SYSTEM regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    --- APPINIT_DLLS regkey ---

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    no AppInit_DLLs regkey found


    --- NOTIFY regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    -- File: C:\WINDOWS\system32\Ati2evxx.dll -- [122880] -- [09/29/2007 09:57 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    -- File: avgrsstx.dll -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    -- File: C:\WINDOWS\system32\crypt32.dll -- [597504] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    -- File: C:\WINDOWS\system32\cryptnet.dll -- [63488] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    -- File: C:\WINDOWS\system32\cscdll.dll -- [101888] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    -- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    -- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    -- File: C:\WINDOWS\system32\sclgntfy.dll -- [20992] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    -- File: C:\WINDOWS\system32\WlNotify.dll -- [92672] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    -- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 02:56 AM]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    -- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 02:56 AM]


    --- RUN / LOAD regkeys ---

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "load"=""
    "Run"=""


    --- SHELLEXECUTEHOOKS regkey ---

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="" -- CLSID not found


    --- HKLM AUTORUN regkeys ---

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
    no AutoRun regkey found


    --- HKCU AUTORUN regkeys ---

    [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
    no AutoRun regkey found


    --- HKLM\RUN regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PHIME2002ASync" -- File: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC -- [?]
    "PHIME2002A" -- File: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName -- [?]
    "RTHDCPL" -- File: RTHDCPL.EXE -- [?]
    "Alcmtr" -- File: ALCMTR.EXE -- [?]
    "SCHelper.exe" -- File: C:\Program Files\Spyware Cease\SCHelper.exe -0 -- [?]
    "AGRSMMSG" -- File: AGRSMMSG.exe -- [?]
    "Malwarebytes' Anti-Malware (reboot)" -- File: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript -- [?]


    --- HKLM\RUNONCE regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    no runonce values found


    --- HKLM\RUNONCEEX regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
    no runonceex values found


    --- HKLM\RUNSERVICES regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    key not found


    --- HKLM\RUNSERVICESONCE regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    key not found


    --- HKCU\RUN regkey ---

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Free Download Manager" -- File: C:\Program Files\Free Download Manager\fdm.exe -autorun -- [?]
    "Messenger (Yahoo!)" -- File: "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet -- [?]
    "CTFMON.EXE" -- File C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [08/04/2004 02:56 AM]


    --- HKCU\RUNONCE regkey ---

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    no runonce values found


    --- HKCU\RUNONCEEX regkey ---

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
    key not found


    --- HKCU\RUNSERVICES regkey ---

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    key not found


    --- HKCU\RUNSERVICESONCE regkey ---

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    key not found


    --- HKU\.DEFAULT\Run regkeys - Default user ---

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE" -- File C:\WINDOWS\system32\CTFMON.EXE -- [15360] -- [08/04/2004 02:56 AM]
    "Free Download Manager" -- File: C:\Program Files\Free Download Manager\fdm.exe -autorun -- [?]
    "AMService" -- File -- C:\WINDOWS\TEMP\snje\setup.exe -- [X]


    --- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE" -- File C:\WINDOWS\system32\CTFMON.EXE -- [15360] -- [08/04/2004 02:56 AM]
    "Free Download Manager" -- File: C:\Program Files\Free Download Manager\fdm.exe -autorun -- [?]
    "AMService" -- File -- C:\WINDOWS\TEMP\snje\setup.exe -- [X]


    --- HKU\S-1-5-19\Run regkeys - User Lokale service ---

    [HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    key not found


    --- HKU\S-1-5-20\Run regkeys - User Lokale service ---

    [HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    key not found


    --- HKLM\Explorer\Run regkeys ---

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    key not found


    --- HKCU\Explorer\Run regkeys ---

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    key not found


    --- Image File Execution regkeys ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    no debuggers found


    --- BROWSER HELPER OBJECTS regkeys ---

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281DBD51-6882-73D6-2D72-5160CD6080D2}]
    -- File: c:\windows\system32\cpwwlpgw.dll -- [726016] -- [01/24/2011 10:51 PM]
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    -- CLSID not found
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    -- File: C:\Program Files\Java\jre6\bin\jp2ssv.dll -- [41760] -- [09/15/2010 11:20 AM]
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    -- File: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll -- [79648] -- [09/15/2010 11:20 AM]


    --- TOOLBAR regkeys ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    no toolbars found


    --- HKLM\URLSEARCHHOOKS regkeys ---

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
    key not found


    --- HKCU\URLSEARCHHOOKS regkeys ---

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    no urlsearchhooks found


    --- SRCEENSAVER regkey ---

    [HKEY_CURRENT_USER\Control Panel\Desktop]
    scrnsave.exe value not found


    --- ALTERNATESHELL regkey ---

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
    File: C:\WINDOWS\system32\cmd.exe -- [388608] -- [08/04/2004 02:56 AM]


    --- SECURITYPROVIDERS regkey ---

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    File: C:\WINDOWS\system32\msapsspc.dll -- [86016] -- [08/04/2004 02:56 AM]
    File: C:\WINDOWS\system32\schannel.dll -- [144896] -- [08/04/2004 02:56 AM]
    File: C:\WINDOWS\system32\digest.dll -- [68608] -- [08/04/2004 02:56 AM]
    File: C:\WINDOWS\system32\msnsspc.dll -- [290816] -- [08/04/2004 02:56 AM]


    --- Active Setup\Installed Components regkey ---

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    -- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    -- File: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    -- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    -- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    -- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    -- File: C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install -- [?]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
    -- filepath not found


    --- Services regkey ---

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp480n5]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpu160m]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]
    -- File: system32\drivers\aec.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78u2]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78xx]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AR5416]
    -- File: system32\DRIVERS\athw.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3350p]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state]
    -- File: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
    -- File: system32\DRIVERS\atapi.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati2mtag]
    -- File: system32\DRIVERS\ati2mtag.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Atierecord]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\audstub]
    -- File: system32\DRIVERS\audstub.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate]
    -- File: "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwdatacard]
    -- File: system32\DRIVERS\ewusbmdm.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omgmt]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omp]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
    -- File: system32\DRIVERS\i8042prt.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc]
    -- File: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" -- [741376] -- [10/30/2006 03:33 AM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ihxvmfg]
    -- File: System32\drivers\xjjppu.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetaccs]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ini910u]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isapnp]
    -- File: system32\DRIVERS\isapnp.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService]
    -- File: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lvdgwgcb]
    -- File: %SystemRoot%\System32\svchost.exe -k netsvcs -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing]
    -- File: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -- [122880] -- [10/30/2006 03:34 AM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\o2flash]
    -- File: "C:\Program Files\O2Micro Oz128 Driver\o2flash.exe" -- [65536] -- [02/12/2007 04:43 PM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394]
    -- File: system32\DRIVERS\ohci1394.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose]
    -- File: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" -- [89136] -- [07/28/2003 12:28 PM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qcagqblgoxdjc]
    -- File: system32\drivers\xgrvsrxhjfn.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\risdptsk]
    -- File: system32\DRIVERS\risdptsk.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RTHDMIAzAudService]
    -- File: system32\drivers\RtHDMI.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RTLE8023xp]
    -- File: system32\DRIVERS\Rtenicxp.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TOSHIBA Bluetooth Service]
    -- File: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- [125048] -- [02/25/2007 09:55 PM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ultra]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
    -- File: %SystemRoot%\system32\svchost.exe -k LocalService -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp]
    -- File: system32\DRIVERS\usbccgp.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbehci]
    -- File: system32\DRIVERS\usbehci.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub]
    -- File: system32\DRIVERS\usbhub.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci]
    -- File: system32\DRIVERS\usbohci.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint]
    -- File: system32\DRIVERS\usbprint.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbvideo]
    -- File: System32\Drivers\usbvideo.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wzetfhaj]
    -- File: \SystemRoot\system32\drivers\lmjbc.sys -- [?]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpkihsl]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{66B180F7-6739-4114-9E2A-FA21C90FA1CD}]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6B271B4D-B684-48DE-8712-8DBE2D19D583}]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7D393FA9-1984-4723-BF2F-4CB10314EC26}]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7D751FBF-E351-46CF-BCE8-723579A5E6C1}]
    -- filepath not found
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{D127D614-87C8-4E0E-847A-32207733D00C}]
    -- filepath not found


    --- SAFEBOOT MINIMAL SERVICES ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    klmdb.sys
    PEVSystemStart
    procexp90.Sys


    --- SAFEBOOT Network SERVICES ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
    DnsCache
    klmdb.sys
    PEVSystemStart
    procexp90.Sys


    --- BOOTEXECUTE regkey ---

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"= autocheck autochk *\0\0


    --- PENDINGFILERENAMEOPERATIONS regkey ---

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    PendingFileRenameOperations key not found


    --- WOW-CMDLINE regkeys ---

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
    "cmdline" = %SystemRoot%\system32\ntvdm.exe
    "cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


    --- NETSVCS regkey ---

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
    0lvdgwgcb
    0WmdmPmSN
    0xpkihsl


    --- DNS SERVER regkeys ---

    no "NameServer" values found


    --- HKCU SEARCHSCOPE ---

    DefaultScope= {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}

    HKEY_CURRENT_USER\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}
    URL REG_SZ http://websearch.ask.com/redirect?client=ie&tb=BT5&o=&src=crm&q={searchTerms}&locale=



    --- HKLM SEARCHSCOPE ---



    --- File associations ---

    .BAT files: ("%1" %*)
    .COM files: ("%1" %*)
    .EXE files: ("%1" %*)
    .HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
    .INF files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
    .INI files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
    .JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
    .PIF files: ("%1" %*)
    .REG files: (regedit.exe "%1")
    .SCR files: ("%1" /S)
    .TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
    .VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


    --- STARTUP FOLDERS ---

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini -- [84] -- [02/28/2010 01:37 PM]
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -- [659] -- [02/01/2011 01:28 PM]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk -- [715] -- [03/01/2010 02:21 PM]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini -- [84] -- [02/28/2010 01:37 PM]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -- [605] -- [01/25/2011 06:15 PM]
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [02/28/2010 01:37 PM]
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [02/28/2010 01:37 PM]


    --- TASK SCHEDULER JOBS ---

    C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job -- [896] -- [02/03/2011 02:48 AM]
    C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job -- [900] -- [02/03/2011 03:48 AM]


    Scan completed: Thu 02/03/2011 11:20:38.59
    FINISHED


    vvvvvvvvvvvvvvvvvv

    systemlook find:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 11:26 on 03/02/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "amService.exe"
    No files found.

    -= EOF =-


    vvvvvvvvvvvvvvvvvv

    Note: I have been using my notebook too much again; I thought offline use was not dangerous.
    Thank you for the reminder to keep use to a bare minimum.
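
As an added example (not from this thread and not part of the tool that produced the log), a small Python triage script that parses the section layout of the autorun log above and flags the kinds of entries the moderator's removal steps go after: autorun values that point into TEMP or to a missing file, netsvcs group members that are not in a baseline, BHO CLSIDs with no server on disk, and a SafeBoot AlternateShell that is no longer cmd.exe. The netsvcs baseline and the handling of the digit prefix on netsvcs members are assumptions made for the example.

```python
import re

# Constructed excerpt in the layout of the autorun log posted above. The entries are
# copied from that log; the baseline and the checks below are added for this example.
SAMPLE_LOG = r"""
--- HKU\.DEFAULT\Run regkeys - Default user ---
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\system32\CTFMON.EXE -- [15360] -- [08/04/2004 02:56 AM]
"AMService" -- File -- C:\WINDOWS\TEMP\snje\setup.exe -- [X]
--- BROWSER HELPER OBJECTS regkeys ---
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281DBD51-6882-73D6-2D72-5160CD6080D2}]
-- File: c:\windows\system32\cpwwlpgw.dll -- [726016] -- [01/24/2011 10:51 PM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
-- CLSID not found
--- ALTERNATESHELL regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
File: C:\WINDOWS\system32\cmd.exe -- [388608] -- [08/04/2004 02:56 AM]
--- NETSVCS regkey ---
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0lvdgwgcb
0WmdmPmSN
0xpkihsl
"""

# Assumption: an illustrative (not exhaustive) baseline of services that belong to the
# netsvcs svchost group on a clean XP install; unknown members are leads, not verdicts.
KNOWN_NETSVCS = {"appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "eventsystem",
                 "lanmanserver", "lanmanworkstation", "netman", "nla", "rasman", "schedule",
                 "seclogon", "sens", "sharedaccess", "srservice", "tapisrv", "themes", "trkwks",
                 "w32time", "wmdmpmsn", "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "xmlprov"}

SECTION_RE = re.compile(r"^--- (.+?) ---$")
TEMP_RE = re.compile(r"\\temp\\|\\temporary internet files\\", re.I)

def parse_sections(text):
    """Split the log into {section title: [non-empty lines]} on its '--- X ---' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    """Apply four defender-side checks to a parsed log; returns [(check, detail), ...]."""
    secs, findings = parse_sections(text), []
    # 1. Autorun values whose image is missing ([X]) or lives under a temp directory.
    for title, lines in secs.items():
        if "RUN" not in title.upper():
            continue
        for ln in lines:
            if ln.startswith('"') and (ln.endswith("[X]") or TEMP_RE.search(ln)):
                findings.append(("suspicious autorun", ln.split(" -- ")[0].strip('"')))
    # 2. netsvcs members outside the baseline. Assumption: the tool prefixes each member
    #    with a digit (as in the posted log), so leading digits are stripped before lookup.
    for ln in secs.get("NETSVCS regkey", []):
        if not ln.startswith("["):
            name = ln.lstrip("0123456789")
            if name.lower() not in KNOWN_NETSVCS:
                findings.append(("unknown netsvcs member", name))
    # 3. BHO CLSIDs registered with Explorer but with no COM server to resolve.
    bho = secs.get("BROWSER HELPER OBJECTS regkeys", [])
    for key, detail in zip(bho, bho[1:]):
        if key.startswith("[") and "CLSID not found" in detail:
            findings.append(("orphaned BHO", key.rsplit("\\", 1)[-1].rstrip("]")))
    # 4. SafeBoot AlternateShell must still point at cmd.exe.
    for ln in secs.get("ALTERNATESHELL regkey", []):
        if ln.startswith("File:") and not ln.lower().split(" -- ")[0].endswith("\\cmd.exe"):
            findings.append(("AlternateShell replaced", ln))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four leads from the excerpt; feed it the full log text to see the same checks over every section.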

  6. #16
    Forum user
    Joined
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    Something I discovered that I wanted to mention:

    When running the scan I saw that it scans a lot of files in: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5

    Is that content browsed with Internet Explorer?
    If so, that is surprising, because I almost exclusively used Firefox, and looking at the thumbnails of the contents of these folders, which come to about 150 MB in 11,000 files, I do not recognize any of the content; I think I never browsed these sites.

  7. #17
    Moderator (global) Team member
    Joined
    25.11.2006
    Posts
    5.949

    Re: Re: google redirect, taskbar changes appearance + usb internet connection down et

    A bit naive using the type of scan check to track down debuggers in processes, but it sure provided a nice array of what we will be taking out once some files are available. Quite a few MS programs also use IE, which can account for some of why IE generates temp files. There are other issues as well, but let's address all that once the infection is shown the door.

    There are some essential system files we need to replace, but you only having Service Pack 2 makes things tougher, should no clean copies exist on your system. Once we have those copies, we can move on all this garbage the purse thief malware coders created.

    Run jpshortstuff's SystemLook again, using this script this time:

    Code:
    :filefind
    wscntfy.exe
    sfcfiles.dll
    msgsvc.dll
    Post that log after the scan is completed please.

    On the chance no usable copies exist there, you should also ask (via email perhaps) family friends who still have XP SP2 for copies of those files. They should find them in the C:\WINDOWS\system32 folder:

    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\sfcfiles.dll
    C:\WINDOWS\system32\msgsvc.dll


    XP Service Pack 2 though, so make sure they understand. If someone has them, see if they can send them to you as email attachments. Then let me know in your next reply please.
    Live the day!

    Jintan - the brand where everything is right!

  8. #18
    Forum user
    Joined
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    Ha, still going strong, thanks!

    OK, here is the new SystemLook:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 12:53 on 04/02/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "wscntfy.exe"
    No files found.

    Searching for "sfcfiles.dll"
    C:\WINDOWS\system32\sfcfiles.dll --a---- 1580544 bytes [11:12 28/11/2005] [11:12 28/11/2005] 9103FE3967CC3446A7BDE004ECA0B946

    Searching for "msgsvc.dll"
    No files found.

    -= EOF =-



    About the files I need:
    I cannot think of anyone to send them to me right now;
    however, I do have a RAR archive with the files to make a bootable CD to reinstall XP,
    but I suspect that can only be used to reinstall the OS and wouldn't provide the files?

  9. #19
    Forum user
    Joined
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    Just received the three files!
    I have not pasted them to their correct location yet; I will wait for your instructions.

  10. #20
    Moderator (global) Team member
    Joined
    25.11.2006
    Posts
    5.949

    Re: Re: google redirect, taskbar changes appearance + usb internet connection down et

    Good news. Let's see what we can change. A mention that this next, fairly aggressive removal/change step is not without risk; however, you do have a recent ERUNT backup you made, and the steps already done were also not without risk.


    Be sure to continue to temporarily disable any protective software when running the scan tools we use here.



    Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

    Code:
    KillAll::
    Save this to your desktop as CFScript.txt (save it to the same location ComboFix's file is). Leave that for the moment.

    ---------------------

    Download The Avenger by Swandog from here and save it to your Desktop, and unzip the downloaded avenger.zip file. Then, in the new avenger folder created, locate and click on avenger.exe to run the tool.

    Okay the warning. When the Avenger display opens place a check in the following box:

    Automatically disable any rootkits found

    Then copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

    Code:
    Begin copying here:
    Drivers to delete:
    lvdgwgcb
    xpkihsl
    qcagqblgoxdjc
    wzetfhaj
    ihxvmfg
    Files to move:
    c:\wscntfy.exe | C:\WINDOWS\system32\wscntfy.exe
    c:\sfcfiles.dll | C:\WINDOWS\system32\sfcfiles.dll
    c:\msgsvc.dll | C:\WINDOWS\system32\msgsvc.dll
    Files to delete:
    c:\windows\system32\cpwwlpgw.dll
    C:\WINDOWS\System32\drivers\xjjppu.sys
    c:\windows\system32\drivers\lmjbc.sys
    c:\windows\system32\drivers\xgrvsrxhjfn.sys
    C:\WINDOWS\system32\tiusetr.dll
    Folders to delete:  
    C:\Program Files\Spyware Cease
    C:\WINDOWS\TEMP\snje
    C:\WINDOWS\TEMP\nrmo
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SCHelper.exe
    Registry keys to delete:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281DBD51-6882-73D6-2D72-5160CD6080D2}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
    Registry values to replace with dummy: 
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
    Your system may reboot twice to complete the repairs. After the reboot a text will open - just close that at that time. The log can also be found at C:\avenger.txt.

    ----------

    Then locate and left click/hold on the CFScript.txt file you made earlier, and drag it into ComboFix to start the scan.

    ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    Post that and the Avenger log please.
    Live the day!

    Jintan - the brand where everything is right!
