Computer sick for the first time - Virtumondo, Win32Agent


11 replies to this topic

#1 terry999

Posted 22 December 2008 - 05:16 PM

Hi all,

As you can see, I am a newbie here. I don't have much to offer to the board as my computer skills are very limited, but I would very much appreciate some help.

My computer has become infected for the first time.

The symptoms so far are:

Multiple windows opening up offering anti-virus software
A program called videosoft setup trying to install constantly
My McAfee and windows update settings changing on their own
Firefox and IE trying to use a proxy server
IE windows opening when I'm using firefox

So far I've tried (in normal and safe mode):
CCleaner
Spybot Search & Destroy
Malwarebytes' Anti-Malware
Vundofix.exe
VirtumundoBeGone.exe

I have listed the Online Kaspersky and RSIT logs below and would be grateful for any advice.

My only other question is this: if I were to perform a clean install, would attaching my USB hard drive and copying over my music and documents cause the USB drive to become infected, hence re-infecting the fresh install?

Thanks in advance and Happy Christmas!

Terry


Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 22, 2008 17:03:33
Records in database: 1500983
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 214434
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:20:31


File name / Threat name / Threats count
spoolsv.exe\dll.dll/spoolsv.exe\dll.dll Infected: Rootkit.Win32.TDSS.cfj 1
C:\Documents and Settings\Terry\Local Settings\Temp\tmp98.tmp Infected: Rootkit.Win32.TDSS.cfj 1
C:\Documents and Settings\Terry\Local Settings\Temp\tmp99.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Program Files\Mozilla Firefox\components\iamfamous.dll Infected: Trojan.Win32.Agent.avjo 1
C:\WINDOWS\system32\userinit.exe Infected: Trojan-Downloader.Win32.Agent.auff 1

The selected area was scanned.


Logfile of random's system information tool 1.05 (written by random/random)
Run by Terry at 2008-12-22 21:55:58
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 65 GB (43%) free of 150 GB
Total RAM: 2046 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56:00, on 22/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\ElsaWin\bin\LcSvrAdm.exe
C:\ElsaWin\bin\LcSvrDba.exe
C:\ElsaWin\bin\LcSvrHis.exe
C:\ElsaWin\bin\LcSvrPas.exe
C:\ElsaWin\bin\LcSvrSaz.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\ElsaWin\bin\VSgate.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nike+ Utility\Nike+ Utility.exe
C:\ElsaWin\bin\LcSvrAuf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Terry\LOCALS~1\Temp\ie19E.tmp
C:\Documents and Settings\Terry\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Terry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatwashomepage.com/?q=http://w...w.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AnvTrgrWarningBHO Class - {95E9BCC0-2E84-4500-8A9C-0B7A96769124} - C:\Program Files\AnvTrgrsoftware\AnvTrgrWarning.dll (file missing)
O2 - BHO: {ac7352fa-f43b-ad39-1914-29db04f3823c} - {c3283f40-bd92-4191-93da-b34faf2537ca} - C:\WINDOWS\system32\dugvwd.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AnvTrgr] "C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Nike+ Utility.lnk = C:\Program Files\Nike+ Utility\Nike+ Utility.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.iexplorersecurity.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.iexplorersecurity.com/redirect.php (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://www.childcareevouchers.com/dana/dow...wnloadCitrixCab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212753056562
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.childcareevouchers.com/dana-cac...perSetupSP1.cab
O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - C:\ElsaWin\bin\wiProt.dll
O20 - AppInit_DLLs: dugvwd.dll
O22 - SharedTaskScheduler: bussebuschke - {2ecca339-c274-40e3-a582-ef4c0e917639} - C:\WINDOWS\system32\ijofmsu.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\tintinyproxyy\tinyproxy.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - C:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - C:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - C:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: ELSA APOSpro Server (LcSvrSaz) - Volkswagen AG - C:\ElsaWin\bin\LcSvrSaz.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\tintinyproxyy\tinyproxy.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: ELSA Vaudis Service (VSGate) - Volkswagen AG - C:\ElsaWin\bin\VSgate.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 12164 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\ypfmvmst.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-06-09 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}]
AnvTrgrWarningBHO Class - C:\Program Files\AnvTrgrsoftware\AnvTrgrWarning.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3283f40-bd92-4191-93da-b34faf2537ca}]
C:\WINDOWS\system32\dugvwd.dll [2008-12-22 131584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-04-18 552960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-04-01 5562368]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-04-25 139264]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-04-01 86016]
"DLBTCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll []
"CTHelper"=C:\WINDOWS\SYSTEM32\CTHELPER.EXE [2003-10-06 24576]
"Easy-PrintToolBox"=C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600]
"NSLauncher"=C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe [2007-10-01 3104768]
"CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2008-07-11 641208]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2007-10-30 2595616]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2007-10-30 909208]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2007-10-30 140568]
"BluetoothAuthenticationAgent"=C:\WINDOWS\SYSTEM32\bthprops.cpl [2008-04-14 110592]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"AnvTrgr"=C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ashampoo PopUpBlocker]
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe [2005-04-22 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2008-06-09 214560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2006-12-14 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe [2006-05-08 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-06-09 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Nike+ Utility.lnk - C:\Program Files\Nike+ Utility\Nike+ Utility.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="dugvwd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
bussebuschke - {2ecca339-c274-40e3-a582-ef4c0e917639} - C:\WINDOWS\system32\ijofmsu.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Valve\Steam\Steam.exe"="C:\Program Files\Valve\Steam\Steam.exe:*:Disabled:Steam"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\Program Files\GhostSurf\GhostSurf.exe"="C:\Program Files\GhostSurf\GhostSurf.exe:*:Disabled:Architecture launch vehicle"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe"="C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe:*:Enabled:AnvTrgr"
"C:\Program Files\tintinyproxyy\tinyproxy.exe"="C:\Program Files\tintinyproxyy\tinyproxy.exe:*:Enabled:tinyproxy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9541cf62-0d6f-11da-a1e9-d728f3c42585}]
shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a52942-8ccd-11dd-aa81-0014bf797589}]
shell\AutoRun\command - F:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2008-12-22 21:55:58 ----D---- C:\rsit
2008-12-22 19:07:43 ----RSHD---- C:\resycled
2008-12-22 17:36:29 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-22 17:30:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-22 16:38:13 ----D---- C:\Program Files\tintinyproxyy
2008-12-22 16:23:46 ----SHD---- C:\WINDOWS\system32\EE080C984C25D3E0
2008-12-22 15:54:17 ----D---- C:\Program Files\Trend Micro
2008-12-22 15:52:58 ----A---- C:\WINDOWS\system32\stu2.exe
2008-12-22 15:22:01 ----A---- C:\WINDOWS\system32\VundoFixSVC.exe
2008-12-22 15:06:46 ----D---- C:\VundoFix Backups
2008-12-22 15:06:46 ----A---- C:\VundoFix.txt
2008-12-22 10:54:00 ----D---- C:\Documents and Settings\Terry\Application Data\Malwarebytes
2008-12-22 10:53:54 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-22 10:53:54 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-22 09:25:56 ----A---- C:\WINDOWS\system32\dugvwd.dll
2008-12-22 09:25:50 ----A---- C:\WINDOWS\system32\tsqmkcvq.dll
2008-12-22 09:23:29 ----A---- C:\WINDOWS\system32\3369b396-.txt
2008-12-18 21:22:05 ----D---- C:\WINDOWS\system32\IOSUBSYS
2008-12-17 21:16:17 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-14 20:17:33 ----D---- C:\Program Files\iPod
2008-12-14 20:17:30 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 00:35:23 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 00:35:08 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-12 00:32:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 00:32:10 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 00:31:56 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-08 10:13:27 ----D---- C:\Program Files\BookSmart

======List of files/folders modified in the last 1 months======

2008-12-22 21:48:00 ----D---- C:\WINDOWS\Temp
2008-12-22 21:48:00 ----D---- C:\Program Files\Mozilla Firefox
2008-12-22 19:07:45 ----D---- C:\WINDOWS\system32\drivers
2008-12-22 18:53:21 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-22 18:53:02 ----D---- C:\WINDOWS
2008-12-22 18:49:05 ----D---- C:\WINDOWS\system32
2008-12-22 17:29:56 ----A---- C:\WINDOWS\wininit.ini
2008-12-22 17:11:39 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 17:09:13 ----RD---- C:\Program Files
2008-12-22 16:08:54 ----SHD---- C:\WINDOWS\Installer
2008-12-22 16:08:30 ----SHD---- C:\Config.Msi
2008-12-22 16:08:30 ----D---- C:\Program Files\Raxco
2008-12-22 15:52:57 ----A---- C:\WINDOWS\system32\userinit.exe
2008-12-22 14:30:55 ----D---- C:\Program Files\BitTorrent
2008-12-22 14:28:21 ----D---- C:\Program Files\Google
2008-12-22 14:28:10 ----D---- C:\WINDOWS\Prefetch
2008-12-22 12:57:53 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-22 11:15:13 ----SHD---- C:\RECYCLER
2008-12-22 11:11:25 ----D---- C:\Documents and Settings
2008-12-22 09:17:33 ----SD---- C:\WINDOWS\Tasks
2008-12-18 21:22:05 ----HD---- C:\WINDOWS\inf
2008-12-18 14:08:32 ----D---- C:\i386
2008-12-17 21:16:20 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-17 21:16:06 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-14 20:17:57 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-14 20:17:56 ----D---- C:\Program Files\iTunes
2008-12-14 20:17:33 ----D---- C:\Program Files\Common Files\Apple
2008-12-14 20:16:30 ----D---- C:\Program Files\QuickTime
2008-12-14 20:01:05 ----D---- C:\Program Files\Apple Software Update
2008-12-12 17:01:00 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 13:04:07 ----D---- C:\WINDOWS\Debug
2008-12-09 23:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-29 12:11:26 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-06-27 207656]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2008-06-02 120136]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2002-11-08 17217]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-01-16 17801]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 PStrip;PStrip; C:\WINDOWS\system32\drivers\PStrip.sys [2004-11-09 21968]
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-04-13 44384]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2004-02-23 645360]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2004-02-23 366352]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2003-10-08 6096]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2003-10-08 130288]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2007-02-16 34760]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2003-10-13 145488]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\System32\drivers\ha10kx2k.sys [2004-02-24 904784]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-06-27 79240]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-06-27 35240]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-04-01 3454656]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2003-10-08 178672]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-03-20 47360]
R3 USB_RNDIS;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver v2; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 45504]
S1 navigator;navigator; C:\WINDOWS\fd.dll []
S3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]
S3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]
S3 BCM42RLY;BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS []
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BTHMODEM;Bluetooth Serial Communications Driver; C:\WINDOWS\system32\DRIVERS\bthmodem.sys [2008-04-13 37888]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys [2004-03-24 4272]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\System32\drivers\ctdvda2k.sys [2003-10-14 332800]
S3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 ggsemc;Sony Ericsson USB Flash Driver; C:\WINDOWS\system32\DRIVERS\ggsemc.sys [2006-07-11 8704]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\System32\drivers\hap16v2k.sys [2003-10-21 148432]
S3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
S3 jatmlano;jatmlano; \??\C:\DOCUME~1\Cathy\LOCALS~1\Temp\jatmlano.sys []
S3 k750bus;Sony Ericsson 750 driver (WDM); C:\WINDOWS\system32\DRIVERS\k750bus.sys [2005-02-11 55216]
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\k750mdfl.sys [2005-02-11 6576]
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers; C:\WINDOWS\system32\DRIVERS\k750mdm.sys [2005-02-11 89872]
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers; C:\WINDOWS\system32\DRIVERS\k750mgmt.sys [2005-02-11 81728]
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers; C:\WINDOWS\system32\DRIVERS\k750obex.sys [2005-02-11 79488]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2008-06-20 34152]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2008-06-27 40488]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2008-05-07 17536]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2008-05-07 20864]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent; C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic; C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver; \??\C:\DOCUME~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPMPR5.SYS []
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver; \??\C:\DOCUME~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPNDIS5.SYS []
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\SE27bus.sys [2006-04-28 61600]
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys [2006-04-28 9360]
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\SE27mdm.sys [2006-04-28 97184]
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys [2006-04-28 88688]
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS); C:\WINDOWS\system32\DRIVERS\se27nd5.sys [2006-04-28 18704]
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\SE27obex.sys [2006-04-28 86560]
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM); C:\WINDOWS\system32\DRIVERS\se27unic.sys [2006-04-28 90800]
S3 Ser2pl;Prolific Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2004-06-28 42752]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-03-31 180096]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2008-06-06 8064]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbbus;LGE Mobile Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys []
S3 UsbDiag;LGE Mobile USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys []
S3 USBModem;LGE Mobile USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys []
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2008-04-13 26112]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2008-05-07 8064]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-06-14 104576]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys []
S3 WmFilter;Logitech Gaming HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 22240]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 5600]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2007-10-30 427288]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 IAANTMon;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-04-25 86142]
R2 LcSvrAdm;ELSA Administration Service; C:\ElsaWin\bin\LcSvrAdm.exe [2006-11-24 147456]
R2 LcSvrDba;ELSA DBA Server; C:\ElsaWin\bin\LcSvrDba.exe [2006-11-24 233472]
R2 LcSvrHis;ELSA Historie Server; C:\ElsaWin\bin\LcSvrHis.exe [2006-11-24 217088]
R2 LcSvrPAS;ELSA PASS Server; C:\ElsaWin\bin\LcSvrPas.exe [2006-11-24 368640]
R2 LcSvrSaz;ELSA APOSpro Server; C:\ElsaWin\bin\LcSvrSaz.exe [2006-11-24 233472]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-10-10 792696]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-07-18 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2008-07-09 358736]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2008-06-20 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-04-01 127043]
R2 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 492720]
R2 VSGate;ELSA Vaudis Service; C:\ElsaWin\bin\VSgate.exe [2006-11-24 81920]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service; C:\ElsaWin\bin\LcSvrAuf.exe [2006-11-24 1306624]
R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2008-07-09 884360]
S2 Acronis Scheduler2 Service (AcrSch2Svc) ;Acronis Scheduler2 Service (AcrSch2Svc) ; C:\Program Files\tintinyproxyy\tinyproxy.exe [2008-12-22 8960]
S2 Machine Debug Manager (MDM) ;Machine Debug Manager (MDM) ; C:\Program Files\tintinyproxyy\tinyproxy.exe [2008-12-22 8960]
S2 WUSB54GSv2SVC;WUSB54GSv2SVC; C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-04-19 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 dlbt_device;dlbt_device; C:\WINDOWS\system32\dlbtcoms.exe [2005-03-03 466944]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2008-06-20 361800]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-04-27 53337]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-04-27 49241]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-02-08 212480]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-04-27 69718]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2006-05-08 69632]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2008-09-16 605512]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2008-12-22 21:56:33

======Uninstall list======

-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->Dummy
-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis True Image Home-->MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Creative Suite 2-->C:\PROGRA~1\INSTAL~1\{0134A~1\setup.exe /relaunched/rootloc=e:\adobe creative suite 2.0/lang=0409
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop Lightroom 2-->MsiExec.exe /I{531BC138-F1F7-496B-879C-F039ECEF438D}
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader Korean Fonts-->MsiExec.exe /I{AC76BA86-7AD7-5670-0000-7E8A45000001}
Adobe Stock Photos 1.0-->MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AntivirusTrigger 2.1-->C:\Program Files\AnvTrgrsoftware\uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ashampoo WinOptimizer Platinum Suite 2-->"C:\Program Files\Ashampoo\Ashampoo WinOptimizer Platinum Suite 2\Uninstall\WOPS2_Uninstall.exe"
Audacity 1.2.3-->"C:\Program Files\Audacity\unins000.exe"
AvantGo Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A90DCEC1-22DE-11D4-B8A9-0050DAB648C6}\setup.exe" -l0x9 CP
A-Z Video Converter Ultimate 8.14-->"C:\Program Files\A-Z\A-Z Video Converter Ultimate\unins000.exe"
BookSmart™ 1.9.9 1.9.9-->C:\Program Files\BookSmart\uninstall.exe
Browser Toolbar-->"C:\Program Files\WebMediaViewer\browseu.exe"
Canon iP4300 User Registration-->C:\Program Files\Canon\IJEREG\iP4300\UNINST.EXE
Canon iP4300-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300 /L0x0009
Canon Setup Utility 2.3-->"C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.3\uninst.ini
Canon Utilities Easy-LayoutPrint-->C:\Program Files\Canon\Easy-LayoutPrint\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox-->C:\WINDOWS\BJPSUNST.EXE
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CD-LabelPrint-->"C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
Classic PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
ConvertXtoDVD 3.2.0.52-->"C:\Program Files\VSO\ConvertX\3\unins000.exe"
Creative Audio Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Photo AIO Printer 922-->C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBTUNST.EXE -NOLICENSE
DFX for Windows Media Player-->C:\Program Files\DFX\uninstall_WMP.exe
Diagnosaurus-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F462B1-8606-4890-A4CC-BEFE59693B86}\Setup.exe" -l0x9 anything
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
DVDFab Platinum 4.1.0.2 by Team RES-->"C:\Program Files\DVDFab Platinum 3\unins000.exe"
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
ElsaWin-->C:\ElsaWin\bin\uninstall.exe
EVEREST Ultimate Edition v4.60-->"C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
FoxyTunes for Firefox-->"C:\Program Files\Mozilla Firefox\firefox.exe" -chrome chrome://foxytunes/content/extras/uninstallExtension.xul
G15A922EN-->MsiExec.exe /X{FDF0F423-F81F-4EA7-ABD1-AACBB60F3644}
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GPS TrackMaker®-->MsiExec.exe /X{79ED0EE7-098C-465F-A853-B17F6FC6CDD8}
GPSU version 4.20-->"C:\Program Files\GPS Utility\unins000.exe"
Half-Life® 2-->MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel® PRO Network Connections Software v9.2.4.11-->C:\Program Files\Intel\DMIX\uninst\DxSetup.exe /x /qr /le C:\DOCUME~1\Owner\LOCALS~1\Temp\PROSetDX\DMIX\\DxUninst.log
Intel® PROSafe for Wired Connections-->MsiExec.exe /I{36BD0774-6CD6-4FF9-A148-83CA09AC123E}
Intel® PROSafe for Wired Connections-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Linksys Wireless-G USB Network Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
MailNavigator v.1.10-->"C:\Documents and Settings\Terry\My Documents\Downloads\mnavi110\MailNavigator\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
MetaFrame Presentation Server Web Client (Minimal Installation)-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wficac.inf,DefaultUninstall
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP4 Video Converter 3-->C:\Program Files\ImTOO\MP4 Video Converter 3\Uninstall.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero Suite-->C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Nike+ Utility-->MsiExec.exe /X{309C137D-66B4-491B-9D21-F03892DAFD93}
Nokia Connectivity Cable Driver-->MsiExec.exe /X{C3F19A5F-35A8-4FDB-A6ED-0F4CE398DA48}
Nokia Flashing Cable Driver-->MsiExec.exe /X{2A0A6470-FD0F-4F45-9B11-85F3167DB943}
Nokia Map Loader-->MsiExec.exe /I{03528A01-7E5E-4C5F-94DF-1D8012E969EF}
Nokia NSeries Application Installer 6.82.17-->msiexec /qn /x {903F2FE9-1751-4894-9D10-702F3AA0D6D5}
Nokia NSeries Application Installer-->MsiExec.exe /I{903F2FE9-1751-4894-9D10-702F3AA0D6D5}
Nokia NSeries Content Copier 6.82.17-->msiexec /qn /x {BBC12E6C-C32F-470A-BF15-5A8C21066D1A}
Nokia NSeries Content Copier-->MsiExec.exe /X{BBC12E6C-C32F-470A-BF15-5A8C21066D1A}
Nokia NSeries Multimedia Player 6.82.17-->msiexec /qn /x {C701040C-9CBD-4321-9CA3-8305E3EA26B6}
Nokia NSeries Multimedia Player-->MsiExec.exe /I{C701040C-9CBD-4321-9CA3-8305E3EA26B6}
Nokia NSeries System Utilities 6.82.17-->msiexec /qn /x {B0CC883F-D14A-4EBA-9355-4D23B223CF05}
Nokia NSeries System Utilities-->MsiExec.exe /X{B0CC883F-D14A-4EBA-9355-4D23B223CF05}
Nokia Software Launcher-->MsiExec.exe /I{41BBDC08-ACFF-48C2-BD81-CA154C841351}
Nokia Software Updater-->MsiExec.exe /X{17BD85F9-3B88-4C85-BB47-4AB8DD68F8BB}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Online Alert Manager-->"C:\Program Files\WebMediaViewer\qttasku.exe"
OpenMG AAC Add-on Module 1.0.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3} UNINSTALL
OpenMG Limited Patch 4.5-06-05-12-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.5-06-05-12-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.5.01-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{3633BA28-67CE-4AC8-A677-3406CA84C3D8} UNINSTALL
PC Connectivity Solution-->MsiExec.exe /I{6094AB91-4CC8-498E-9DFF-134CC0B159DE}
Picture Package Music Transfer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE2121C6-C94D-4A73-8EA4-6943F33EE335}\setup.exe" -l0x9 /removeonly /cont -removeonly
PL-2303 USB-to-Serial-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
PowerDVD 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerStrip 3 (remove only)-->C:\Program Files\PowerStrip\uninstal.exe
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Recover My Files-->"C:\Program Files\GetData\Recover My Files\unins000.exe"
Secure-D-->MsiExec.exe /X{81907F71-5EAD-49AD-84B5-1B5CD170A884}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
SonicStage 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Sony Ericsson DRM Packager 1.21-->C:\Program Files\Sony Ericsson\DRM Packager\uninst.exe
Sony Ericsson PC Suite-->MsiExec.exe /I{D44778FA-4CA2-48E4-835E-DD872CA96971}
Sony Picture Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spb Diary-->C:\Program Files\Microsoft ActiveSync\Spb Diary\Uninstall.exe Spb Diary
Spb Pocket Plus-->C:\Program Files\Microsoft ActiveSync\Spb Pocket Plus\Uninstall.exe Spb Pocket Plus
Spb Weather-->C:\Program Files\Microsoft ActiveSync\Spb Weather\Uninstall.exe Spb Weather
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam™-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Suite Specific-->MsiExec.exe /I{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}
SUPER © Version 2008.bld.30 (Mar 22, 2008)-->C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
TCPMP-->C:\Program Files\Microsoft ActiveSync\TCPMP\Uninstall.exe TCPMP
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update Service-->C:\Program Files\Sony Ericsson\Update Service\uninst.exe
VideoLAN VLC media player 0.8.2-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix - KB894476-->"C:\WINDOWS\$NtUninstallKB894476$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.40-2-->"C:\Program Files\WinHTTrack\unins000.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD MPEG-4 Codec-->"C:\Program Files\XviD\UninstXviD.exe"
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"

======Security center information======

AV: McAfee VirusScan (disabled)
FW: McAfee Personal Firewall

System event log

Computer Name: CATHY_TEL
Event Code: 7035
Message: The PD91Engine service was successfully sent a start control.

Record Number: 87101
Source Name: Service Control Manager
Time Written: 20081128204431.000000+000
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: CATHY_TEL
Event Code: 7036
Message: The SSDP Discovery Service service entered the running state.

Record Number: 87100
Source Name: Service Control Manager
Time Written: 20081128204431.000000+000
Event Type: information
User:

Computer Name: CATHY_TEL
Event Code: 7036
Message: The ELSA Auftragsverwaltungs Service service entered the running state.

Record Number: 87099
Source Name: Service Control Manager
Time Written: 20081128204431.000000+000
Event Type: information
User:

Computer Name: CATHY_TEL
Event Code: 7035
Message: The SSDP Discovery Service service was successfully sent a start control.

Record Number: 87098
Source Name: Service Control Manager
Time Written: 20081128204430.000000+000
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: CATHY_TEL
Event Code: 7035
Message: The ELSA Auftragsverwaltungs Service service was successfully sent a start control.

Record Number: 87097
Source Name: Service Control Manager
Time Written: 20081128204430.000000+000
Event Type: information
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: CATHY_TEL
Event Code: 7
Message: Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

Record Number: 11649
Source Name: crypt32
Time Written: 20080520064359.000000+060
Event Type: information
User:

Computer Name: CATHY_TEL
Event Code: 0
Message:
Record Number: 11648
Source Name: iPod Service
Time Written: 20080520064228.000000+060
Event Type: information
User:

Computer Name: CATHY_TEL
Event Code: 5000
Message: McShield service started.

Engine version : 5200.2160

DAT version : 5297.0000



Number of signatures in EXTRA.DAT : None

Names of threats that EXTRA.DAT can detect : None

Record Number: 11647
Source Name: McLogEvent
Time Written: 20080520064211.000000+060
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: CATHY_TEL
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 11646
Source Name: SecurityCenter
Time Written: 20080520064204.000000+060
Event Type: information
User:

Computer Name: CATHY_TEL
Event Code: 0
Message:
Record Number: 11645
Source Name: iPod Service
Time Written: 20080519161347.000000+060
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\PROGRAM FILES\PC CONNECTIVITY SOLUTION\;%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM;C:\PROGRAM FILES\INTEL\DMIX;C:\PROGRAM FILES\COMMON FILES\TELECA SHARED;C:\PROGRAM FILES\COMMON FILES\ADOBE\AGL;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:26 PM

Posted 23 December 2008 - 05:39 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


A clean install won't help, but we should be able to clean this up without having to resort to a complete format.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.



===========


If you lose your connection after running Combofix, follow these steps to restore it.


Run Hijackthis, located here: C:\Program Files\Trend Micro\HijackThis\Terry.exe

Click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>




Reboot your computer and your connection will be restored.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 terry999

terry999
  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:26 PM

Posted 24 December 2008 - 03:44 PM

Hello Sam,

Thank you very much for the reply, I am away from my home computer but will be back on the 26th Dec and will post the log straight away.

Wishing you a very happy Christmas.

Kind regards,

Terry

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:26 PM

Posted 25 December 2008 - 06:43 PM

Sounds good! I'll be around. :thumbsup:

#5 terry999

terry999
  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:26 PM

Posted 26 December 2008 - 07:17 AM

Hi Sam,

I've run the ComboFix program and the log file is below. When powering up the machine today I noticed the following:

A lot of HD activity.
An install agreement for "videosoft setup" appeared upon starting Windows - which I declined
McAfee repeatedly came up with the following notices: Generic!atr, Generic.dx, DNSChanger.o, prcviewer, C:autorun.inf - all listed as "repaired"
I found a directory C:\resycled

Since running ComboFix and logging on to post this log file, none of the above has happened again (so far)

Kind regards,

Terry


ComboFix 08-12-25.04 - Terry 2008-12-26 11:56:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1631 [GMT 0:00]
Running from: c:\documents and settings\Terry\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Terry\Application Data\inst.exe
c:\program files\tintinyproxyy\tinyproxy.exe
C:\resycled
c:\resycled\boot.com
c:\windows\system32\drivers\msqpdxserv.sys

----- BITS: Possible infected sites -----

hxxp://b9n.org
c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACRONIS_SCHEDULER2_SERVICE_(ACRSCH2SVC)_
-------\Legacy_HELP_AND_SUPPORT_(HELPSVC)_
-------\Legacy_MACHINE_DEBUG_MANAGER_(MDM)_
-------\Legacy_MCAFEE_NETWORK_AGENT_(MCNASVC)_
-------\Service_Acronis Scheduler2 Service (AcrSch2Svc)
-------\Service_Help and Support (helpsvc)
-------\Service_Machine Debug Manager (MDM)
-------\Service_McAfee Network Agent (McNASvc)


((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Lavasoft
2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-23 14:23 . 2008-12-23 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 10:30 . 2008-12-23 10:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 10:30 . 2008-12-23 10:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 21:55 . 2008-12-22 21:56 <DIR> d-------- C:\rsit
2008-12-22 16:38 . 2008-12-26 11:59 <DIR> d-------- c:\program files\tintinyproxyy
2008-12-22 16:23 . 2008-12-23 12:22 <DIR> d--hs---- c:\windows\system32\EE080C984C25D3E0
2008-12-22 15:54 . 2008-12-22 15:54 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 15:53 . 2008-12-22 15:53 55,296 --a------ c:\windows\system32\delme1.old
2008-12-22 15:52 . 2008-04-14 00:12 26,112 --a------ c:\windows\system32\stu2.exe
2008-12-22 15:22 . 2008-12-22 15:22 24,576 --a------ c:\windows\system32\VundoFixSVC.exe
2008-12-22 15:06 . 2008-12-22 16:14 <DIR> d-------- C:\VundoFix Backups
2008-12-22 11:12 . 2008-12-22 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-22 11:11 . 2005-07-14 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-12-22 11:11 . 2005-07-14 14:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-22 11:11 . 2005-07-14 14:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-22 11:11 . 2007-05-14 11:18 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-22 11:11 . 2008-12-22 11:16 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 10:54 . 2008-12-22 10:54 <DIR> d-------- c:\documents and settings\Terry\Application Data\Malwarebytes
2008-12-22 10:53 . 2008-12-22 10:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:53 . 2008-12-22 10:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:53 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:53 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 21:22 . 2008-12-18 21:22 <DIR> d-------- c:\windows\system32\IOSUBSYS
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\program files\iPod
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 21:47 . 2008-12-12 21:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2008-12-08 10:14 . 2008-12-11 23:09 <DIR> d-------- c:\documents and settings\Terry\.blurb
2008-12-08 10:13 . 2008-12-08 20:52 <DIR> d-------- c:\program files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 13:08 --------- d-----w c:\program files\Java
2008-12-22 16:08 --------- d-----w c:\program files\Raxco
2008-12-22 14:30 --------- d-----w c:\program files\BitTorrent
2008-12-22 14:28 --------- d-----w c:\program files\Google
2008-12-14 20:17 --------- d-----w c:\program files\iTunes
2008-12-14 20:17 --------- d-----w c:\program files\Common Files\Apple
2008-12-14 20:16 --------- d-----w c:\program files\QuickTime
2008-12-14 20:01 --------- d-----w c:\program files\Apple Software Update
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-19 16:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-19 16:13 --------- d-----w c:\program files\McAfee
2008-11-07 14:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-11-06 14:31 --------- d-----w c:\program files\Diagnose-BK
2008-11-06 12:10 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 11:38 --------- d-----w c:\documents and settings\Terry\Application Data\U3
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-08-31 15:33 28,496 ----a-w c:\documents and settings\Terry\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 13:42 47,360 ----a-w c:\documents and settings\Terry\Application Data\pcouffin.sys
2007-05-06 14:11 87,608 ----a-w c:\documents and settings\Terry\Application Data\ezpinst.exe
2005-10-26 14:48 27,328 ----a-w c:\documents and settings\Cathy\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-10-01 3104768]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"CTHelper"="CTHELPER.EXE" [2003-10-06 c:\windows\system32\CTHELPER.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dugvwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"MSACM.CEGSM"= mobilev.acm
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2005-04-22 07:45 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-06-09 21:32 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-12-14 00:06 495616 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2006-05-08 04:17 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 21:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 15:16 1495040 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-11-06 147456]
R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2008-11-06 233472]
R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2008-11-06 217088]
R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2008-11-06 368640]
R2 LcSvrSaz;ELSA APOSpro Server;c:\elsawin\bin\LcSvrSaz.exe [2008-11-06 233472]
R2 PStrip;PStrip;c:\windows\system32\drivers\PStrip.sys [2004-11-09 21968]
R2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSgate.exe [2008-11-06 81920]
R2 WUSB54GSv2SVC;WUSB54GSv2SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe" [2006-01-16 41025]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2008-11-06 1306624]
S2 EE080C984C25D3E0;EE080C984C25D3E0;\??\c:\windows\system32\EE080C984C25D3E0\EE080C984C25D3E0 []
S3 jatmlano;jatmlano;\??\c:\docume~1\Cathy\LOCALS~1\Temp\jatmlano.sys []
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-10-08 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-10-08 8320]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\c:\docume~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPMPR5.SYS []
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;\??\c:\docume~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPNDIS5.SYS [2008-06-19 16000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9541cf62-0d6f-11da-a1e9-d728f3c42585}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a52942-8ccd-11dd-aa81-0014bf797589}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-04-08 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-04-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-26 c:\windows\Tasks\ypfmvmst.job
- c:\windows\SYSTEM32\rundll32.exe [2008-04-14 00:12]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ashampoo PopUpBlocker - c:\progra~1\Ashampoo\ASHAMP~1\PopUpKiller.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.whatwashomepage.com/?q=http://www.whatwashomepage.com/?q=http://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll
FF - ProfilePath - c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\ad276asb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\ad276asb.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 12:01:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EE080C984C25D3E0]
"ImagePath"="\??\c:\windows\system32\EE080C984C25D3E0\EE080C984C25D3E0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxmeycdewu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2008-12-26 12:04:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-26 12:04:14

Pre-Run: 67,706,789,888 bytes free
Post-Run: 67,672,674,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

306 --- E O F --- 2008-12-17 21:16:27
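The HijackThis fix in post #2 (removing the HKCU ProxyServer = http=127.0.0.1:9090 and ProxyOverride lines) and the ComboFix log above (AppInit_DLLs set to dugvwd.dll, cached AutoRun commands under MountPoints2, C:\Autorun.inf deleted) all point at registry locations a responder can audit directly. The PowerShell script below is an added example; it is not part of the thread and not code from ComboFix, HijackThis or any other tool mentioned here. It reports a loopback proxy, a non-empty AppInit_DLLs value and any cached AutoRun commands, and clears the proxy only when run with the hypothetical -Remove switch. It assumes a current Windows host with PowerShell (the XP machine in this thread predates PowerShell being standard); the key paths and value names it reads are the real ones shown in the log.

```powershell
# Added example, not from the thread: audit three persistence points that
# appear in the ComboFix log. Run from an elevated PowerShell prompt.
# -Remove is a hypothetical switch that clears a loopback proxy once you have
# confirmed it is unwanted; without it the script only reports.
param([switch]$Remove)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = @()

# 1. Proxy hijack: the HijackThis lines in post #2 show
#    ProxyServer = http=127.0.0.1:9090, i.e. a local proxy (tinyproxy in the
#    log) placed in front of every browser request.
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyServer -and $p.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings += "Loopback proxy configured: $($p.ProxyServer) (ProxyEnable=$($p.ProxyEnable))"
    if ($Remove) {
        # Same two values the HijackThis fix removes, plus turning the proxy off.
        Remove-ItemProperty -Path $inet -Name ProxyServer, ProxyOverride -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
    }
}

# 2. AppInit_DLLs: the log shows "AppInit_DLLs"=dugvwd.dll. Anything listed
#    here is loaded into every process that loads user32.dll, so a clean
#    machine normally has the value empty.
$winKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appinit) { $findings += "AppInit_DLLs is set: $appinit" }

# 3. AutoRun commands Explorer cached for removable drives (MountPoints2),
#    matching the F:\LaunchU3.exe / F:\setupSNK.exe entries in the log.
#    Review each one: a stray autorun.inf is how the infection can ride a USB
#    drive, which was Terry's question in the first post.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' -and $_.PSPath -match 'AutoRun' } |
    ForEach-Object {
        $cmd = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $findings += "AutoRun command cached: $cmd"
    }

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No loopback proxy, AppInit_DLLs entry or cached AutoRun command found.'
}
```

Each check mirrors a line that actually appears in this thread's logs, so on a machine in the state the ComboFix log describes the script would print all three findings; on a clean host it prints only the final line. Clearing AppInit_DLLs or the cached AutoRun commands is left to the helper's instructions rather than automated here, because those values can also be set by legitimate software.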

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:26 PM

Posted 26 December 2008 - 10:51 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
msqpdxserv.sys
EE080C984C25D3E0
jatmlano

Folder::
C:\VundoFix Backups
c:\program files\tintinyproxyy

File::
c:\windows\system32\VundoFixSVC.exe
c:\windows\system32\delme1.old
c:\windows\system32\stu2.exe

Dirlook::
c:\windows\system32\EE080C984C25D3E0
c:\program files\tintinyproxyy

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



===============



Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
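The fix script above is built from three kinds of entries the helper spotted in the earlier ComboFix log: a DLL in AppInit_DLLs, a hidden/system directory with a hex-only name under system32, and a scheduled task whose only action is rundll32.exe. The following script is an added example (my own, not part of ComboFix, GMER or anything posted in this thread) that runs those three checks over ComboFix-style log text; the sample log is constructed from lines shown in this thread, and the "hex-only directory name" and "rundll32-only task" heuristics are this example's assumptions, not fields ComboFix reports.

```python
"""Triage of ComboFix-style log lines (added example, not ComboFix's own code)."""
import re
from typing import Dict, List

# Line layouts this example understands (modelled on the ComboFix output
# in this thread: "Files Created" entries, "Reg Loading Points" values and
# the "Scheduled Tasks" job/action pairs).
DIR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} <DIR> "
    r"(?P<attrs>\S+) (?P<path>.+)$"
)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TASK_ACTION_RE = re.compile(r"^- (?P<target>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
# Assumption: a directory whose name is nothing but 8+ hex digits is worth a look.
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Constructed sample: lines copied from the logs in this thread, plus two
# benign entries (Lavasoft directory, Apple updater task) as controls.
SAMPLE_LOG = r"""
2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Lavasoft
2008-12-22 16:23 . 2008-12-23 12:22 <DIR> d--hs---- c:\windows\system32\EE080C984C25D3E0
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dugvwd.dll
2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-12-27 c:\windows\Tasks\ypfmvmst.job
- c:\windows\SYSTEM32\rundll32.exe [2008-04-14 00:12]
"""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings in log order; each has a kind, the value and a reason."""
    findings: List[Dict[str, str]] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]

        m = DIR_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            name = path.rsplit("\\", 1)[-1]
            reasons = []
            if path.lower().startswith(SYSTEM32_PREFIX):
                # ComboFix prints attribute flags like d--hs----: h = hidden, s = system.
                if "h" in attrs and "s" in attrs:
                    reasons.append("hidden+system directory under system32")
                if HEX_NAME_RE.match(name):
                    reasons.append("hex-only directory name")
            if reasons:
                findings.append({"kind": "suspicious_dir", "value": path,
                                 "reason": "; ".join(reasons)})
            i += 1
            continue

        m = APPINIT_RE.match(line)
        if m:
            value = m.group("value").strip()
            if value:
                # AppInit_DLLs is loaded into every process that maps user32.dll,
                # so any non-empty value on a home PC deserves a second look.
                findings.append({"kind": "appinit_dll", "value": value,
                                 "reason": "non-empty AppInit_DLLs"})
            i += 1
            continue

        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            action = TASK_ACTION_RE.match(lines[i + 1])
            if action:
                target = action.group("target")
                if target.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
                    # rundll32.exe alone as the task target hides which DLL is run.
                    findings.append({"kind": "rundll32_task", "value": m.group("job"),
                                     "reason": "task action is bare rundll32.exe"})
                i += 2
                continue
        i += 1
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['value']}  ({f['reason']})")
```

The benign control lines are there deliberately: the Lavasoft directory and the Apple updater task produce no finding, which is the behaviour a triage filter has to get right before it is useful on a full log.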

#7 terry999

terry999
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 27 December 2008 - 06:00 AM

Dear Sam,

The two new log files are done. I haven't noticed the computer doing anything "unusual" while running the two programs.

Cheers,

Terry



ComboFix 08-12-25.04 - Terry 2008-12-27 7:12:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1517 [GMT 0:00]
Running from: c:\documents and settings\Terry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Terry\Desktop\cfscript
* Created a new restore point

FILE ::
c:\windows\system32\delme1.old
c:\windows\system32\stu2.exe
c:\windows\system32\VundoFixSVC.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\tintinyproxyy
C:\VundoFix Backups
c:\vundofix backups\NCTAVIFile.dll.bad
c:\vundofix backups\NCTQuickTimeFile.dll.bad
c:\vundofix backups\NCTRMFile.dll.bad
c:\vundofix backups\NCTVideoCoreM.dll.bad
c:\windows\system32\delme1.old
c:\windows\system32\stu2.exe
c:\windows\system32\VundoFixSVC.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EE080C984C25D3E0
-------\Legacy_JATMLANO
-------\Service_EE080C984C25D3E0
-------\Service_jatmlano
-------\Service_msqpdxserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Lavasoft
2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-23 14:23 . 2008-12-23 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 10:30 . 2008-12-23 10:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 10:30 . 2008-12-23 10:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 21:55 . 2008-12-22 21:56 <DIR> d-------- C:\rsit
2008-12-22 16:23 . 2008-12-23 12:22 <DIR> d--hs---- c:\windows\system32\EE080C984C25D3E0
2008-12-22 15:54 . 2008-12-22 15:54 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 11:12 . 2008-12-22 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-22 11:11 . 2005-07-14 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-12-22 11:11 . 2005-07-14 14:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-22 11:11 . 2005-07-14 14:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-22 11:11 . 2007-05-14 11:18 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-22 11:11 . 2008-12-22 11:16 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 10:54 . 2008-12-22 10:54 <DIR> d-------- c:\documents and settings\Terry\Application Data\Malwarebytes
2008-12-22 10:53 . 2008-12-22 10:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:53 . 2008-12-22 10:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:53 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:53 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 21:22 . 2008-12-18 21:22 <DIR> d-------- c:\windows\system32\IOSUBSYS
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\program files\iPod
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 21:47 . 2008-12-12 21:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2008-12-08 10:14 . 2008-12-11 23:09 <DIR> d-------- c:\documents and settings\Terry\.blurb
2008-12-08 10:13 . 2008-12-08 20:52 <DIR> d-------- c:\program files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 13:08 --------- d-----w c:\program files\Java
2008-12-22 16:08 --------- d-----w c:\program files\Raxco
2008-12-22 14:30 --------- d-----w c:\program files\BitTorrent
2008-12-22 14:28 --------- d-----w c:\program files\Google
2008-12-14 20:17 --------- d-----w c:\program files\iTunes
2008-12-14 20:17 --------- d-----w c:\program files\Common Files\Apple
2008-12-14 20:16 --------- d-----w c:\program files\QuickTime
2008-12-14 20:01 --------- d-----w c:\program files\Apple Software Update
2008-11-19 16:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-19 16:13 --------- d-----w c:\program files\McAfee
2008-11-07 14:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-11-06 14:31 --------- d-----w c:\program files\Diagnose-BK
2008-11-06 12:10 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 11:38 --------- d-----w c:\documents and settings\Terry\Application Data\U3
2008-08-31 15:33 28,496 ----a-w c:\documents and settings\Terry\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 13:42 47,360 ----a-w c:\documents and settings\Terry\Application Data\pcouffin.sys
2007-05-06 14:11 87,608 ----a-w c:\documents and settings\Terry\Application Data\ezpinst.exe
2005-10-26 14:48 27,328 ----a-w c:\documents and settings\Cathy\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w c:\windows\system32\Smab0.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\tintinyproxyy ----


---- Directory of c:\windows\system32\EE080C984C25D3E0 ----



((((((((((((((((((((((((((((( snapshot@2008-12-26_12.03.40.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-26 10:58:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-27 07:10:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-26 10:58:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-27 07:10:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-27 07:19:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-10-01 3104768]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"CTHelper"="CTHELPER.EXE" [2003-10-06 c:\windows\system32\CTHELPER.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dugvwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"MSACM.CEGSM"= mobilev.acm
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2005-04-22 07:45 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-06-09 21:32 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-12-14 00:06 495616 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2006-05-08 04:17 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 21:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 15:16 1495040 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-11-06 147456]
R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2008-11-06 233472]
R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2008-11-06 217088]
R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2008-11-06 368640]
R2 LcSvrSaz;ELSA APOSpro Server;c:\elsawin\bin\LcSvrSaz.exe [2008-11-06 233472]
R2 PStrip;PStrip;c:\windows\system32\drivers\PStrip.sys [2004-11-09 21968]
R2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSgate.exe [2008-11-06 81920]
R2 WUSB54GSv2SVC;WUSB54GSv2SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe" [2006-01-16 41025]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2008-11-06 1306624]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-10-08 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-10-08 8320]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\c:\docume~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPMPR5.SYS []
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;\??\c:\docume~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPNDIS5.SYS [2008-06-19 16000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9541cf62-0d6f-11da-a1e9-d728f3c42585}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a52942-8ccd-11dd-aa81-0014bf797589}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-04-08 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-04-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-27 c:\windows\Tasks\ypfmvmst.job
- c:\windows\SYSTEM32\rundll32.exe [2008-04-14 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.whatwashomepage.com/?q=http://www.whatwashomepage.com/?q=http://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll
FF - ProfilePath - c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\ad276asb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\ad276asb.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 07:19:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2008-12-27 7:21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 07:21:47
ComboFix2.txt 2008-12-26 12:04:23

Pre-Run: 67,717,541,888 bytes free
Post-Run: 67,646,152,704 bytes free

269 --- E O F --- 2008-12-17 21:16:27





GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-27 10:47:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spvy.sys ZwCreateKey [0xB9EAB0E0]
SSDT spvy.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spvy.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spvy.sys ZwOpenKey [0xB9EAB0C0]
SSDT spvy.sys ZwQueryKey [0xB9EC9108]
SSDT spvy.sys ZwQueryValueKey [0xB9EC8F88]
SSDT spvy.sys ZwSetValueKey [0xB9EC919A]

INT 0x62 ? 8AA9FBF8
INT 0x63 ? 8AB0FBF8
INT 0x84 ? 89F72F00
INT 0x94 ? 89F72F00
INT 0xA4 ? 89F72F00
INT 0xB4 ? 89F72F00

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAC7BD9D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAC7BD97D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAC7BD996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAC7BDA12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAC7BD950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAC7BD964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAC7BD9E6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAC7BD9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAC7BD9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAC7BDA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAC7BDA28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAC7BD9FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AC7BDA00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AC7BD9D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AC7BDA16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AC7BDA2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AC7BD9EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP AC7BD954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP AC7BD968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AC7BD9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP AC7BD99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP AC7BD981 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AC7BD9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP AC7BDA45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spvy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B84408AC 5 Bytes JMP 89F724E0

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F75
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F86
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00F97
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00FA8
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00040
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F49
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00091
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00F13
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00F38
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D000C7
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D00F5A
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D0001B
.text C:\WINDOWS\system32\svchost.exe[484] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D000B6
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CF001E
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CF0FDE
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CF0FA8
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\svchost.exe[484] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CF002F
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F5B
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F76
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070050
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070033
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F34
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007007C
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700CD
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B2
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700DE
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0007006B
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070097
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F7E
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40FA3
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F4007D
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40FC0
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F35
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F5C
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400A2
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F09
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F40EF8
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F40058
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F40F6D
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F40F24
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F30F6F
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F30011
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F30FDB
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F30F8A
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F30FA5
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 13, 89 ]
.text C:\WINDOWS\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F3002C
.text C:\WINDOWS\system32\lsass.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F6B
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10056
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10045
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10F7C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F2B
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F46
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100B0
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D1009F
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D100C1
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D10F8D
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D10071
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D1008E
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D00051
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D0009B
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D0002C
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F0, 88 ]
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D0006C
.text C:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F92
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0087
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF006C
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0051
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0036
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F66
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F77
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF00FF
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF00E4
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CF0110
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CF00A2
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CF00C9
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CE0FAF
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CE0FC0
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CE0F9E
.text C:\WINDOWS\system32\svchost.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC000A
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 029A0FEF
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 029A0047
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 029A0036
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 029A0F68
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 029A0F83
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 029A0FB9
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 029A0073
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029A0F37
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 029A0EEE
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 029A0EFF
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 029A0EDD
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 029A0F9E
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 029A000A
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 029A0062
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 029A0FCA
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 029A001B
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 029A0F10
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02900033
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02900F91
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02900022
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02900011
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02900FAC
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02900000
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02900FBD
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ B0, 8A ]
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02900044
.text C:\WINDOWS\System32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02820FE5
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 02830FE5
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 02830000
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 02830027
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 02830FD4
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F5E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F79
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065005D
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650040
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0065007A
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F32
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650EF2
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F17
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00650ED7
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00650F43
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0065002F
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00650095
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00640FAF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00640051
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00640F94
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 84, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800FA5
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800FB6
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080008E
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0080007D
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000D2
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800F8A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800108
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C80236B 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA + 2 7C80236D 3 Bytes [ EB, FF, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00800F4A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800062
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 008000B5
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 008000ED
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0036
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F0F97
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F0025
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F0014
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F0FA8
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007F0FB9
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9F, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F50
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F61
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F72
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50F8D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50014
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B50F0E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50060
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50ED8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50071
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B50EC7
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B5002F
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B50F35
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B50EF3
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B40040
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B40076
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B40FC3
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B40065
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00880000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00880F80
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00880075
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00880F91
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00880FA2
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0088003D
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00880090
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00880F48
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008800D0
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00880F37
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 008800E1
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0088004E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00880FDB
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00880F6F
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00880022
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00880011
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 008800B5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00870FD4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0087004A
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00870FEF
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00870025
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00870F97
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00870FA8
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ A7, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00870FC3
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00850FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1744] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01BC0FEF
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01BC006C
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01BC0F77
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01BC0F94
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01BC0051
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01BC0FAF
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01BC0F35
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01BC0087
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01BC00C4
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01BC00A9
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01BC00DF
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01BC0036
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01BC000A
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01BC0F5C
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01BC001B
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01BC0FCA
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01BC0098
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0129003D
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01290073
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0129002C
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0129001B
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01290FAC
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01290000
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0129004E
.text C:\WINDOWS\Explorer.EXE[2032] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01290FD1
.text C:\WINDOWS\Explorer.EXE[2032] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\Explorer.EXE[2032] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\Explorer.EXE[2032] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2032] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00B60FB7
.text C:\WINDOWS\Explorer.EXE[2032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F66
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F81
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0047
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B009D
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F30
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00C9
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0F1F
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0FC0
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0076
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0FDB
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[3772] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00AE
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\wuauclt.exe[3772] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C000A

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spvy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spvy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spvy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spvy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spvy.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AB0E1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 89F80500

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A039500
Device \Driver\usbuhci \Device\USBPDO-1 8A039500
Device \Driver\usbuhci \Device\USBPDO-2 8A039500
Device \Driver\usbehci \Device\USBPDO-3 8A024500
Device \Driver\usbuhci \Device\USBPDO-4 8A039500

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AB101F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8AB101F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\Cdrom \Device\CdRom0 89F271F8
Device \Driver\iastor \Device\Ide\iaStor0 8AB0F1F8
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 8AB0F1F8
Device \Driver\Cdrom \Device\CdRom1 89F271F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AB101F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\NetBT \Device\NetBt_Wins_Export 88C11500
Device \Driver\NetBT \Device\NetbiosSmb 88C11500

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A039500
Device \Driver\usbuhci \Device\USBFDO-1 8A039500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88BD8500
Device \Driver\usbuhci \Device\USBFDO-2 8A039500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88BD8500
Device \Driver\usbuhci \Device\USBFDO-3 8A039500
Device \Driver\usbehci \Device\USBFDO-4 8A024500
Device \Driver\Ftdisk \Device\FtControl 8AB101F8
Device \FileSystem\Fastfat \Fat 89F80500

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 88A2F500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b00c493
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b00c493@080028a9c3ea 0x77 0xFD 0xD6 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0x5F 0x64 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00025b00c493
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00025b00c493@080028a9c3ea 0x77 0xFD 0xD6 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x14 0x5F 0x64 0x26 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0x7D 0x8A 0x81 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

---- EOF - GMER 1.0.14 ----
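
The user-mode hook list above is worth reading with one question in mind: where do the JMP targets go? Every listed system process (services.exe, lsass.exe, each svchost.exe, Explorer.EXE, wuauclt.exe) has the same set of APIs overwritten with a 5-byte JMP: file creation, library loading, GetProcAddress, process creation, pipes, registry open/create, socket, and in some processes the WinInet open calls. After each target address GMER prints nothing, meaning it could not attribute the target to any loaded image; the code being jumped to lives in private, unbacked memory, and the targets within one process cluster in a few 64 KiB regions (0x0004xxxx, 0x0006xxxx, 0x0007xxxx in services.exe). Compare the two mcproxy.exe lines, where the target is attributed to mcproxy.exe itself with a McAfee description: that is a product hooking its own process. The "2 Bytes JMP" on RegCreateKeyW followed by a "+ 3 2 Bytes [ .. ]" patch is most likely the same 5-byte overwrite reported in pieces, since GMER lists the bytes that differ from the file on disk. The kernel IAT entries show atapi.sys port I/O routed through spvy.sys; taken with the sptd registry keys that point at Alcohol 120%, the usual reading is the SPTD disc-emulation driver rather than part of the infection.

The script below is an added example, not part of this thread and not GMER's own code. It parses lines in the format this log uses, separates hooks that GMER attributed to a module from JMPs into unbacked memory and from raw byte patches, and reports which APIs are hooked in every affected process. The sample log is a handful of lines copied from the output above; the line format and the "no owner means unbacked" rule are assumptions drawn from this GMER 1.0.14 output, not a documented GMER specification.

```python
import re
from collections import defaultdict

# A few lines copied from the GMER 1.0.14 output in this thread (the final
# "IAT" line is included to show that lines from other sections are skipped).
SAMPLE_LOG = r""".text C:\WINDOWS\system32\services.exe[696] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070097
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[708] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F40F24
.text C:\WINDOWS\system32\lsass.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spvy.sys
"""

# One ".text" user-mode hook line, as observed in this log (assumed format):
#   .text <process>[<pid>] <module>!<function>[ + <off>] <addr> <n> Byte(s) <rest>
# where <rest> is "JMP <target> [<owner module> (<description>)]" or "[ xx, xx ]".
_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
_JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$")
_BYTES_RE = re.compile(r"^\[\s*(?P<bytes>[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\s*\]$")


def parse_hook(line):
    """Parse one '.text' hook line into a dict; return None for any other line."""
    m = _HOOK_RE.match(line.strip())
    if not m:
        return None
    func = m["func"]
    hook = {
        "proc": m["proc"], "pid": int(m["pid"]),
        "symbol": f"{m['mod']}!{func.split(' + ')[0]}",   # e.g. kernel32.dll!WinExec
        "offset": int(func.split(" + ")[1]) if " + " in func else 0,
        "addr": int(m["addr"], 16), "size": int(m["n"]),
        "target": None, "owner": None, "bytes": None,
    }
    rest = m["rest"].strip()
    j, b = _JMP_RE.match(rest), _BYTES_RE.match(rest)
    if j:
        hook["target"] = int(j["target"], 16)
        hook["owner"] = j["owner"]              # None when GMER printed no module
    elif b:
        hook["bytes"] = [int(x, 16) for x in b["bytes"].split(",")]
    else:
        return None
    return hook


def classify(hook):
    """Heuristic: a JMP GMER could not attribute to a loaded image is injected code."""
    if hook["target"] is None:
        return "inline-patch"      # raw bytes, usually the tail of a split overwrite
    if hook["owner"]:
        return "module-backed"     # target attributed to a module; check the vendor
    return "unbacked-jmp"          # target in private memory: no legitimate owner


def summarize(text):
    """Classify every hook line and find the API set hooked in all affected processes."""
    report = {"unbacked-jmp": [], "module-backed": [], "inline-patch": []}
    hooked_apis = defaultdict(set)     # (proc, pid) -> APIs with unbacked JMP hooks
    regions = defaultdict(set)         # (proc, pid) -> 64 KiB regions the JMPs land in
    for line in text.splitlines():
        h = parse_hook(line)
        if h is None:
            continue
        kind = classify(h)
        report[kind].append(h)
        if kind == "unbacked-jmp":
            key = (h["proc"], h["pid"])
            hooked_apis[key].add(h["symbol"])
            regions[key].add(h["target"] & ~0xFFFF)
    report["common"] = set.intersection(*hooked_apis.values()) if hooked_apis else set()
    report["regions"] = dict(regions)
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for h in r["unbacked-jmp"]:
        print(f"{h['proc']}[{h['pid']}] {h['symbol']} -> {h['target']:08X}  (no owning module)")
    for h in r["module-backed"]:
        print(f"{h['proc']}[{h['pid']}] {h['symbol']} -> {h['owner']}")
    print("hooked in every affected process:", sorted(r["common"]))
```

Feed the whole GMER output to `summarize` rather than the sample to get the per-process picture for a real log. The owner check is only a first pass: a hook whose target GMER attributes to a module is not automatically benign, it just gives you a path and vendor string to judge, as the mcproxy.exe lines do here.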

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 December 2008 - 11:45 AM

Once more and we should be good.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Folder::
c:\windows\system32\EE080C984C25D3E0

File::
c:\windows\Tasks\ypfmvmst.job

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



How is your computer behaving now? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 terry999

  • Topic Starter

  • Members
  • 6 posts

Posted 28 December 2008 - 09:38 AM

Hi Sam,

Things seem much better!

I am on night shifts at the moment so not had much time to use the computer. I've tried using IE and firefox for about an hour now and no obvious problems - pop-ups or programs trying to install.

Your help has been very much appreciated :thumbsup:

My McAfee year updates finish soon. I was thinking of buying Kaspersky 2009 this time round. Do you have any personal preference on security software?

One last question, I promise: I've not attached my external HD for a couple of months so I think this is unaffected. But I've attached a couple of camera memory cards recently. The malware/virus that you have found, is it likely to have transferred to these cards?

Thanks again for your time with this.

Kind regards,

Terry


ComboFix 08-12-25.04 - Terry 2008-12-28 6:46:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1577 [GMT 0:00]
Running from: c:\documents and settings\Terry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Terry\Desktop\cfscript
* Created a new restore point

FILE ::
c:\windows\Tasks\ypfmvmst.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\EE080C984C25D3E0
c:\windows\Tasks\ypfmvmst.job

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-27 07:25 . 2008-12-27 07:25 <DIR> d-------- C:\gmer
2008-12-27 07:25 . 2008-12-27 07:29 345 --a------ c:\windows\gmer.ini
2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Lavasoft
2008-12-23 14:23 . 2008-12-23 14:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-23 14:23 . 2008-12-23 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 10:30 . 2008-12-23 10:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 10:30 . 2008-12-23 10:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 21:55 . 2008-12-22 21:56 <DIR> d-------- C:\rsit
2008-12-22 15:54 . 2008-12-22 15:54 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 11:12 . 2008-12-22 11:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-22 11:11 . 2005-07-14 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-12-22 11:11 . 2005-07-14 14:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-22 11:11 . 2005-07-14 14:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-22 11:11 . 2007-05-14 11:18 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-22 11:11 . 2008-12-22 11:16 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 10:54 . 2008-12-22 10:54 <DIR> d-------- c:\documents and settings\Terry\Application Data\Malwarebytes
2008-12-22 10:53 . 2008-12-22 10:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:53 . 2008-12-22 10:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:53 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:53 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 21:22 . 2008-12-18 21:22 <DIR> d-------- c:\windows\system32\IOSUBSYS
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\program files\iPod
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 21:47 . 2008-12-12 21:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2008-12-08 10:14 . 2008-12-11 23:09 <DIR> d-------- c:\documents and settings\Terry\.blurb
2008-12-08 10:13 . 2008-12-08 20:52 <DIR> d-------- c:\program files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 13:08 --------- d-----w c:\program files\Java
2008-12-22 16:08 --------- d-----w c:\program files\Raxco
2008-12-22 14:30 --------- d-----w c:\program files\BitTorrent
2008-12-22 14:28 --------- d-----w c:\program files\Google
2008-12-14 20:17 --------- d-----w c:\program files\iTunes
2008-12-14 20:17 --------- d-----w c:\program files\Common Files\Apple
2008-12-14 20:16 --------- d-----w c:\program files\QuickTime
2008-12-14 20:01 --------- d-----w c:\program files\Apple Software Update
2008-11-19 16:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-19 16:13 --------- d-----w c:\program files\McAfee
2008-11-07 14:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-11-06 14:31 --------- d-----w c:\program files\Diagnose-BK
2008-11-06 12:10 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 11:38 --------- d-----w c:\documents and settings\Terry\Application Data\U3
2008-08-31 15:33 28,496 ----a-w c:\documents and settings\Terry\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 13:42 47,360 ----a-w c:\documents and settings\Terry\Application Data\pcouffin.sys
2007-05-06 14:11 87,608 ----a-w c:\documents and settings\Terry\Application Data\ezpinst.exe
2005-10-26 14:48 27,328 ----a-w c:\documents and settings\Cathy\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-26_12.03.40.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 07:25:43 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 21:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-12-26 10:58:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-28 06:43:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-26 10:58:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-28 06:43:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-27 07:25:43 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-28 06:53:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-10-01 3104768]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"CTHelper"="CTHELPER.EXE" [2003-10-06 c:\windows\system32\CTHELPER.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dugvwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"MSACM.CEGSM"= mobilev.acm
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2005-04-22 07:45 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-06-09 21:32 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-12-14 00:06 495616 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2006-05-08 04:17 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 21:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 15:16 1495040 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-11-06 147456]
R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2008-11-06 233472]
R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2008-11-06 217088]
R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2008-11-06 368640]
R2 LcSvrSaz;ELSA APOSpro Server;c:\elsawin\bin\LcSvrSaz.exe [2008-11-06 233472]
R2 PStrip;PStrip;c:\windows\system32\drivers\PStrip.sys [2004-11-09 21968]
R2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSgate.exe [2008-11-06 81920]
R2 WUSB54GSv2SVC;WUSB54GSv2SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe" [2006-01-16 41025]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2008-11-06 1306624]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-10-08 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-10-08 8320]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\c:\docume~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPMPR5.SYS []
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;\??\c:\docume~1\Terry\MYDOCU~1\DOWNLO~1\ROUTER~1\WAG54G~1\UPGRAD~1\SCPNDIS5.SYS [2008-06-19 16000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9541cf62-0d6f-11da-a1e9-d728f3c42585}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a52942-8ccd-11dd-aa81-0014bf797589}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-04-08 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-04-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.whatwashomepage.com/?q=http://www.whatwashomepage.com/?q=http://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll
FF - ProfilePath - c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\ad276asb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\ad276asb.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 07:05:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-28 7:07:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 07:07:24
ComboFix2.txt 2008-12-27 07:21:52
ComboFix3.txt 2008-12-26 12:04:23

Pre-Run: 67,716,550,656 bytes free
Post-Run: 67,643,863,040 bytes free

254 --- E O F --- 2008-12-17 21:16:27
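
A helper reads a ComboFix log like the one above as a list of loading points. The lines that decide whether the machine is clean are the AppInit_DLLs value, the Security Center and firewall switches, the AutoRun commands cached for removable drives (the part that matters for the memory-card question), the start page, and the catchme "hidden autostart entries" section. The Python below is an added example, not part of this thread and not ComboFix's own code: a first-pass triage that walks a log in the format shown above and flags those lines for a human reviewer. SAMPLE_LOG is constructed from lines of the log above (with the trailing garbage trimmed from the catchme entry); the rule names and notes are the script's own, and a hit is a lead rather than a verdict: the hidden DLBTCATS entry in the sample points at a print-spooler driver DLL, which is exactly why a reviewer, not the script, decides.

```python
"""Triage a ComboFix-style log for persistence and security-posture indicators.

Added example for this thread; it is not ComboFix's code and the rule names
are this script's own. SAMPLE_LOG is constructed from lines in the format of
the log posted above. A hit is a lead for a human reviewer, not a verdict:
a vendor printer driver and a rootkit loader can both show up as a hidden
autostart entry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which check fired
    context: str   # enclosing [registry key] or scanner block, if any
    line: str      # the log line that triggered it


# Why each rule matters, in the words a helper would use when explaining a log.
RULE_NOTES = {
    "appinit_dll": "AppInit_DLLs is loaded into every process that uses user32; "
                   "ComboFix only prints it when it is non-default.",
    "security_center_monitoring_off": "Security Center was told to stop monitoring "
                   "this product, so a disabled AV/firewall raises no alert.",
    "windows_firewall_off": "Windows Firewall is off for the standard profile; "
                   "acceptable only if a third-party firewall is running.",
    "removable_autorun": "An AutoRun command is cached for a removable drive; "
                   "check the drive itself before reconnecting it.",
    "start_page_redirector": "Start page routes through a redirector before "
                   "reaching the real site.",
    "new_service": "A service was created during the run; confirm what installed it.",
    "hidden_autostart": "Autostart entry hidden from the normal registry API "
                   "(catchme section).",
}

APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(\S.*)$', re.I)
MONITOR_OFF_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$', re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)
START_PAGE_RE = re.compile(r'^[um]Start Page\s*=\s*(\S+)$')

# Constructed sample in the ComboFix log format shown in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dugvwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5

uStart Page = hxxp://www.whatwashomepage.com/?q=http://www.whatwashomepage.com/?q=http://www.google.co.uk/
mStart Page = about:blank

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
"""


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the enclosing key or scanner block."""
    findings: list[Finding] = []
    context = ""
    in_hidden_autostart = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
            in_hidden_autostart = False
            continue
        if line.startswith("scan"):  # catchme: "scanning hidden ..." / "scan completed"
            in_hidden_autostart = line.startswith("scanning hidden autostart")
            context = ""
            continue
        if in_hidden_autostart:
            if "=" in line:
                findings.append(Finding("hidden_autostart", context, line))
            else:
                context = line  # catchme prints the key above its hidden values
            continue
        if APPINIT_RE.match(line):
            findings.append(Finding("appinit_dll", context, line))
        elif MONITOR_OFF_RE.match(line):
            findings.append(Finding("security_center_monitoring_off", context, line))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(Finding("windows_firewall_off", context, line))
        elif "\\Shell\\AutoRun\\command" in line:
            findings.append(Finding("removable_autorun", context, line))
        elif line.startswith("*Newly Created Service*"):
            findings.append(Finding("new_service", context, line))
        else:
            m = START_PAGE_RE.match(line)
            if m and "?q=http" in m.group(1).lower():
                findings.append(Finding("start_page_redirector", context, line))
    return findings


def report(findings: list[Finding]) -> str:
    """Human-readable summary: the line, where it sits, and why it was flagged."""
    out = []
    for f in findings:
        out.append(f"[{f.rule}] {f.line}")
        if f.context:
            out.append(f"    under: {f.context}")
        out.append(f"    why: {RULE_NOTES[f.rule]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

To run it on a saved log, pass `open(path, encoding="latin-1").read()` to `triage`. The rules are deliberately few and loud: a ComboFix log only prints non-default loading points, so every line it shows is already worth a look, and the script's job is to order that look, not to replace it.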

#10 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 December 2008 - 10:36 AM

I've used McAfee, but never Kaspersky, so I can't compare the two from personal experience. But I've always heard better things about Kaspersky. And I know its online scan does a fairly thorough job.

While it is possible for your secondary drives to be infected, I didn't see any signs of that in your logs. You should be ok.


Just a few last things and you should be good to go! :)


Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)


========================================================

#11 terry999

  • Topic Starter

  • Members
  • 6 posts

Posted 30 December 2008 - 01:30 PM

Hi Sam,

Been using the computer most of the day with no problems :thumbsup:

I did a quick scan with Malwarebytes and it showed one infected key to do with that "videosoft setup" program. It said it had successfully removed the item. I've had no pop up trying to install the program.

Thank you very much for your help. I've sent a donation as without your help I would probably have ended up doing a full re-install.

Kind regards,

Terry

#12 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 December 2008 - 06:05 PM

I'm glad I could help you out! :thumbsup:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



