
HijackThis Log


  • This topic is locked
28 replies to this topic

#1 I8myComp

  • Members
  • 15 posts

Posted 04 November 2008 - 12:34 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:58 AM, on 11/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.southparkstudios.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160099314636
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160099522448
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...405/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0084761225699750) (0084761225699750mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\ANDREN~1\LOCALS~1\Temp\008476~1.EXE
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10024 bytes


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 November 2008 - 11:50 AM

Hello, I8myComp
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTViewIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
We need to scan for rootkits with GMER
  • Please download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    Note: There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
  • Click on the "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 I8myComp

  • Topic Starter
  • Members
  • 15 posts

Posted 18 November 2008 - 07:36 AM

OTViewIt logfile created on: 11/18/2008 6:32:41 AM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Andre Novack\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.54 Mb Total Physical Memory | 476.62 Mb Available Physical Memory | 49.72% Memory free
2.26 Gb Paging File | 1.60 Gb Available in Paging File | 70.64% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.00 Gb Total Space | 4.70 Gb Free Space | 4.74% Space Free | Partition Type: NTFS
Drive D: | 11.75 Gb Total Space | 1.37 Gb Free Space | 11.67% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 142.88 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDRE-DV2125NR
Current User Name: Andre Novack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
[2005/08/05 22:56:34 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehtray.exe
[2006/05/03 23:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
[2006/06/16 23:22:46 | 00,794,713 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2004/09/16 16:15:00 | 00,538,112 | ---- | M] (Lavasoft Sweden) -- C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
[2006/03/20 16:34:50 | 00,213,936 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[2007/05/08 14:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[2006/11/03 18:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
[2006/10/18 14:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
[2008/02/22 09:33:00 | 00,104,960 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
[2007/10/09 16:21:02 | 00,124,280 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
[2006/10/09 10:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehrecvr.exe
[2005/08/05 22:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe
[2006/08/24 12:40:00 | 00,143,427 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2008/04/13 18:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe
[2005/08/05 22:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
[2006/05/02 16:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
[2008/04/13 18:12:27 | 00,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe
[2005/08/05 22:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehmsas.exe
[2008/04/13 18:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2002/10/03 14:40:14 | 00,334,336 | ---- | M] (Groom-A-Zebu ™ ) -- C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
[2008/07/23 18:52:06 | 00,206,112 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
[2008/06/21 12:39:08 | 00,792,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
[2008/07/18 08:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
[2008/07/11 18:48:54 | 00,641,208 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
[2008/07/09 14:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
[2008/06/20 05:01:18 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
[2008/06/20 05:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
[2008/07/09 17:36:30 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
[2006/03/15 22:00:00 | 00,138,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sndvol32.exe
[2008/11/15 12:58:14 | 07,676,528 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/03/28 13:03:56 | 00,530,944 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
[2008/11/16 18:13:41 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andre Novack\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/02/22 09:33:00 | 00,104,960 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon [Auto | Running])
[2006/06/12 14:27:28 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr [Disabled | Stopped])
[2007/09/06 11:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
[2004/07/15 10:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/10/09 16:21:02 | 00,124,280 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe -- (Basics Service [Auto | Running])
File not found -- -- (CLTNetCnService [Disabled | Stopped])
[2006/10/09 10:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehrecvr.exe -- (ehRecvr [Auto | Running])
[2005/08/05 22:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe -- (ehSched [Auto | Running])
[2007/01/03 19:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Disabled | Stopped])
[2006/05/02 16:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Running])
[2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [Disabled | Stopped])
[2007/09/26 12:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2007/08/23 15:40:48 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Disabled | Stopped])
File not found -- -- (McAfeeFramework [Unknown | Stopped])
[2005/08/05 22:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
[2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Disabled | Stopped])
[2006/11/13 13:02:08 | 00,076,544 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe -- (MgiSvr [Auto | Stopped])
[2008/04/13 18:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe -- (MSMQ [Auto | Running])
[2008/04/13 18:12:27 | 00,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe -- (MSMQTriggers [Auto | Running])
[2006/08/24 12:40:00 | 00,143,427 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])
[2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Disabled | Stopped])
[2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
[2006/10/18 14:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Disabled | Stopped])
[2008/06/21 12:39:08 | 00,792,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
[2008/07/18 08:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
[2008/07/09 14:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
[2008/06/20 13:10:22 | 00,361,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
[2008/06/20 05:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
[2008/06/20 05:01:18 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
[2008/07/09 17:36:30 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService [Auto | Running])
[2008/07/23 18:52:06 | 00,206,112 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
[2008/10/08 14:15:46 | 00,315,264 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\temp\0003311226429764mcinst.exe -- (0003311226429764mcinstcleanup [Auto | Stopped])

========== Driver Services ==========

[2006/05/08 18:10:44 | 00,347,648 | ---- | M] (D-Link Corporation) -- C:\WINDOWS\system32\drivers\A5AGU.sys -- (A5AGU [On_Demand | Stopped])
[2006/11/10 14:05:00 | 00,018,688 | ---- | M] (Arcsoft, Inc.) -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc [On_Demand | Running])
[2001/08/17 22:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Boot | Running])
[2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Disabled | Stopped])
[2006/06/19 00:37:34 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8 [System | Running])
[2007/07/02 14:08:08 | 00,015,616 | ---- | M] (ArcSoft, Inc.) -- C:\WINDOWS\system32\drivers\ArcSoftVirtualCapture.sys -- (ARCSOFTVIRTUALCAPTURE [On_Demand | Running])
[2001/08/17 22:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])
[2001/08/17 22:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2006/04/28 11:12:00 | 00,429,184 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX [On_Demand | Running])
[2001/08/17 22:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2001/08/17 22:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2005/09/19 15:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr [System | Running])
[2005/09/19 15:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb [On_Demand | Stopped])
[2006/03/01 17:54:48 | 00,003,456 | ---- | M] () -- C:\SWSetup\SP38062\winphlash\FLASH1.sys -- (Flash1 [On_Demand | Stopped])
[2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2006/10/11 22:23:12 | 00,029,184 | ---- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\drivers\goprot51.sys -- (GoProto [On_Demand | Stopped])
[2005/09/19 15:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey [On_Demand | Running])
[2006/08/24 14:05:32 | 00,594,432 | ---- | M] (Conexant Systems Inc.) -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService [On_Demand | Running])
[2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2006/08/29 08:11:08 | 00,208,384 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
[2006/08/29 08:12:28 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005/10/13 03:07:12 | 00,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Disabled | Stopped])
[2008/04/13 12:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2007/01/19 05:57:29 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
[2006/06/19 08:26:58 | 00,012,672 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2008/04/13 12:39:44 | 00,092,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC [On_Demand | Running])
[2001/08/17 22:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2006/08/24 12:40:00 | 03,661,184 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2006/01/27 09:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata [Boot | Running])
[2006/03/03 09:31:02 | 00,034,176 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
[2006/03/03 09:31:04 | 00,013,056 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
[2006/03/06 08:49:36 | 00,011,136 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu [On_Demand | Running])
[2006/03/15 22:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2006/09/27 15:53:22 | 00,036,560 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2001/08/17 22:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2001/08/17 22:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2001/08/17 22:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2005/11/16 21:28:32 | 00,028,928 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk [On_Demand | Running])
[2005/12/22 18:02:22 | 00,051,840 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk [On_Demand | Running])
[2005/11/01 19:08:00 | 00,308,992 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp [On_Demand | Running])
[2008/05/08 08:02:52 | 00,203,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST [On_Demand | Running])
[2004/08/04 00:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139 [On_Demand | Stopped])
[2007/01/20 01:11:07 | 00,031,644 | ---- | M] (PowerISO Computing, Inc.) -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu [System | Running])
[2008/04/13 12:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2008/04/13 12:40:47 | 00,011,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sffdisk.sys -- (sffdisk [On_Demand | Stopped])
[2008/04/13 12:40:47 | 00,011,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sffp_sd.sys -- (sffp_sd [On_Demand | Stopped])
[2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Disabled | Stopped])
[2001/08/17 11:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2001/08/17 23:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2008/03/26 03:53:36 | 00,717,296 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [Boot | Running])
[2001/08/17 23:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001/08/17 23:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2001/08/17 23:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2001/08/17 23:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2006/06/16 22:40:56 | 00,193,120 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2001/08/17 22:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])
[2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
[2008/04/13 12:46:20 | 00,121,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbvideo.sys -- (usbvideo [On_Demand | Running])
[2006/08/29 08:10:56 | 00,728,576 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/13 12:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
File not found -- -- (X4HSX32 [Unknown | Running])
[2008/06/27 06:08:40 | 00,207,656 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
[2008/06/20 05:41:38 | 00,034,152 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Running])
[2008/06/02 14:55:42 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [System | Running])
[2008/06/27 06:08:40 | 00,079,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2008/06/27 06:08:40 | 00,035,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2008/06/27 06:08:40 | 00,040,488 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
File not found -- -- (SAVOnAccess Filter [Unknown | Running])
File not found -- -- (SAVOnAccess Control [Unknown | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.southparkstudios.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\PE_C_ADMINISTRATOR\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

[HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\PE_C_ALL USERS\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.southparkstudios.com/

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (267901 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 123topsearch.com
127.0.0.1 www.123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 136136.net
127.0.0.1 www.136136.net
9277 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (HKLM) -- C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" (Lavasoft Sweden)
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" (Maxtor Corporation)
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe ()
"ehTray"=C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler (Macrovision Corporation)
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup (Macrovision Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (Macrovision Corporation)
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey File not found
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
"MsmqIntCert"=regsvr32 /s mqrt.dll (Microsoft Corporation)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"RecGuard"=C:\Windows\SMINST\RecGuard.exe ()
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized ()
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"Uniblue SpeedUpMyPC"=C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s (Uniblue Software)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (Microsoft Corporation)

[HKEY_USERS\PE_C_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized ()
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"Uniblue SpeedUpMyPC"=C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s (Uniblue Software)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

========== (O4) Startup Folders ==========

File not found -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
[2002/02/14 16:13:22 | 00,323,584 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
File not found -- C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoCDBurning"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.mss -- File not found
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.the -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\PE_C_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2007/07/23 00:02:06 | 10,290,008 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2007/07/23 00:02:06 | 10,290,008 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2007/07/23 00:02:06 | 10,290,008 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\PE_C_ALL USERS\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2007/07/23 00:02:06 | 10,290,008 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2007/07/23 00:02:06 | 10,290,008 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [2007/07/12 03:00:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}: Button: AIM -- %ProgramFiles%\AIM\aim.exe [2006/08/01 13:35:36 | 00,067,112 | ---- | M] (America Online, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 13:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [Sun Java Console] -> [2007/07/12 03:00:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> %ProgramFiles%\AIM\aim.exe [AIM] -> [2006/08/01 13:35:36 | 00,067,112 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [Sun Java Console] -> [2007/07/12 03:00:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> %ProgramFiles%\AIM\aim.exe [AIM] -> [2006/08/01 13:35:36 | 00,067,112 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [Sun Java Console] -> [2007/07/12 03:00:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> %ProgramFiles%\AIM\aim.exe [AIM] -> [2006/08/01 13:35:36 | 00,067,112 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [Sun Java Console] -> [2007/07/12 03:00:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> %ProgramFiles%\AIM\aim.exe [AIM] -> [2006/08/01 13:35:36 | 00,067,112 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
46 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\PE_C_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
45 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
47 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}: http://go.microsoft.com/fwlink/?linkid=58813 -- Office Genuine Advantage Validation Tool
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1160099314636 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftupdat...b?1160099522448 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_09
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}: http://download.mcafee.com/molbin/iss-loc/...405/mcfscan.cab -- McFreeScan Class

========== (O17) DNS Name Servers ==========

{2926CA84-F9E8-4443-B293-B7FA0D253E6E} (Servers: | Description: 1394 Net Adapter)
{3079BC0C-6615-4229-B14C-407F0BBA199F} (Servers: | Description: 1394 Net Adapter)
{777F13F8-4E2D-4CEF-AF9B-2CC7C32D6650} (Servers: | Description: NVIDIA nForce Networking Controller)
{BB9FACE3-0CDD-4360-9108-E9085B629DA4} (Servers: | Description: 1394 Net Adapter)
{F0C9CDCE-B6A9-4A9D-9110-F6FFF5A5EC49} (Servers: | Description: )
{FC0775D0-B53B-470F-8E82-9C97FE78D873} (Servers: | Description: Broadcom 802.11b/g WLAN)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" (HKLM) -- C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2001/07/27 22:07:38 | 00,000,000 | -HS- | M] () -- D:\AUTOEXEC.BAT -- [ FAT32 ]

Autorun.inf [[AUTORUN] | ShellExecute=Info.exe protect.ed 480 480 | ]
[2004/04/30 14:01:14 | 00,000,053 | -HS- | M] () -- D:\Autorun.inf -- [ FAT32 ]

autorun.exe [MZ | ]
[2002/02/12 04:23:58 | 00,397,312 | R--- | M] () -- G:\autorun.exe -- [ CDFS ]

autorun.inf [[AutoRun] | open=autorun.exe | icon=eyeQ.ico | ]
[2001/12/06 19:31:32 | 00,000,042 | R--- | M] () -- G:\autorun.inf -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2397a90a-fbc8-11dc-8ffb-0016d31193af}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2397a90a-fbc8-11dc-8ffb-0016d31193af}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2397a90a-fbc8-11dc-8ffb-0016d31193af}\Shell\AutoRun\command]
""=G:\autorun.exe -- [2002/02/12 04:23:58 | 00,397,312 | R--- | M] ()


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c3842047-a5c2-11dd-903d-0014a5e6112d}\Shell\AutoRun\command]
""=F:\autorun.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2008/11/18 06:29:07 | 00,063,906 | ---- | C] () -- C:\Documents and Settings\Andre Novack\Desktop\topic178021.html
[2008/11/17 22:04:48 | 00,031,973 | ---- | C] () -- C:\Documents and Settings\Andre Novack\Desktop\For Andre.docx
[2008/11/16 18:14:09 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Andre Novack\Desktop\gmer.zip
[2008/11/16 18:13:44 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Andre Novack\Desktop\OTViewIt.exe
[2008/11/13 21:18:39 | 07,997,520 | ---- | C] () -- C:\Documents and Settings\Andre Novack\Desktop\03 What You Want.m4p
[2008/11/11 14:16:13 | 00,018,944 | ---- | C] () -- C:\Documents and Settings\Andre Novack\My Documents\Andre's Finances.xls
[2008/11/11 10:32:33 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Andre Novack\Desktop\Spybot - Search & Destroy.lnk
[2008/11/04 11:22:07 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Andre Novack\Desktop\HijackThis.lnk
[2008/11/04 11:22:07 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/03 23:46:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Sophos
[2008/11/03 23:37:48 | 00,000,000 | ---D | C] -- C:\Sophos Threat Detection Test SA
[2008/11/03 02:12:09 | 00,009,257 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2008/11/03 02:11:34 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2008/11/03 02:11:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2008/11/03 02:09:19 | 00,079,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2008/11/03 02:09:19 | 00,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2008/11/03 02:09:19 | 00,035,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2008/11/03 02:09:16 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2008/11/03 02:09:01 | 00,000,354 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2008/11/03 02:09:00 | 00,000,346 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2008/11/03 02:08:47 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2008/11/03 02:08:46 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2008/11/03 02:08:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2008/11/03 02:08:34 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2008/11/03 01:51:43 | 00,034,152 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2008/11/03 01:29:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2008/11/03 00:06:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/10/31 01:51:38 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Andre Novack\My Documents\Wizard of Oz.doc
[2008/10/23 20:38:55 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008/10/23 20:14:44 | 00,000,959 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Pirates of the Caribbean Online.lnk
[2008/10/19 21:55:12 | 00,000,000 | ---D | C] -- C:\QUARANTINE
[2008/10/19 21:32:03 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2008/10/19 21:28:53 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender

========== Files - Modified Within 30 Days ==========

[10 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/11/18 06:29:08 | 00,063,906 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Desktop\topic178021.html
[2008/11/18 02:07:26 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2008/11/17 22:05:11 | 00,031,973 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Desktop\For Andre.docx
[2008/11/17 22:03:00 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2008/11/17 21:58:43 | 00,009,257 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2008/11/16 18:14:08 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Desktop\gmer.zip
[2008/11/16 18:13:41 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andre Novack\Desktop\OTViewIt.exe
[2008/11/16 01:01:07 | 00,000,354 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2008/11/13 22:05:38 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/13 21:37:48 | 07,997,520 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Desktop\03 What You Want.m4p
[2008/11/13 16:27:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008/11/12 20:14:32 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[2008/11/11 18:11:39 | 00,018,944 | ---- | M] () -- C:\Documents and Settings\Andre Novack\My Documents\Andre's Finances.xls
[2008/11/11 10:32:33 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Desktop\Spybot - Search & Destroy.lnk
[2008/11/09 21:28:41 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2008/11/04 11:22:07 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Desktop\HijackThis.lnk
[2008/11/04 11:15:30 | 00,391,638 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/04 11:15:30 | 00,056,124 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/04 11:15:29 | 00,453,442 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/03 19:52:59 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/11/03 02:11:34 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2008/11/03 02:09:01 | 00,000,346 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2008/11/03 01:14:34 | 00,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/03 01:14:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/03 01:14:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/03 01:14:25 | 10,051,70688 | -HS- | M] () -- C:\hiberfil.sys
[2008/10/31 02:07:16 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Andre Novack\My Documents\Wizard of Oz.doc
[2008/10/30 17:50:33 | 00,098,816 | ---- | M] () -- C:\Documents and Settings\Andre Novack\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/23 20:14:44 | 00,000,959 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Pirates of the Caribbean Online.lnk
[2008/10/21 09:15:25 | 00,002,645 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Drive Manager.lnk
< End of report >

OTViewIt Extras logfile created on: 11/18/2008 6:32:41 AM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Andre Novack\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.54 Mb Total Physical Memory | 476.62 Mb Available Physical Memory | 49.72% Memory free
2.26 Gb Paging File | 1.60 Gb Available in Paging File | 70.64% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.00 Gb Total Space | 4.70 Gb Free Space | 4.74% Space Free | Partition Type: NTFS
Drive D: | 11.75 Gb Total Space | 1.37 Gb Free Space | 11.67% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 142.88 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDRE-DV2125NR
Current User Name: Andre Novack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 18:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 18:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing
""=
File not found -- C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService
[2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 18:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 18:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing
File not found -- C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
[2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2006/08/01 13:35:36 | 00,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
File not found -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM
[2007/09/07 17:01:54 | 00,043,008 | ---- | M] () -- C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
File not found -- C:\Program Files\Atari-Infogrames\Scrabble v2.0\Scrabble v2.0.exe:*:Disabled:Scrabble v2
File not found -- C:\Program Files\Infogrames\Yahtzee\Yahtzee.exe:*:Disabled:Yahtzee English
File not found -- C:\Program Files\Infogrames\Civilization III\Civilization3.exe:*:Enabled:Civilization3
File not found -- C:\Program Files\Infogrames\Civilization III\Civ3Edit.exe:*:Enabled:Civ3Edit
[2007/09/26 12:41:58 | 15,997,240 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- C:\Program Files\myTunes Redux\mDNSResponder.exe:*:Enabled:mDNSResponder
File not found -- C:\Program Files\Infogrames\Rollercoaster Tycoon 2 Wacky Worlds\rct2.exe:*:Enabled:rct2
[2008/03/06 09:40:06 | 00,689,456 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client
File not found -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service
[2008/07/18 08:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[2008/05/30 14:54:14 | 21,718,312 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\PE_C_ALL USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 03:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 03:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 03:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/06/20 18:26:46 | 00,221,184 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/06/03 01:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/25 14:29:55 | 08,071,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/07/23 12:21:20 | 00,120,608 | ---- | M] () c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (sacore:{5513F07E-936B-4E52-9B00-067394E91CC5} (HKLM) [McAfee SACore Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/05/30 14:54:14 | 01,942,864 | R--- | M] (Skype Technologies) C:\Program Files\Common Files\Skype\Skype4COM.dll (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 23:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}"=Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}"=Wireless Home Network Setup
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}"=HPPhotoSmartPhotobookWebPack1
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}"=CP_CalendarTemplates1
"{2157961D-0507-44A8-BCF2-1EE2D439E8DF}"=Civilization III Complete Edition
"{21657574-BD54-48A2-9450-EB03B2C7FC29}"=Sonic MyDVD Plus
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}"=CP_Package_Variety2
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}"=Destinations
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}"=Quicken 2006
"{2A548002-9042-4083-A270-B67473DE1073}"=SkinsHP1
"{2BB67266-D1A3-4CCC-8EB2-16770AB1FB76}"=ArcSoft WebCam Companion 2
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}"=J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{34BFB099-07B2-4E95-A673-7362D60866A2}"=PSSWCORE
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}"=HP Quick Launch Buttons 6.10 A2
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}"=Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{36B98FCD-557C-48B0-98B8-60F8435D8492}"=Microsoft Office Word 2003 Redaction Add-in
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}"=OptionalContentQFolder
"{3EBD3749-304E-4A4C-9575-C00E5F015217}"=Apple Mobile Device Support
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}"=NetWaiting
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}"=RandMap
"{4041C245-7099-4C96-9738-5EBC23827B3C}"=BufferChm
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}"=Microsoft Works
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}"=HP Wireless Assistant 2.00 G2
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}"=HP QuickPlay 2.3
"{47D2103B-FD51-4017-9C20-DD408B17D726}"=Office 2003 Trial Assistant
"{48B0F38D-1913-44F3-99AA-D4C55A2B038E}"=Drive Manager
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}"=CP_Panorama1Config
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}"=Cards_Calendar_OrderGift_DoMorePlugout
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}"=cp_LightScribeConfig
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}"=CP_Package_Variety1
"{52FBAE98-D389-4281-8C14-21B4046CCB4E}"=SonicAC3Encoder
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}"=FullDPAppQFolder
"{54F0998F-73C8-4b51-8286-FE903C231BED}"=cp_PosterPrintConfig
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype 3.8
"{63A3856B-5C0E-4BC1-B508-629AE74B6BBA}"=HP User Guides 0027
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}"=Sonic Express Labeler
"{6815FCDD-401D-481E-BA88-31B4754C2B46}"=Macromedia Flash Player 8
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}"=Microsoft Office Converter Pack
"{719842F9-FF69-4BA6-A6FE-52244575E0B3}"=ArcSoft VideoImpression 2
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}"=CP_Package_Basic1
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}"=Sonic_PrimoSDK
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}"=The Sims 2 Open For Business
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}"=cp_UpdateProjectsConfig
"{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}"=Macromedia Shockwave Player
"{869C3062-4745-4949-B6C9-98AF24D89030}"=PhotoGallery
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}"=The Sims 2
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{91120409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Standard Edition 2003
"{91170409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office FrontPage 2003
"{939F8208-C8CE-4AFF-B7BA-ACEB2E74A6CB}"=
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}"=QuickTime
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}"=CueTour
"{A06275F4-324B-4E85-95E6-87B2CD729401}"=Windows Defender
"{A5D65411-8E73-4C85-AD80-9FE8B7391CF9}"=Rome Total War - patch 1.3
"{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}"=Rome - Total War™
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}"=HP Help and Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}"=DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A70500000002}"=Adobe Reader 7.0.7
"{B045B608-4A47-4C77-9EAD-06C394503306}"=iTunes
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}"=CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Sonic Copy Module
"{B16AF568-A644-483C-A6DA-5028CD019C8C}"=SonicMPEGEncoder
"{B33CD700-6738-11D4-87FE-0080C6F974A2}"=eyeQ
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B57F2FF0-5A25-4332-B503-4592B370C02F}"=CP_Package_Variety3
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}"=HP Photosmart Essential 2.5
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}"=cp_OnlineProjectsConfig
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}"=HP Update
"{CA634931-0CC3-4067-ABCC-7182E1DC23B7}"=HP Button Manager
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}"=LightScribe System Software 1.10.13.1
"{D31612BB-C6D7-4142-96AE-16DB062354CF}"=HP Webcam Users Guide
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}"=HpSdpAppCoreApp
"{DB7E00C9-6DEF-489A-8112-D8F81614F45A}"=Vongo
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}"=VideoToolkit01
"{F3812D83-86D2-4445-A841-3E0BA4F9A11C}"=Merriam-Webster 3.0
"{FAB046D7-C187-4648-A1A9-FC875F7E3FCE}"=ArcSoft Magic-i 3
"{FB09F05F-85C6-4205-B28D-5BF071D276C3}"=muvee autoProducer 5.0
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}"=InstantShareDevices
"53F13DB4D9611FD63BE580F06F0729BF236ABE68"=Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Shockwave Player"=Adobe Shockwave Player
"AOL Instant Messenger"=AOL Instant Messenger
"BitTorrent"=BitTorrent 5.0.9
"Civilization III"=Civilization III
"CNXT_HDAUDIO"=Conexant HD Audio
"CNXT_MODEM_HDAUDIO_wis30B5m"=HDAUDIO Soft Data Fax Modem with SmartCP
"Disney Pirates of the Caribbean Online"=Disney Pirates of the Caribbean Online
"EPSON Printer and Utilities"=EPSON Printer Software
"EuroTalk Talk Now Plus!"=EuroTalk Talk Now Plus!
"FrRefEng"=French Spelling Settings
"HijackThis"=HijackThis 2.0.2
"HP Imaging Device Functions"=HP Imaging Device Functions 6.0
"HP Photo & Imaging"=HP Photosmart Premier Software 6.0
"HP Photosmart Essential"=HP Photosmart Essential 2.5
"HP Rhapsody"=HP Rhapsody
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Image Composer"=Microsoft Image Composer 1.5
"InstallShield_{2157961D-0507-44A8-BCF2-1EE2D439E8DF}"=Civilization III Complete Edition
"InstallShield_{48B0F38D-1913-44F3-99AA-D4C55A2B038E}"=Drive Manager
"InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}"=Rome - Total War™
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Money2006b"=Microsoft Money 2006
"Mozilla Firefox (2.0.0.18)"=Mozilla Firefox (2.0.0.18)
"MSC"=McAfee SecurityCenter
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"Picasa2"=Picasa 2
"PokerStars"=PokerStars
"PowerISO"=PowerISO
"RegistryBooster 2_is1"=Uniblue RegistryBooster 2
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"SpeedUpMyPC_is1"=Uniblue SpeedUpMyPC 3
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"The Proxomitron - Universal Web Filter_is1"=The Proxomitron Ver. Naoko-4.4
"Viewpoint Manager"=Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer"=Viewpoint Media Player
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMCSetup"=Windows Media Connect
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III"=Warcraft III: All Products

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1130547012-1227193852-2877026809-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III"=Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/18/2008 5:04:18 AM | Computer Name = ANDRE-DV2125NR | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Update
for Outlook 2003 (KB953432): OUTLOOK' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 11/18/2008 5:11:48 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 11/18/2008 5:12:03 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 11/18/2008 5:12:03 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 11/18/2008 5:12:03 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 11/18/2008 5:17:03 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 11/18/2008 5:17:18 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 11/18/2008 5:17:18 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 11/18/2008 5:17:18 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 11/18/2008 5:22:19 AM | Computer Name = ANDRE-DV2125NR | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

[ System Events ]
Error - 11/18/2008 5:01:47 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB921598).

Error - 11/18/2008 5:02:07 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office PowerPoint 2003 (KB948988).

Error - 11/18/2008 5:02:28 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Update for Microsoft Office Outlook 2003 Junk Email Filter
(KB957257).

Error - 11/18/2008 5:02:50 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office Outlook 2003 (KB945432).

Error - 11/18/2008 5:03:08 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB953404).

Error - 11/18/2008 5:03:24 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office Publisher 2003 (KB950213).

Error - 11/18/2008 5:03:44 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office Word 2003 (KB954464).

Error - 11/18/2008 5:04:03 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Office 2003 (KB954478).

Error - 11/18/2008 5:06:17 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Update for Microsoft Office Outlook 2003 (KB953432).

Error - 11/18/2008 7:58:33 AM | Computer Name = ANDRE-DV2125NR | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

#4 I8myComp

Posted 18 November 2008 - 08:19 AM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-18 07:14:27
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spft.sys ZwCreateKey [0xF72870E0]
SSDT spft.sys ZwEnumerateKey [0xF72A5CA2]
SSDT spft.sys ZwEnumerateValueKey [0xF72A6030]
SSDT spft.sys ZwOpenKey [0xF72870C0]
SSDT spft.sys ZwQueryKey [0xF72A6108]
SSDT spft.sys ZwQueryValueKey [0xF72A5F88]
SSDT spft.sys ZwSetValueKey [0xF72A619A]

INT 0x73 ? 86249BF8
INT 0x82 ? 861D9BF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE9FB9D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE9FB97D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE9FB996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE9FBA83]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE9FBAAF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE9FBA12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE9FBB49]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE9FB950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE9FB964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE9FB9E6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE9FBAF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE9FBA99]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE9FBB71]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE9FBB5D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE9FB9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE9FB9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE9FBA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE9FBB33]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE9FBA28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE9FB9FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP EE9FBA00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP EE9FB9D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP EE9FBA16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP EE9FBA2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP EE9FB9EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP EE9FB954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP EE9FB968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP EE9FB9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP EE9FB99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP EE9FB981 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP EE9FB9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP EE9FBA45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP EE9FBB37 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP EE9FBAF5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP EE9FBA9D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP EE9FBA87 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP EE9FBAB3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP EE9FBB61 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP EE9FBB75 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP EE9FBB4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spft.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F59748AC 5 Bytes JMP 860391D8
.text am3epckx.SYS F57CA384 1 Byte [ 20 ]
.text am3epckx.SYS F57CA386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text am3epckx.SYS F57CA3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text am3epckx.SYS F57CA3C4 3 Bytes [ 00, 00, 00 ]
.text am3epckx.SYS F57CA3C9 1 Byte [ 00 ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015E000A
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015E00B3
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015E00A2
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015E0087
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015E0FCA
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015E0051
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015E00FA
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015E00E9
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015E0F8D
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015E0126
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 015E0137
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 015E006C
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 015E0FEF
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 015E00CE
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 015E0040
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 015E0025
.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 015E0115
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F00FDE
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F00025
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F00051
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F00000
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F00FB9
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 10, 89 ]
.text C:\WINDOWS\Explorer.EXE[208] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F00040
.text C:\WINDOWS\Explorer.EXE[208] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F10000
.text C:\WINDOWS\Explorer.EXE[208] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F10011
.text C:\WINDOWS\Explorer.EXE[208] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F10FD1
.text C:\WINDOWS\Explorer.EXE[208] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00F10022
.text C:\WINDOWS\Explorer.EXE[208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0071
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002F
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00A7
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0096
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00E4
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00D3
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F30
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A004A
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F6B
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00B8
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F7C
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F8D
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290F9E
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040067
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F72
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0004004C
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F83
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0004009A
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040089
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000400C6
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400B5
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000400D7
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00040078
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00040F37
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F75
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F86
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F97
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F22
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F3F
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00A0
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F07
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BE00B1
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BE0F50
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BE007B
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FC005B
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FC0FB9
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FC004A
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FC0025
.text C:\WINDOWS\system32\lsass.exe[1052] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FC0F9E
.text C:\WINDOWS\system32\lsass.exe[1052] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F59
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE004E
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F74
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0F9B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0084
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0073
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00C1
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00B0
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FE00D2
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FE003D
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FE0F48
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FE009F
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02460047
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02460F91
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0246002C
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02460011
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02460058
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02460000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02460FC0
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 66, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02460FDB
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0F86
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F97
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0FA8
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0051
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F5A
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F6B
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00F3
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00E2
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CB010E
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CB0FCA
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CB0096
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CB0FDB
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CB00BD
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CE0065
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CE0054
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EE, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC0000
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02AA0000
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02AA0054
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02AA0F5F
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02AA0F70
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02AA0F8D
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02AA0FA8
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02AA0F33
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02AA006F
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02AA00C2
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02AA00B1
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02AA00D3
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02AA002F
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02AA0FE5
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02AA0F44
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02AA0FB9
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02AA0FD4
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02AA0096
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02A80036
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02A80058
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02A80FE5
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02A8001B
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02A80F9B
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02A80000
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02A80FB6
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ C8, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02A80047
.text C:\WINDOWS\System32\svchost.exe[1352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EC0FE5
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02A90FEF
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02A9000A
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02A90FDE
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02A90FCD
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A20091
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A20FA6
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A20FC3
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A20076
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A20051
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A20F5A
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A200A2
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A200E9
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A200D8
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A20104
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A20F81
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A200BD
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A10F9B
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10058
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A10FB6
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ C1, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1460] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A10047
.text C:\WINDOWS\system32\svchost.exe[1460] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80075
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80064
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80F8A
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80047
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C80F48
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80F59
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800C6
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C800AB
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C800EB
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C80090
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C80FC0
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C80F37
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 009F0014
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 009F0062
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 009F0FCD
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 009F0051
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 009F0040
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A0001B
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A0002C
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A00047
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2060] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006B
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F76
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005A
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A003D
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F34
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0086
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00AB
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F12
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EED
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F9B
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F5B
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A002C
.text C:\WINDOWS\system32\dllhost.exe[2684] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F23
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A007D
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0062
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A0051
.text C:\WINDOWS\system32\dllhost.exe[2684] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\dllhost.exe[2684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F66
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10051
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10040
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C1002F
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10F9E
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F2E
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F4B
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F02
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F13
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C10EF1
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C10F8D
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C10076
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[2896] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C10087
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C00028
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C0006F
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C00FCD
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C0005E
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C00043
.text C:\WINDOWS\system32\svchost.exe[2896] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C00FBC
.text C:\WINDOWS\system32\svchost.exe[2896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F75
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F86
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F97
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0054
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F49
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0085
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00B6
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F27
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BC0F02
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BC0039
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BC0F64
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BC001E
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[2956] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BC0F38
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BB0FB2
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BB0054
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BB0F97
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BB0039
.text C:\WINDOWS\system32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BB001E

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] spft.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] spft.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] spft.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] spft.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] spft.sys
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\am3epckx.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] spft.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 862481F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 85D361F8

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\usbohci \Device\USBPDO-0 8603A1F8
Device \Driver\usbehci \Device\USBPDO-1 85FEF1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8624A1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8624A1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8624A1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8624A1F8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\sptd \Device\2076081402 spft.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 861DA1F8
Device \Driver\PCI_PNP7652 \Device\00000058 spft.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 861DA1F8
Device \Driver\Cdrom \Device\CdRom0 85FE31F8
Device \Driver\Cdrom \Device\CdRom1 85FE31F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 861DA1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{777F13F8-4E2D-4CEF-AF9B-2CC7C32D6650} 852D41F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 852D41F8
Device \Driver\NetBT \Device\NetbiosSmb 852D41F8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBFDO-0 8603A1F8
Device \Driver\usbehci \Device\USBFDO-1 85FEF1F8
Device \Driver\nvata \Device\NvAta0 862491F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 852A31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 852A31F8
Device \Driver\Ftdisk \Device\FtControl 861DA1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FC0775D0-B53B-470F-8E82-9C97FE78D873} 852D41F8
Device \Driver\nvata \Device\0000008c 862491F8
Device \Driver\am3epckx \Device\Scsi\am3epckx1Port3Path0Target0Lun0 85FC21F8
Device \Driver\am3epckx \Device\Scsi\am3epckx1 85FC21F8
Device \FileSystem\Fastfat \Fat 85D361F8

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 85262500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0x61 0x0F 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x13 0xC1 0x6C 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x14 0xA7 0x4A 0xE5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0x61 0x0F 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x13 0xC1 0x6C 0x5C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x14 0xA7 0x4A 0xE5 ...

---- EOF - GMER 1.0.14 ----

#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 November 2008 - 08:23 PM

Hello, I8myComp
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows" (OR if you are on a x64 system, "Windows x64")
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (Or "Uninstall a Program" on Vista) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe (Or jre-6u10-windows-x64.exe for x64 systems)
  • Follow the on screen instructions to install the latest Java version.
We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • OTMoveIt3's Log
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3

Edited by Billy O'Neal, 18 November 2008 - 08:24 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 I8myComp
  • Topic Starter

  • Members
  • 15 posts

Posted 20 November 2008 - 04:21 PM

Hey Billy,

The OTMoveIt3 did not work when I entered "[EmptyTemp]".

Also, I can't get ESET to work; it gives me error messages something like "Update Error (200)".

I've also noticed my computer doesn't want to let any other online scanner work.
My Microsoft Update gets diverted to MSN.com. I read something online that suggested something is screwing with DNS.
My MS update doesn't work, neither does McAfee or Windows Defender (even though I reinstalled all of it and updated it etc. just a couple weeks ago).
I've run SpyBot, AdAware and McAfee and they found nothing. I ran Malwarebytes and it found a registry key "Adware.Trymedia" which it quarantined.

As always, thanks for all your help!


Here is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:26 PM, on 11/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.southparkstudios.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160099314636
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160099522448
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...405/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11124 bytes

#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 20 November 2008 - 06:55 PM

Hello, I8myComp
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

My Microsoft Update gets diverted to MSN.com. I read something online that suggested something is screwing with DNS.

If it was a DNS problem it would be directed to a completely unrelated page. Your logs also do not indicate modified DNS settings. The only thing that could be hijacked for DNS now would be your router box. You may wish to try resetting that.. though I don't think that's the issue here.

I'm sorry about the OTMI3 thing.. I made a mistake in the script...

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
We need to run a system scan with Dr. Web CureIt
  • Please download DrWeb-CureIt & save it to your desktop.
    DO NOT perform a scan yet.
  • Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Complete Scan"
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
In your next reply, please include the following:
  • OTMoveIt3's Log
  • Dr.Web's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
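The reply above argues that a real DNS or hosts-file hijack would show up in the HijackThis log itself, as O1 (hosts file) or O17 (DNS/domain settings) lines, and that the log has none; the only redirect-relevant entry present is the R1 ProxyServer line. The script below is an added example, not part of this thread and not HijackThis code: it scans HJT-style lines for exactly those entries. The R1 line in the sample is copied from the log above; the O1 and O17 lines are constructed (TEST-NET addresses) so each case is exercised, and the "security domain" watchlist is an assumption, not something the thread lists.

```python
"""Added example (not part of this thread or of HijackThis itself): scan
HijackThis-style log lines for the entries that would reveal a hosts-file,
DNS or proxy redirect.

Line formats assumed here follow HijackThis 2.0 output:
  O1  - Hosts: <ip> <hostname>
  O17 - <registry path>: <ValueName> = <value>
  R1  - ...Internet Settings,ProxyServer = <host:port>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Addresses a hosts entry uses to sink a name rather than redirect it.
LOCAL_SINKS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed watchlist (an assumption): update/AV vendors whose domains
# malware commonly maps to loopback to block updates and online scanners.
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "mcafee.com",
                    "eset.", "symantec.com", "drweb.")

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - (.+?): (\w+) = (.+)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (.+)$")


@dataclass
class Finding:
    kind: str    # proxy | blocked-security-host | hosts-redirect | dns-setting
    detail: str
    line: str


def scan_hjt(log_text: str) -> list[Finding]:
    """Return the redirect-relevant findings in HJT log text, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            if ip not in LOCAL_SINKS:
                # Any non-loopback hosts entry silently redirects that name.
                findings.append(Finding("hosts-redirect", f"{host} -> {ip}", line))
            elif any(d in host.lower() for d in SECURITY_DOMAINS):
                # A loopback mapping of an update/AV domain blocks that service.
                findings.append(Finding("blocked-security-host", host, line))
            continue
        m = O17_RE.match(line)
        if m:
            # Every NameServer/Domain override deserves an analyst's look.
            findings.append(Finding("dns-setting", f"{m.group(2)} = {m.group(3)}", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(Finding("proxy", m.group(1).strip(), line))
    return findings


# Sample input: the R1 ProxyServer line is copied from the log posted in this
# thread; the O1 and O17 lines are constructed (TEST-NET addresses).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 update.microsoft.com
O1 - Hosts: 192.0.2.10 www.mcafee.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```

Run against the full log posted in this thread, the scan yields only the proxy finding (localhost:8080, which matches the Proxomitron process in the running-process list), which is the observation the reply makes: nothing in the O1/O17 space points at a DNS or hosts-file change. A loopback mapping of a vendor domain is reported separately from a redirect because it explains the "updates don't work" symptom without sending the browser anywhere visible.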

#8 I8myComp
  • Topic Starter

  • Members
  • 15 posts

Posted 21 November 2008 - 12:34 AM

========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_c7x5bKkcHyJ6rg7 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_MbeDzuqoIdaX0qd scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_xPgcE3ftAuQw1Ed scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_aD5pftvLYyvbd9w scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_aqEbrFGtudDaYR7 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_odgSvFyB1y85VLF scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_UBPTS2lEgO0G5Cc scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3b8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_6snq6PaPbpKVBCJ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_LDXsZ7selxyZ5O8 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_z8THSJc8Tl0aOob scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\TMP0000004A50416FCB7E9EAD43 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFVB.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11202008_232520

Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\mcafee_c7x5bKkcHyJ6rg7 not found!
File C:\WINDOWS\temp\mcafee_MbeDzuqoIdaX0qd not found!
File C:\WINDOWS\temp\mcafee_xPgcE3ftAuQw1Ed not found!
File C:\WINDOWS\temp\mcmsc_aD5pftvLYyvbd9w not found!
File C:\WINDOWS\temp\mcmsc_aqEbrFGtudDaYR7 not found!
File C:\WINDOWS\temp\mcmsc_odgSvFyB1y85VLF not found!
File C:\WINDOWS\temp\mcmsc_UBPTS2lEgO0G5Cc not found!
File C:\WINDOWS\temp\Perflib_Perfdata_3b8.dat not found!
C:\WINDOWS\temp\sqlite_6snq6PaPbpKVBCJ moved successfully.
C:\WINDOWS\temp\sqlite_LDXsZ7selxyZ5O8 moved successfully.
C:\WINDOWS\temp\sqlite_z8THSJc8Tl0aOob moved successfully.
File C:\WINDOWS\temp\TMP0000004A50416FCB7E9EAD43 not found!
File C:\WINDOWS\temp\WFVB.tmp not found!
C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Andre Novack\Local Settings\Application Data\Mozilla\Firefox\Profiles\s6se0fiv.default\XUL.mfl moved successfully.

#9 I8myComp

I8myComp
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 21 November 2008 - 08:24 AM

orangeflowercur.exe\data015;C:\Documents and Settings\Andre Novack\My Documents\Other My Documents\Monies\orangeflowercur.exe;Adware.Ezula;;
orangeflowercur.exe\data016;C:\Documents and Settings\Andre Novack\My Documents\Other My Documents\Monies\orangeflowercur.exe;Adware.IGetNet;;
orangeflowercur.exe;C:\Documents and Settings\Andre Novack\My Documents\Other My Documents\Monies;Archive contains infected objects;Moved.;
ArcSendMailDll.dll;C:\Program Files\ArcSoft\WebCam Companion 2;Trojan.PWS.Akak.origin;Incurable.Moved.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
musicnow1.exe\data008;C:\SWSetup\AOLMN\SP31524.exe\\musicnow1.exe;Trojan.Click.2093;;
\musicnow1.exe;C:\SWSetup\AOLMN\SP31524.exe\;Archive contains infected objects;;
SP31524.exe;C:\SWSetup\AOLMN;Archive contains infected objects;Moved.;
data030\data002;C:\SWSetup\HPGame\games\cakemania-setup.exe\data030;Adware.SpywareStorm;;
data030;C:\SWSetup\HPGame\games\cakemania-setup.exe;Archive contains infected objects;;
cakemania-setup.exe;C:\SWSetup\HPGame\games;Archive contains infected objects;Moved.;

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:38 AM

Posted 21 November 2008 - 07:22 PM

Hello, I8myComp
Alright, how are things running now?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 I8myComp

I8myComp
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 22 November 2008 - 03:26 AM

Hey Billy,

As always, I appreciate all the help so far, I really do.

Some sites that weren't working before are working again.

However, my attempts to access Microsoft's updates are still being thwarted, redirected to MSN.com.

I don't know if it makes any difference, but my neighbor lets us hop on his wireless, so I don't have access to his router etc.

But I'm not quite sure why I can't update Windows or Windows Defender. My McAfee has an update error and says I have to reinstall McAfee Virus Scan Plus.

Any ideas?

Thanks,

Andre

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:38 AM

Posted 22 November 2008 - 06:03 PM

How are you getting to windows update?

Is it via a web link? Any malformed URL to Microsoft servers will be redirected to microsoft.com and/or msn.com. This isn't malware; it's the default behavior of MS servers.

Try this link:
http://update.microsoft.com

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 I8myComp

I8myComp
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 22 November 2008 - 08:03 PM

That link still brings me to MSN.com. So when it tries to auto-update it fails, and I can't get to the update website. I can get to the main site but not beyond that toward the updates. And also McAfee fails its updates as well and displays warnings that I'm not protected (my subscription is fine though).

So Windows, Windows Defender, McAfee won't update.

ESET still has errors if I try to use the online scan.

Any ideas?

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:38 AM

Posted 22 November 2008 - 08:07 PM

Hello, I8myComp
This will create a log.txt on your desktop. Please post the contents of that.

We need to execute a Batch File
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    nslookup update.microsoft.com > "%userprofile%\Desktop\log.txt"
    del fix.bat
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
Billy3

Edited by Billy O'Neal, 22 November 2008 - 08:08 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 I8myComp

I8myComp
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 23 November 2008 - 11:24 PM

Server: UnKnown
Address: 192.168.0.1

Name: update.microsoft.com.hsd1.mn.comcast.net
Address: 99.198.101.12
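The nslookup check Billy asked for in #14 and the transcript it produced in #15 can be read mechanically. The script below is an added example for this thread, not code posted by anyone in it. It parses a Windows nslookup transcript and flags the failure mode visible above: the answered Name is the queried name with the connection's DNS suffix (hsd1.mn.comcast.net) appended. nslookup only falls back to the search suffix after the exact query fails, so a suffixed answer means update.microsoft.com itself did not resolve and a wildcard record in the suffix zone answered in its place. It also notes that the resolver at 192.168.0.1 has no reverse (PTR) name, which nslookup prints as "Server: UnKnown". The first sample is the transcript from #15; the second is a constructed healthy transcript using RFC 5737 documentation addresses, not real Microsoft IPs.

```python
"""Decide whether an nslookup transcript answers the name that was asked for.

Added example for this thread, not code from any post in it.  A "Name:" that is
the queried name plus a search suffix means the exact query failed and nslookup
retried with the suffix, where a wildcard record answered instead.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Transcript as posted in this thread (reply #15).
SAMPLE_LOG = """\
Server: UnKnown
Address: 192.168.0.1

Name: update.microsoft.com.hsd1.mn.comcast.net
Address: 99.198.101.12
"""

# Constructed contrast case: resolver has a PTR name and the answer is for the
# exact name queried.  Addresses are RFC 5737 documentation ranges (assumption).
HEALTHY_LOG = """\
Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    update.microsoft.com
Addresses:  203.0.113.10
          203.0.113.11
"""


@dataclass
class LookupResult:
    server: Optional[str] = None         # text after "Server:"
    server_addr: Optional[str] = None    # resolver IP (first "Address:" line)
    answered_name: Optional[str] = None  # text after "Name:"
    addresses: List[str] = field(default_factory=list)
    error: Optional[str] = None          # any "*** ..." line nslookup printed


def _as_ip(token: str) -> Optional[str]:
    """Return a normalised IP string if token is an IPv4/IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(token.strip()))
    except ValueError:
        return None


def parse_nslookup(text: str) -> LookupResult:
    """Parse the resolver block, then the answer block, of an nslookup transcript."""
    result = LookupResult()
    section = "server"  # addresses seen before "Name:" belong to the resolver
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        if line.startswith("***"):
            result.error = line
        elif lowered.startswith("server:"):
            result.server = line.split(":", 1)[1].strip()
            section = "server"
        elif lowered.startswith("name:"):
            result.answered_name = line.split(":", 1)[1].strip()
            section = "answer"
        else:
            # "Address: x", "Addresses: x", or an indented continuation line "x"
            token = line.split(":", 1)[1] if lowered.startswith("address") else line
            ip = _as_ip(token)
            if ip is None:
                continue  # e.g. "Non-authoritative answer:" or an Aliases line
            if section == "server" and result.server_addr is None:
                result.server_addr = ip
            elif section == "answer":
                result.addresses.append(ip)
    return result


def assess(queried: str, result: LookupResult) -> dict:
    """Compare what was asked with what came back and list anything suspicious."""
    q = queried.rstrip(".").lower()
    a = (result.answered_name or "").rstrip(".").lower()
    findings: List[str] = []
    appended_suffix: Optional[str] = None

    if result.error:
        findings.append(f"resolver reported an error: {result.error}")
    if a and a != q:
        if a.startswith(q + "."):
            appended_suffix = a[len(q) + 1:]
            findings.append(f"answer is for '{a}', not '{q}': suffix "
                            f"'{appended_suffix}' appended, exact name did not resolve")
        else:
            findings.append(f"answer is for an unrelated name '{a}'")
    if (result.server or "").lower() == "unknown":
        findings.append(f"resolver {result.server_addr} has no PTR record (Server: UnKnown)")

    return {
        "queried": q,
        "answered": a,
        "appended_suffix": appended_suffix,
        "addresses": list(result.addresses),
        "answers_queried_name": a == q and bool(result.addresses) and not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, log in (("thread transcript", SAMPLE_LOG), ("constructed healthy", HEALTHY_LOG)):
        verdict = assess("update.microsoft.com", parse_nslookup(log))
        print(label, verdict["answers_queried_name"], verdict["findings"])
```

Run against the #15 transcript it reports the appended suffix hsd1.mn.comcast.net and the unnamed resolver; against the constructed healthy transcript it reports nothing. The check is deliberately about the shape of the answer rather than about which IP is "correct", since that can only be judged against an authoritative lookup from a resolver you trust.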



