Rogue.Component/Trace, Trojan DNSChanger


  • This topic is locked
18 replies to this topic

#1 J-ROCK

J-ROCK

  • Members
  • 52 posts
  • OFFLINE
  • Local time:11:26 PM

Posted 14 January 2009 - 10:49 AM

I started this all wrong, so I went back to the guide for posting logs. Here is the history:
http://www.bleepingcomputer.com/forums/ind...p;#entry1078506

Here are the DDS logs:

DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by Administrator at 22:53:44.23 on Mon 01/12/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1733 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {2D7F5A45-DB4F-46DB-8D8D-5C59B6257F1C} - No File
BHO: {67743D93-C906-4757-B6B7-8CF7AB566DA5} - No File
BHO: {68912C91-8376-4C55-938A-D61B97106024} - No File
BHO: {73272C09-1DB5-4CC1-8893-41F509E5AE37} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7693C1EC-47CC-4206-ADBB-6B5A1ACA6CAD} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {89C5AA7B-61BF-4B69-9499-1C1A07C628C4} - No File
BHO: {9D75B867-E224-4E02-8D7D-E0D0015F1C71} - No File
BHO: {9E94BC64-B140-45E9-9C47-06FC1E5B5267} - No File
BHO: {A1402DE2-B231-4A70-BB74-B6BA3219D555} - No File
BHO: {AAD91AE5-2EDC-43EB-9680-088C2E812761} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {BA07E221-469D-4233-B0F6-79B22DAEF7CD} - No File
BHO: {BCB3362B-E748-4F13-B2FE-2ECBF9C4BB6F} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [CTStartup] c:\program files\creative\sbaudigy\program\CTEaxSpl.EXE /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [anvshell] anvshell.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [UVS10 Preload] d:\program files\ulead systems\ulead videostudio 10\uvPL.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [sclauncher] c:\program files\simplecenter\bin\win\sclauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000007C6-17DF-4438-92A4-DE5537471BA3} - {000007AB-7059-463E-BD44-101A1750D732}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2008-5-31 3968]
S1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [2001-11-30 209480]
S1 ANVOSDNT;ASUS Keyboard Filter Driver;c:\windows\system32\drivers\anvosdnt.sys [2001-11-30 322859]
S1 DW;DW; [x]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-31 207656]
S1 pjsapdg;pjsapdg;\??\c:\windows\system32\pjsapdg.sys --> c:\windows\system32\pjsapdg.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
S1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2004-5-31 45568]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2003-8-2 10368]
S3 EnumChip;EnumChip;\??\e:\vgartd\enumchip.sys --> e:\vgartd\EnumChip.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-7-30 38496]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-7-31 605512]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-7-31 79240]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-7-31 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-7-31 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-7-31 40488]
S3 o1394bul;o1394bul;\??\c:\docume~1\jasonm~1\locals~1\temp\o1394bul.sys --> c:\docume~1\jasonm~1\locals~1\temp\o1394bul.sys [?]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-28 206096]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-30 358736]
S4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-7-31 144704]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-01-09 18:54 32 a------- c:\windows\Smenu.INI
2009-01-06 20:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-03 16:05 765,952 a------- c:\windows\system32\xvidcore.dll
2009-01-03 16:05 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-01-03 16:05 77,824 a------- c:\windows\system32\xvid.ax
2009-01-03 16:05 <DIR> --d----- c:\program files\Xvid
2008-12-18 22:26 <DIR> --d----- c:\program files\common files\MainConcept
2008-12-18 22:25 <DIR> --d----- c:\program files\common files\i4j_jres
2008-12-18 22:25 <DIR> --d----- c:\program files\SimpleCenter
2008-12-18 20:52 7,680 a------- c:\windows\system32\ff_vfw.dll
2008-12-18 20:52 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2008-12-18 20:52 60,273 a------- c:\windows\system32\pthreadGC2.dll
2008-12-18 20:51 <DIR> --d----- c:\program files\TVersity Codec Pack
2008-12-18 20:49 <DIR> --d----- c:\program files\TVersity

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:47 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2008-11-21 16:47 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 16:47 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-02 19:49 3,402 a------- c:\windows\system32\PerfStringBackup.TMP
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf
2008-05-11 23:05 81,920 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050520080512\index.dat
2008-05-12 00:44 49,152 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 22:54:08.65 ===============




Thanks,
Jay

#2 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:11:26 PM

Posted 24 January 2009 - 12:09 AM

Looks like my McAfee did an automatic scan and ended up rebooting my machine without my knowing. It actually booted into normal mode, so I re-did the DDS script; here is my new log.

The McAfee scan found some viruses and cleaned them. I updated and ran MBAM and SUPERAntiSpyware and there were no viruses found. I still have not rebooted.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Jason McDonald at 21:06:06.08 on Fri 01/23/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1166 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Jason McDonald\Desktop\Winifixer remover\Blue Screen fixer\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uWindow Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
uSearch Bar = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
BHO: {2D7F5A45-DB4F-46DB-8D8D-5C59B6257F1C} - No File
BHO: {67743D93-C906-4757-B6B7-8CF7AB566DA5} - No File
BHO: {68912C91-8376-4C55-938A-D61B97106024} - No File
BHO: {73272C09-1DB5-4CC1-8893-41F509E5AE37} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7693C1EC-47CC-4206-ADBB-6B5A1ACA6CAD} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {89C5AA7B-61BF-4B69-9499-1C1A07C628C4} - No File
BHO: {9D75B867-E224-4E02-8D7D-E0D0015F1C71} - No File
BHO: {9E94BC64-B140-45E9-9C47-06FC1E5B5267} - No File
BHO: {A1402DE2-B231-4A70-BB74-B6BA3219D555} - No File
BHO: {AAD91AE5-2EDC-43EB-9680-088C2E812761} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {BA07E221-469D-4233-B0F6-79B22DAEF7CD} - No File
BHO: {BCB3362B-E748-4F13-B2FE-2ECBF9C4BB6F} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TaskTray] c:\program files\creative\sbaudigy\taskbar\CTLTray.exe
uRun: [Taskbar] c:\program files\creative\sbaudigy\taskbar\CTLTask.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [WebCamRT.exe]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [CTStartup] c:\program files\creative\sbaudigy\program\CTEaxSpl.EXE /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [anvshell] anvshell.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [UVS10 Preload] d:\program files\ulead systems\ulead videostudio 10\uvPL.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [sclauncher] c:\program files\simplecenter\bin\win\sclauncher.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\documents and settings\jason mcdonald\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
uPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 ANVOSDNT;ASUS Keyboard Filter Driver;c:\windows\system32\drivers\anvosdnt.sys [2001-11-30 322859]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2008-5-31 3968]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-31 207656]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2004-5-31 45568]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-7-31 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-7-31 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-7-31 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-7-31 34152]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-7-31 40488]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-28 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-30 358736]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-7-31 144704]
S1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [2001-11-30 209480]
S1 DW;DW; [x]
S1 pjsapdg;pjsapdg;\??\c:\windows\system32\pjsapdg.sys --> c:\windows\system32\pjsapdg.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2003-8-2 10368]
S3 EnumChip;EnumChip;\??\e:\vgartd\enumchip.sys --> e:\vgartd\EnumChip.sys [?]
S3 o1394bul;o1394bul;\??\c:\docume~1\jasonm~1\locals~1\temp\o1394bul.sys --> c:\docume~1\jasonm~1\locals~1\temp\o1394bul.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-01-09 18:54 32 a------- c:\windows\Smenu.INI
2009-01-03 16:05 765,952 a------- c:\windows\system32\xvidcore.dll
2009-01-03 16:05 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-01-03 16:05 77,824 a------- c:\windows\system32\xvid.ax
2009-01-03 16:05 <DIR> --d----- c:\program files\Xvid

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-02 19:49 3,402 a------- c:\windows\system32\PerfStringBackup.TMP
2006-05-17 14:43 37 ac------ c:\docume~1\jasonm~1\applic~1\tvmcwrd.dll
2006-05-17 14:43 32 ac------ c:\docume~1\jasonm~1\applic~1\tvmuknwrd.dll
2002-09-11 09:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf
2008-05-11 23:05 81,920 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050520080512\index.dat
2008-05-12 00:44 49,152 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 21:06:52.52 ===============

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:26 PM

Posted 24 January 2009 - 11:42 PM

Hello, J-ROCK
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:11:26 PM

Posted 25 January 2009 - 10:31 AM

Billy,

Thanks for getting to me.
Here are my logs. Not sure if you wanted them as attachments or posted, but here they are. Thanks again.
J-ROCK

OTViewIt logfile created on: 1/25/2009 9:35:13 AM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Jason McDonald\Desktop\Winifixer remover\Blue Screen fixer\Billy
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 58.93% Memory free
2.60 Gb Paging File | 1.94 Gb Available in Paging File | 74.67% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 41.23 Gb Free Space | 42.22% Space Free | Partition Type: NTFS
Drive D: | 135.22 Gb Total Space | 125.24 Gb Free Space | 92.62% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 31.49 Gb Total Space | 31.43 Gb Free Space | 99.80% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: J-ROCK
Current User Name: Jason McDonald
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2006/03/21 22:48:55 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2006/03/21 22:48:55 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE
[2008/11/20 08:45:06 | 00,206,096 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
[2008/10/10 16:16:00 | 00,792,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
[2008/07/18 08:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
[2008/07/09 14:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
[2008/06/20 05:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
[2005/01/31 08:45:20 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
[2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe
[2001/11/28 20:07:14 | 00,655,360 | ---- | M] (Roxio) -- C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
[2003/10/06 14:57:32 | 00,024,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2002/12/10 16:54:04 | 00,127,022 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
[2006/01/02 16:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2008/07/11 16:48:54 | 00,641,208 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
[2005/03/17 14:25:54 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[2006/03/28 15:48:54 | 00,622,592 | R--- | M] () -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
[2008/03/21 10:22:14 | 00,094,208 | ---- | M] (Universal Electronics Inc.) -- C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
[2001/06/29 01:00:00 | 00,163,840 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
[2006/04/06 21:11:02 | 00,339,968 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
[2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
[2006/03/01 16:06:22 | 00,069,632 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
[2006/01/02 16:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2006/01/02 16:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2008/09/16 10:04:12 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
[2008/06/20 13:10:22 | 00,361,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
[2008/06/20 13:10:24 | 00,259,912 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
[2009/01/23 19:19:50 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[2009/01/25 09:32:02 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason McDonald\Desktop\Winifixer remover\Blue Screen fixer\Billy\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2006/03/21 22:48:55 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2006/03/17 14:37:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access [Auto | Running])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2001/08/18 07:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC [On_Demand | Stopped])
[2008/11/20 08:45:06 | 00,206,096 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
[2008/10/10 16:16:00 | 00,792,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
[2008/07/18 08:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
[2008/06/20 13:10:22 | 00,361,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Running])
[2008/07/09 14:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
[2008/06/20 05:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
[2008/09/16 10:04:12 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
[2003/05/02 14:19:00 | 00,069,632 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/01/31 08:45:20 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper [Auto | Running])
[2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
[2008/09/12 10:47:28 | 00,315,264 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\Temp\0211251232868157mcinst.exe -- (0211251232868157mcinstcleanup [Auto | Stopped])

========== Driver Services ==========

[2004/08/04 01:10:10 | 00,048,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\61883.sys -- (61883 [On_Demand | Stopped])
[2004/08/04 00:59:20 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2001/10/15 15:55:42 | 00,209,480 | ---- | M] (ASUSTeK) -- C:\WINDOWS\system32\drivers\anvioctl.sys -- (ANVIOCTL [System | Stopped])
[2001/11/26 21:38:51 | 00,322,859 | ---- | M] (ASUS) -- C:\WINDOWS\system32\drivers\anvosdnt.sys -- (ANVOSDNT [System | Running])
[2004/05/18 12:49:59 | 00,017,024 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
[1997/12/22 21:02:46 | 00,023,936 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
[2006/03/21 22:56:22 | 01,522,688 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2004/08/04 01:10:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc [On_Demand | Stopped])
[2007/01/31 08:33:46 | 00,005,632 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avgarkt.sys -- (AVG Anti-Rootkit [Boot | Running])
[2007/01/18 07:00:28 | 00,003,968 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\AvgArCln.sys -- (AvgArCln [System | Running])
[2004/10/15 12:50:20 | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Running])
[2008/11/21 16:47:48 | 00,009,336 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
[2008/11/21 16:47:48 | 00,009,464 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
[2001/11/28 20:07:15 | 00,233,728 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_XP [System | Running])
[2004/02/23 15:16:10 | 00,645,360 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2004/02/23 15:11:46 | 00,366,352 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2003/10/14 11:17:56 | 00,332,800 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k [On_Demand | Stopped])
[2003/10/08 10:08:12 | 00,006,096 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2003/10/08 10:09:10 | 00,130,288 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2002/06/24 11:31:30 | 00,045,568 | R--- | M] (D-Link Corporation ) -- C:\WINDOWS\system32\drivers\DLKRTS.SYS -- (DLKRTS [On_Demand | Running])
[2001/11/29 15:19:46 | 00,180,936 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\dumant.sys -- (DumaNT [Auto | Running])
[2001/11/28 20:07:15 | 00,018,406 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Stopped])
[2002/05/24 10:52:58 | 00,010,368 | ---- | M] (Digit@lway Co., Ltd.) -- C:\WINDOWS\system32\drivers\dwusbdnt.sys -- (dwusbdnt [On_Demand | Stopped])
[2005/01/01 20:07:05 | 00,009,728 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])
[2003/10/13 17:42:12 | 00,145,488 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2004/08/04 01:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2005/03/07 10:52:48 | 00,014,408 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2004/02/24 12:17:10 | 00,904,784 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2003/10/21 17:23:44 | 00,148,432 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k [On_Demand | Stopped])
[2008/06/27 06:08:40 | 00,079,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2008/06/27 06:08:40 | 00,035,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2008/06/27 06:08:40 | 00,207,656 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
[2008/06/20 05:41:38 | 00,034,152 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Running])
[2008/06/27 06:08:40 | 00,040,488 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
[2001/11/28 20:07:15 | 00,019,222 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Running])
[2008/06/02 14:55:42 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [System | Running])
[2004/08/04 01:09:58 | 00,051,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV [On_Demand | Stopped])
[2004/08/04 00:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2004/08/04 00:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv4 [On_Demand | Stopped])
[2003/10/08 10:06:50 | 00,178,672 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2003/03/05 15:07:46 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\pfmodnt.sys -- (PfModNT [Auto | Running])
[2001/08/10 06:00:00 | 00,003,252 | ---- | M] () -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS -- (PQNTDrv [System | Running])
[2001/08/18 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/11/28 20:07:15 | 00,079,926 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K [System | Running])
[2008/11/21 16:47:48 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2002/06/10 13:20:50 | 00,039,936 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvcd.sys -- (QCDonner [On_Demand | Stopped])
[2006/02/16 15:51:08 | 00,004,096 | R--- | M] (SuperAdBlocker, Inc.) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (sasenum [On_Demand | Running])
[2008/06/10 16:48:11 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (saskutil [System | Running])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2005/01/14 11:14:07 | 00,047,616 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
[2004/10/28 05:47:59 | 00,006,656 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
[2004/12/03 05:20:41 | 00,020,544 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfsync02.sys -- (sfsync02 [Boot | Running])
[2001/11/28 20:07:15 | 00,205,440 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
[2001/05/04 15:24:52 | 00,003,033 | ---- | M] (VIA Technologies. Inc.) -- C:\WINDOWS\system32\drivers\VIAPFD.SYS -- (VIAPFD [System | Running])
[2001/08/18 07:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])
[2008/06/10 16:48:20 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
"SearchMigratedDefaultName"=Live Search
"SearchMigratedDefaultURL"=http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"AutoSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Data"=
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = <local>

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = <local>

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = <local>

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"First Home Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
"Local Page"=C:\WINDOWS\System32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
"SearchMigratedDefaultName"=Live Search
"SearchMigratedDefaultURL"=http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Internet Explorer\Search]
"AutoSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Data"=
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\Software\Microsoft\Internet Explorer\SearchURL]
""=http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = <local>

========== (O1) Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{2D7F5A45-DB4F-46DB-8D8D-5C59B6257F1C} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{67743D93-C906-4757-B6B7-8CF7AB566DA5} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{68912C91-8376-4C55-938A-D61B97106024} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{73272C09-1DB5-4CC1-8893-41F509E5AE37} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{7693C1EC-47CC-4206-ADBB-6B5A1ACA6CAD} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (HKLM) -- C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
{89C5AA7B-61BF-4B69-9499-1C1A07C628C4} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9D75B867-E224-4E02-8D7D-E0D0015F1C71} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9E94BC64-B140-45E9-9C47-06FC1E5B5267} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{A1402DE2-B231-4A70-BB74-B6BA3219D555} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{AAD91AE5-2EDC-43EB-9680-088C2E812761} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
{BA07E221-469D-4233-B0F6-79B22DAEF7CD} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{BCB3362B-E748-4F13-B2FE-2ECBF9C4BB6F} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" (Roxio)
"anvshell"=anvshell.exe (AsusTeK Computer Inc.)
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay (ATI Technologies Inc.)
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
"BrMfcWnd"=C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN ()
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun (Brother Industries, Ltd.)
"CTHelper"=CTHELPER.EXE (Creative Technology Ltd)
"CTStartup"=C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run (Creative Technology Ltd.)
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE (Microsoft Corporation)
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"LVCOMS"=C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE (Logitech Inc.)
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
"MSPY2002"=C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC ()
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"nwiz"=nwiz.exe /install (NVIDIA Corporation)
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"PHIME2002A"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
"PHIME2002ASync"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"sclauncher"=C:\Program Files\SimpleCenter\bin\win\sclauncher.exe (Universal Electronics Inc.)
"SetDefPrt"=C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe (Brother Industories, Ltd.)
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"UpdReg"=C:\WINDOWS\Updreg.exe (Creative Technology Ltd.)
"UVS10 Preload"=D:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe (Ulead Systems, Inc.)
"WinampAgent"=C:\Program Files\Winamp\winampa.exe ()
"WINDVDPatch"=CTHELPER.EXE (Creative Technology Ltd)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (NVIDIA Corporation)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"Taskbar"=C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe (Creative Technology Ltd)
"TaskTray"=C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe (Creative Technology Ltd.)
"WebCamRT.exe"= File not found

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"Taskbar"=C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe (Creative Technology Ltd)
"TaskTray"=C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe (Creative Technology Ltd.)

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (NVIDIA Corporation)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"Taskbar"=C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe (Creative Technology Ltd)
"TaskTray"=C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe (Creative Technology Ltd.)
"WebCamRT.exe"= File not found

========== (O4) RunOnce Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent (Malwarebytes Corporation)

========== (O4) Startup Folders ==========

[1999/11/04 14:06:48 | 00,113,664 | ---- | M] (Adobe Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
[2004/08/22 17:38:22 | 00,169,472 | ---- | M] (Logitech) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
[2006/03/24 23:21:17 | 00,225,280 | ---- | M] () -- C:\Documents and Settings\Jason McDonald\Start Menu\Programs\Startup\PowerReg Scheduler.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
""=

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=0
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"CDRAutoRun"=0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"CDRAutoRun"=0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=_ [binary data]
""=

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
""=

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=0
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 03:06:52 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 03:06:52 | 10,095,808 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{000007C6-17DF-4438-92A4-DE5537471BA3} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{000007C6-17DF-4438-92A4-DE5537471BA3} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{000007C6-17DF-4438-92A4-DE5537471BA3} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{000007C6-17DF-4438-92A4-DE5537471BA3} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 13:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer

[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}: http://bin.mcafee.com/molbin/shared/mcinsc...81/mcinsctl.cab -- McAfee.com Operating System Class
{731918D2-517A-47E2-886A-3BC1380C591D}: http://webpdp.gator.com/v3/download/pdpplu...094_hd3ptdm.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_08
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/get/flash...ent/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{1ACB368E-614D-424E-8000-DFA63BF14AD6} (Servers: | Description: 1394 Net Adapter)
{752C74CA-5155-4919-A128-939C680AAFE1} (Servers: | Description: )
{C3857CEC-2C02-49CF-B122-36A9C140FB79} (Servers: | Description: D-Link DFE-538TX 10/100 Adapter)
{F5CD43E4-DEFD-4E47-9289-8327EE31A0AB} (Servers: | Description: 1394 Net Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2002/05/22 20:37:51 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.CAM []
[2002/05/22 17:18:18 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.CAM -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2007/10/25 22:34:01 | 08,460,288 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\Open\command]
""=resycled\boot.com c:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2007/10/25 22:34:01 | 08,460,288 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\Open\command]
""=D:\resycled\boot.com -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell]
""=Autorun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2007/10/25 22:34:01 | 08,460,288 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\Shell\Open\command]
""=G:\resycled\boot.com -- File not found

========== Files/Folders - Created Within 30 Days ==========

[16 C:\WINDOWS\*.tmp files]
[2009/01/25 02:22:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/01/23 20:01:59 | 00,368,831 | ---- | C] () -- C:\Documents and Settings\Jason McDonald\Desktop\dds.scr
[2009/01/09 18:54:08 | 00,000,032 | ---- | C] () -- C:\WINDOWS\Smenu.INI
[2009/01/08 21:32:45 | 00,016,384 | ---- | C] () -- C:\Documents and Settings\Jason McDonald\Desktop\Huntly Slim.xls
[2009/01/08 07:59:41 | 00,789,728 | ---- | C] () -- C:\Documents and Settings\Jason McDonald\Desktop\Folders.psd
[2009/01/03 16:05:01 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/03 16:05:01 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/03 16:05:01 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\xvid.ax
[2009/01/03 16:05:00 | 00,000,000 | ---D | C] -- C:\Program Files\Xvid
[2009/01/03 15:14:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jason McDonald\Application Data\DivX

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[16 C:\WINDOWS\*.tmp files]
[2009/01/24 07:41:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/01/23 21:24:56 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-00000008-00001102-00000004-00511102}.CDF
[2009/01/23 19:22:42 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/23 02:14:19 | 00,011,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/23 02:12:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/23 02:12:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/14 16:11:32 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/14 16:11:28 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/09 18:54:10 | 00,000,032 | ---- | M] () -- C:\WINDOWS\Smenu.INI
[2009/01/09 11:29:16 | 00,368,831 | ---- | M] () -- C:\Documents and Settings\Jason McDonald\Desktop\dds.scr
[2009/01/09 09:54:48 | 00,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
[2009/01/09 09:54:48 | 00,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
[2009/01/09 09:54:48 | 00,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
[2009/01/09 09:54:48 | 00,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-00000008-00001102-00000004-00511102}.rfx
[2009/01/09 09:54:48 | 00,002,064 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/01/09 09:54:48 | 00,002,064 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/01/09 09:54:48 | 00,000,384 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-00000008-00001102-00000004-00511102}.dat
[2009/01/09 09:54:48 | 00,000,384 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-00000008-00001102-00000004-00511102}.dat
[2009/01/09 09:54:37 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-00000008-00001102-00000004-00511102}.BAK
[2009/01/08 23:13:30 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Jason McDonald\Desktop\Microsoft Office Outlook 2003 (2).lnk
[2009/01/08 21:32:45 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\Jason McDonald\Desktop\Huntly Slim.xls
[2009/01/08 07:59:41 | 00,789,728 | ---- | M] () -- C:\Documents and Settings\Jason McDonald\Desktop\Folders.psd
[2009/01/05 23:56:10 | 80,530,6368 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/01/01 15:54:30 | 00,001,125 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/01/01 01:00:19 | 00,000,374 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
< End of report >


OTViewIt Extras logfile created on: 1/25/2009 9:35:13 AM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Jason McDonald\Desktop\Winifixer remover\Blue Screen fixer\Billy
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 58.93% Memory free
2.60 Gb Paging File | 1.94 Gb Available in Paging File | 74.67% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 41.23 Gb Free Space | 42.22% Space Free | Partition Type: NTFS
Drive D: | 135.22 Gb Total Space | 125.24 Gb Free Space | 92.62% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 31.49 Gb Total Space | 31.43 Gb Free Space | 99.80% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: J-ROCK
Current User Name: Jason McDonald
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\WINDOWS\system32\P2P Networking\P2P Networking.exe:*:Disabled:P2P Networking
File not found -- C:\Program Files\Microsoft Hardware\Game Voice\GameVoice.exe:*:Enabled:Game Voice
File not found -- D:\UT2004\System\UT2004.exe:*:Enabled:UT2004
File not found -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- C:\Program Files\Kazaa Lite K++\KazaaLite.kpp:*:Enabled:KazaaLite
File not found -- C:\Program Files\LucasArts\Star Wars Battlefront II\GameData\BattlefrontII.exe:*:Enabled:BattlefrontII
[2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2005/10/31 10:56:00 | 00,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2005/05/06 19:47:08 | 02,224,128 | ---- | M] (www.BitLord.com) -- D:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord
File not found -- C:\d.exe:*:Enabled:enable
File not found -- D:\Program Files\LucasArts\Star Wars Battlefront\GameData\Battlefront.exe:*:Enabled:Battlefront
File not found -- C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server
[2008/03/21 10:22:14 | 00,166,912 | ---- | M] (Universal Electronics, Inc.) -- C:\Program Files\SimpleCenter\SimpleCenter.exe:*:Enabled:SimpleCenter Media Manager and Server
[2008/07/18 08:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [New.net Name Space Provider] -- C:\Program Files\NewDotNet\newdotnet7_22.dll File not found

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/06/03 02:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/25 15:29:55 | 08,071,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/11/14 12:25:26 | 00,150,032 | ---- | M] () c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (sacore:{5513F07E-936B-4E52-9B00-067394E91CC5} (HKLM) [McAfee SACore Protocol Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}"=ATI Control Panel
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{224F7A6E-1D66-46B6-888A-D115E5AC20F6}"=MPIO Manager 2
"{3248F0A8-6813-11D6-A77B-00B0D0150080}"=J2SE Runtime Environment 5.0 Update 8
"{3248F0A8-6813-11D6-A77B-00B0D0150100}"=J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{34566374-6C4D-419F-A9E0-8B21CA905FD8}"=ATI Catalyst Control Center
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{71C97545-E547-4A8B-B0C8-61FF853270AC}"=PaperPort
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
"{8851E12C-0EF9-11D4-A788-009027ABA5D0}"=Easy CD Creator 5 Platinum
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}"=Logitech Desktop Messenger
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{96E423BB-36B6-4EAD-B4A9-39C5109DD1B3}"=eDrawings 2007
"{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}"=Brother MFL-Pro Suite
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{B4FEA924-630D-11D4-B78E-005004566E4D}"=ViewSonic Monitor Drivers
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}"=SUPERAntiSpyware Free Edition
"{E188D820-1218-4E28-8BCA-91134C3664C2}"=Ulead VideoStudio 10
"{E2B71D23-52F0-49AD-AC56-6DAB4CF9443C}"=Sound Blaster Audigy Web 2K/XP
"{E39C74DF-58FD-4E52-9888-2CC59DFB0B34}"=PowerQuest PartitionMagic Pro 7.0
"390"=Alt Win
"571"=RON Display
"652"=Context Display
"656"=URL Display
"894"=Search Aid
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Photoshop 7.0"=Adobe Photoshop 7.0
"All ATI Software"=ATI - Software Uninstall Utility
"AnarkClient"=Anark Client 1.0
"AnyDVD"=AnyDVD
"AsusNv"=ASUS Display Drivers
"ATI Display Driver"=ATI Display Driver
"AVGantiRootkit"=AVG Anti-Rootkit Free
"BitLord"=BitLord 1.1
"CAL"=Canon Camera Access Library
"CameraWindowDVC5"=Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6"=Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC"=Canon Camera Window MC 6 for ZoomBrowser EX
"Canon Digital Camera USB WIA Driver"=Canon Digital Camera USB WIA Driver
"Canon G.726 WMP-Decoder"=Canon G.726 WMP-Decoder
"Canon Utilities RAW Image Converter"=Canon Utilities RAW Image Converter
"CodInstl"=Intel A/V Codecs V2.0
"ContextSidebar"=Context Display
"CSCLIB"=Canon Camera Support Core Library
"DVD Shrink_is1"=DVD Shrink 3.2
"EAX Unified"=EAX Unified
"eMedia Codec"=eMedia Codec 4.0
"EOS Utility"=Canon Utilities EOS Utility
"ffdshow_is1"=ffdshow [rev 1723] [2007-12-24]
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft NetShow Tools 2.0"=Windows Media Tools 4.1
"MirrorUnder"=Alt Win
"MovieEditTask"=Canon MovieEdit Task for ZoomBrowser EX
"MSC"=McAfee SecurityCenter
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MSI Live Update Series"=MSI Live Update Series
"NeroMultiInstaller!UninstallKey"=Nero Suite
"NeroVision!UninstallKey"=Nero Digital
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"NVIDIAStereo"=NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
"P2P Networking"=P2P Networking
"PhotoRecord"=Canon PhotoRecord
"PhotoStitch"=Canon Utilities PhotoStitch
"RAW Image Task"=Canon RAW Image Task for ZoomBrowser EX
"RemoteCapture"=Canon Utilities RemoteCapture 2.1
"RemoteCaptureTask"=Canon RemoteCapture Task for ZoomBrowser EX
"RonSidebar"=RON Display
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"SimpleCenter 4.2.0.67"=SimpleCenter 4.2.0.67
"SlowBlast!"=SlowBlast!
"Sound Blaster Audigy"=Sound Blaster Audigy
"SpiderSidebar"=Search Aid
"ST6UNST #1"=SlowGold
"TEFView_is1"=TEFView 2.62
"ThePlaya"=The Playa
"UrlSidebar"=URL Display
"VLC media player"=VideoLAN VLC media player 0.8.6h
"Winamp"=Winamp (remove only)
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 2
"WinRAR archiver"=WinRAR archiver
"WinZip"=WinZip
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1"=Xvid 1.1.3 final uninstall
"ZoomBrowser EX"=Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/7/2009 11:39:56 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/7/2009 11:39:56 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/7/2009 11:40:00 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/7/2009 11:40:00 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:32:15 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/9/2009 11:32:15 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:32:23 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:32:23 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:34:10 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/9/2009 11:34:10 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ Application Events ]
Error - 1/7/2009 11:39:56 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/7/2009 11:39:56 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/7/2009 11:40:00 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/7/2009 11:40:00 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:32:15 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/9/2009 11:32:15 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:32:23 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:32:23 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/9/2009 11:34:10 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/9/2009 11:34:10 PM | Computer Name = J-ROCK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 12/28/2008 11:39:23 PM | Computer Name = J-ROCK | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 12/29/2008 10:26:26 AM | Computer Name = J-ROCK | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/29/2008 10:28:21 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ANVIOCTL

Error - 12/29/2008 4:38:54 PM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7031
Description = The Windows Media Player Network Sharing Service service terminated
unexpectedly. It has done this 1 time(s). The following corrective action will
be taken in 30000 milliseconds: Restart the service.

Error - 12/31/2008 11:04:00 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%3228369022

Error - 12/31/2008 11:04:22 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ANVIOCTL

Error - 12/31/2008 11:10:34 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%3228369022

Error - 12/31/2008 11:10:59 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ANVIOCTL

Error - 1/3/2009 10:52:48 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%3228369022

Error - 1/3/2009 10:53:27 AM | Computer Name = J-ROCK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ANVIOCTL


< End of report >


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-25 10:27:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1266F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB11619CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB1161A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1161978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB116198C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB1161A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB1161AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB1161B0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB1161AF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB1161A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB1161B3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB1161A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1161950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1161964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB11619DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB1161B77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB1161AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB1161ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB1161A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB1161B63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB1161B4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB11619B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB11619A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB1161AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB1161A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB1161B25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB1161A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB11619F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP B11619F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP B1161A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B103 7 Bytes JMP B1161AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056BD4D 5 Bytes JMP B11619A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP B1161A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056EBB9 7 Bytes JMP B1161B7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 7 Bytes JMP B1161B13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP B11619CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP B1161A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP B1161A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572D06 5 Bytes JMP B1161954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP B11619E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP B1161ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FB78 7 Bytes JMP B1161AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581E82 7 Bytes JMP B1161990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 80584740 5 Bytes JMP B1161A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058C806 5 Bytes JMP B1161968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590E16 5 Bytes JMP B1161B3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP B1161AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP B1161A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0AA4 5 Bytes JMP B116197C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C403 2 Bytes JMP B11619BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread + 3 8062C406 2 Bytes [ B3, 30 ]
PAGE ntoskrnl.exe!ZwRestoreKey 8064C042 5 Bytes JMP B1161B53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C317 7 Bytes JMP B1161B29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CBE4 7 Bytes JMP B1161AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064D029 7 Bytes JMP B1161A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D51E 5 Bytes JMP B1161B67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FE0073
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FE0F7E
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FE0062
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FE009F
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FE008E
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FE0F32
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FE00CB
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FE0F21
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FE0F63
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FE00B0
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009C0047
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009C0098
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009C002C
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009C001B
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009C0FDB
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009C007D
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\services.exe[456] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009C006C
.text C:\WINDOWS\system32\services.exe[456] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\services.exe[456] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0101006E
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01010F83
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0101005D
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01010F9E
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01010FC0
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 010100B0
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01010093
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01010F3C
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 010100D5
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 010100E6
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01010FAF
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0101000A
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01010F68
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0101002C
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0101001B
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01010F4D
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00FF0073
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[468] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\lsass.exe[468] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[468] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00970F80
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00970075
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00970F9B
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00970FB6
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00970047
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00970F48
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00970090
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00970F12
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009700AB
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009700C6
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00970058
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00970FE5
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00970F65
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00970036
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00970011
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00970F23
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00960051
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00960FD4
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00960036
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0096001B
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0096007D
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\svchost.exe[624] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00960062
.text C:\WINDOWS\system32\svchost.exe[624] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[624] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00920FD4
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AE0087
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AE0F88
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AE0F99
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AE0FB6
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AE0047
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AE0F5A
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AE00A2
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AE0F13
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AE0F24
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00AE00C7
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00AE0058
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00AE0FE5
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00AE0F77
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00AE0036
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00AE001B
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00AE0F49
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AD0FC3
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AD0F97
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AD0014
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AD0054
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AD0FA8
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AD002F
.text C:\WINDOWS\system32\svchost.exe[688] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[688] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00AB0000
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01D70FEF
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01D700C7
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01D700AC
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01D7009B
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01D7008A
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01D70054
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01D70FAD
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01D700F5
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01D70132
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01D70117
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01D70F7E
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01D7006F
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01D70FDE
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01D700D8
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01D70039
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01D70014
.text C:\WINDOWS\System32\svchost.exe[724] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01D70106
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01CE0040
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01CE007D
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01CE001B
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01CE000A
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01CE0FCA
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01CE006C
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01CE0FEF
.text C:\WINDOWS\System32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01CE0051
.text C:\WINDOWS\System32\svchost.exe[724] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 018F0FEF
.text C:\WINDOWS\System32\svchost.exe[724] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 018F0FDE
.text C:\WINDOWS\System32\svchost.exe[724] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 018D0FEF
.text C:\WINDOWS\System32\svchost.exe[724] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 018D0000
.text C:\WINDOWS\System32\svchost.exe[724] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 018D001B
.text C:\WINDOWS\System32\svchost.exe[724] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 018D002C
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750000
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00750078
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00750067
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00750040
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00750F83
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00750FAF
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007500A9
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00750F61
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00750F3C
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007500D5
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007500E6
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00750F94
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00750FDB
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00750F72
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00750FCA
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00750011
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007500BA
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00740025
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00740FA5
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00740FD4
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0074000A
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00740062
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00740051
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00740FEF
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00740040
.text C:\WINDOWS\System32\svchost.exe[768] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720000
.text C:\WINDOWS\System32\svchost.exe[768] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00720011
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BE00A7
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BE008C
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BE005B
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BE0F7C
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BE00CE
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BE0F57
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BE00F0
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BE010B
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BE0F97
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BE0036
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BE0025
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BE00DF
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BD002C
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BD0F8A
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BD001B
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BD0047
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\System32\svchost.exe[876] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[876] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 00BA001E
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 00BA0039
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02390000
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02390F7A
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0239006F
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02390F8B
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02390FA8
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02390FB9
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02390F58
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02390F69
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 023900D6
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 023900BB
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 023900F1
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02390040
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02390FE5
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0239008A
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02390025
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02390FD4
.text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02390F47
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02380025
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02380073
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02380FD4
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02380000
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02380062
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02380051
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02380FEF
.text C:\WINDOWS\Explorer.EXE[1156] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02380040
.text C:\WINDOWS\Explorer.EXE[1156] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 02360000
.text C:\WINDOWS\Explorer.EXE[1156] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 02360FEF
.text C:\WINDOWS\Explorer.EXE[1156] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 02360FDE
.text C:\WINDOWS\Explorer.EXE[1156] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 02360025
.text C:\WINDOWS\Explorer.EXE[1156] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 023A0FE5
.text C:\WINDOWS\Explorer.EXE[1156] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 023A000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1508] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00970000
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009700A7
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00970FB2
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00970FC3
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00970FD4
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00970065
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00970F81
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009700D3
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00970109
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009700EE
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00970124
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00970076
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00970025
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009700B8
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0097004A
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00970FEF
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00970F70
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00960FC3
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00960F97
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0096000A
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00960FD4
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00960054
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00960FA8
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00960FE5
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0096002F

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????&???????????????c?????????????sm????e?e?e??McAfee SiteAdvisor Service?4?4??????????????????Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.???Provides a TCP/IP-based printing service that uses the Line Printer protocol.????????????G??????"c:\program files\common files\mcafee\mna\mcnasvc.exe"???H???????????????????t??????????????????Provides low-level support for McAfee SiteAdvisor????????????Q???R??? ???????4???????4??????????J-??????????e;??C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe?????????????????????????n?????? ????hr????Scans specified locations on this computer for viruses and other threats. The service runs for scheduled scans and manual scans.?e???????????H???L??McAfee Proxy Service?v???????????e??????????McAfee Network Agent?e??????????????LocalSystem??m??LocalSystem??????????????r??????",????d????????????n?????????????S?????
Reg HKLM\SYSTEM\CurrentControlSet\services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxdxrxhcwo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxdxrxhcwo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxdxrxhcwo.dll
Reg HKLM\SYSTEM\ControlSet004\services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet004\services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxdxrxhcwo.dll

---- EOF - GMER 1.0.14 ----
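Reading the GMER registry section above from a defender's side, as an added example (not part of the original post and not GMER's own code): a small Python parser that groups the `Reg` lines per service and flags the pattern the log shows for msqpdxserv.sys, that is, companion modules referenced through `\\?\globalroot` paths, a non-standard `modules` subkey under a driver service, and registration in several control sets, which is why booting with Last Known Good Configuration switches control sets without removing it. The sample lines are a constructed excerpt of the log above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER 1.0.14 registry section posted above.
GMER_REG_SAMPLE = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxdxrxhcwo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxkvnldgod.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxdxrxhcwo.dll
Reg HKLM\SYSTEM\ControlSet004\services\MRxDAV\EncryptedDirectories@
"""

SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\services\\([^\\]+)(\\.*)?$",
    re.IGNORECASE)
GLOBALROOT = "\\\\?\\globalroot"   # device-namespace prefix GMER shows for the driver's modules


def parse_gmer_reg_lines(text):
    """Split GMER 'Reg <key>[@<value>] [<data>]' lines into (key, value_name, data) tuples.

    value_name is None for a bare key line and '' for a key's default value ('@' with no name).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("Reg "):
            continue
        key, sep, rest = line[4:].partition("@")
        if not sep:
            entries.append((key, None, ""))
            continue
        value_name, _, data = rest.partition(" ")
        entries.append((key, value_name, data.strip()))
    return entries


def find_suspicious_services(entries):
    """Group service entries per service name and flag the patterns seen for msqpdxserv.sys."""
    services = defaultdict(lambda: {"control_sets": set(), "image_paths": set(),
                                    "globalroot_modules": set(), "has_modules_subkey": False})
    for key, value_name, data in entries:
        m = SERVICE_KEY.match(key)
        if not m:
            continue
        cset, name, subkey = m.group(1), m.group(2), m.group(3) or ""
        info = services[name]
        info["control_sets"].add(cset)
        if subkey.lower().startswith("\\modules"):
            info["has_modules_subkey"] = True
        if value_name and value_name.lower() == "imagepath":
            info["image_paths"].add(data)
        if data.lower().startswith(GLOBALROOT.lower()):
            info["globalroot_modules"].add(data)

    findings = {}
    for name, info in services.items():
        reasons = []
        if info["globalroot_modules"]:
            reasons.append("loads companion modules via \\\\?\\globalroot paths")
        if info["has_modules_subkey"]:
            reasons.append("has a non-standard 'modules' subkey for a driver service")
        if not reasons:
            continue                      # an ordinary service such as MRxDAV is not reported
        if len(info["control_sets"]) > 1:
            # Present in the saved control sets too, so booting with Last Known Good
            # Configuration switches control sets without removing the service.
            reasons.append("registered in %d control sets" % len(info["control_sets"]))
        findings[name] = {"reasons": reasons, **info}
    return findings


if __name__ == "__main__":
    for name, info in find_suspicious_services(parse_gmer_reg_lines(GMER_REG_SAMPLE)).items():
        print(name)
        for reason in info["reasons"]:
            print("   -", reason)
```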

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 January 2009 - 04:47 PM

Hello, J-ROCK
You have a Peer-To-Peer program installed.
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case KaZaA, LimeWire). These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

We need to back up your registry
  • Please download ERUNT and save it to your desktop.
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D7F5A45-DB4F-46DB-8D8D-5C59B6257F1C}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67743D93-C906-4757-B6B7-8CF7AB566DA5}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68912C91-8376-4C55-938A-D61B97106024}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73272C09-1DB5-4CC1-8893-41F509E5AE37}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7693C1EC-47CC-4206-ADBB-6B5A1ACA6CAD}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89C5AA7B-61BF-4B69-9499-1C1A07C628C4}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D75B867-E224-4E02-8D7D-E0D0015F1C71}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E94BC64-B140-45E9-9C47-06FC1E5B5267}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1402DE2-B231-4A70-BB74-B6BA3219D555}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAD91AE5-2EDC-43EB-9680-088C2E812761}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA07E221-469D-4233-B0F6-79B22DAEF7CD}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BCB3362B-E748-4F13-B2FE-2ECBF9C4BB6F}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebCamRT.exe"=-
    [HKEY_USERS\S-1-5-21-162025716-3852255402-4189850523-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoDriveTypeAutoRun"=-
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "PendingFileRenameOperations"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msqpdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msqpdxserv.sys]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "390"=-
    "571"=-
    "652"=-
    "656"=-
    "894"=-
    :files
    C:\resycled
    D:\resycled
    G:\resycled
    C:\WINDOWS\*.tmp
    C:\WINDOWS\Smenu.INI
    C:\Program Files\NewDotNet
    :services
    MRxDAV
    :commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Download LSPFix and save to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of newdotnet7_22.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    For instructions with screen shots, see the "Using LSP-Fix Tutorial".

    Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 11...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows" (OR if you are on a x64 system, "Windows x64")
    • Select your Language: "Multi-Language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (Or "Uninstall a Program" on Vista) and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u10-windows-i586-p.exe (Or jre-6u10-windows-x64.exe for x64 systems)
    • Follow the on screen instructions to install the latest Java version.
    I would like us to use ESET (NOD32)'s Online Scanner
    • Please go to ESET OnlineScan (NOD32)
    • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
    • Now click Start
    • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
    • Click Start
      • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • OTMoveIt3's Log
  • ESET OnlineScan's Log
  • A New OTVIewIt Main.txt
  • A New OTViewIt Extra.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
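Before running a removal script like the OTMoveIt3 one above, it helps to list exactly what it will touch. As an added example (not OldTimer's code and not part of this thread), this Python function reads the script sections (:reg in Regedit .reg syntax, :files, :services, :commands) and flags whole-key deletions under HKLM\SYSTEM, where a mistake affects boot configuration, device classes or services rather than a single program; it also notices a value deletion listed under a key the same script already deletes outright. The script text is a constructed excerpt of the one posted above.

```python
import re

# Constructed excerpt in OTMoveIt3 script syntax, modelled on the script posted above.
OTMOVEIT_SAMPLE = r"""
:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D7F5A45-DB4F-46DB-8D8D-5C59B6257F1C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msqpdxserv.sys]
:files
C:\resycled
C:\WINDOWS\*.tmp
:services
MRxDAV
:commands
[EmptyTemp]
"""

# Whole-key deletions under this hive affect boot configuration, device classes or
# services, so they deserve a second look before the script is run.
HIGH_IMPACT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\"
VALUE_DELETE = re.compile(r'^"([^"]*)"=-$')   # Regedit syntax: delete one value under the current key


def summarize_otmoveit_script(text):
    """Return a plan dict describing every registry, file, service and command action in the script."""
    plan = {"delete_keys": [], "delete_values": [], "files": [],
            "services": [], "commands": [], "flags": []}
    section, current_key, key_deleted = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                 # section header such as ':reg'
            section = line[1:].lower()
            current_key, key_deleted = None, False
            continue
        if section == "reg":
            if line.startswith("[-") and line.endswith("]"):      # [-key] deletes the whole key
                current_key, key_deleted = line[2:-1], True
                plan["delete_keys"].append(current_key)
                if current_key.upper().startswith(HIGH_IMPACT_PREFIX):
                    plan["flags"].append("whole-key deletion under HKLM\\SYSTEM: " + current_key)
            elif line.startswith("[") and line.endswith("]"):     # [key] selects the key
                current_key, key_deleted = line[1:-1], False
            else:
                m = VALUE_DELETE.match(line)
                if m and current_key is not None:
                    plan["delete_values"].append((current_key, m.group(1)))
                    if key_deleted:
                        plan["flags"].append(
                            "value '%s' listed under %s, which the same script already deletes as a whole key"
                            % (m.group(1), current_key))
                else:
                    plan["flags"].append("unrecognised :reg line: " + line)
        elif section == "files":
            plan["files"].append(line)
        elif section == "services":
            plan["services"].append(line)
        elif section == "commands":
            plan["commands"].append(line.strip("[]"))
    return plan


if __name__ == "__main__":
    for kind, items in summarize_otmoveit_script(OTMOVEIT_SAMPLE).items():
        print(kind)
        for item in items:
            print("   ", item)
```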

#6 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts

Posted 25 January 2009 - 06:48 PM

Billy,

O.K. I am stuck in reboot cycle again...

Not sure if you read the other posts here:
http://www.bleepingcomputer.com/forums/t/192515/stop-0x0000008e-blue-screen/

Also, here was the latest comment from an earlier post:
Looks like my McAfee did an automatic scan and ended up rebooting my machine without me knowing....it actually booted into normal mode so I re-did the DDS script, here is my new log.

The McAfee Scan found some viruses and cleaned them. I updated and ran MBAM and Super Anti-spyware and there were no viruses found......I still have not rebooted.



I backed up the registry file, then ran OTMoveIt. It ran fine, then asked to reboot. I did, and it's stuck cycling in reboot, never getting into Windows. It goes to the black screen with the large "Microsoft Windows XP" in the center and the bars going across, then the screen goes black and it reboots.

Jay

#7 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts

Posted 25 January 2009 - 07:26 PM

O.K... I hit F8 at boot up and picked the "Last known configuration that worked" option and I am back into Windows.

I think my issue is more related to my defrag rather than the virus, but this is your area of expertise so I'll wait for your advice.

Here is the OTMoveit log....

Attached Files



#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 January 2009 - 07:28 PM

Before it shows the screen, just after it reboots, press the F8 key. One of the options will be "Disable Automatic Restart on System Failure."

This time, windows will give you a STOP error message (Blue Screen of Death). Write down the error code for me please :thumbsup: It should be in the form 0x0000007E, where the zeros and 7e are numbers 0-9 and digits A-F.

Billy3

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 January 2009 - 07:29 PM

Hello, J-ROCK
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII

#10 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts

Posted 25 January 2009 - 08:28 PM

O.K.
I didn't do the "Disable Automatic Restart on System Failure." yet...I will wait until you tell me it is time.

Here is the Combofix log:




Thanks,
J-Rock

Attached Files



#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 26 January 2009 - 04:26 PM

Hello, J-ROCK
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    driver::
    DW
    EnumChip
    o1394bul
    folder::
    c:\documents and settings\All Users\Application Data\qjepaxqz
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII

#12 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts

Posted 26 January 2009 - 06:34 PM

I followed your instructions.

I got this error about a dozen times throughout.

In the Blue header of the pop up window it was "regt.cfexe"
The application failed to initialize properly (0xc0000005) Click OK to terminate the application.

I had to click a dozen times at around "Stage 50" for the program to continue...it would go a bit then the pop up would appear.

It did seem to run, and here is the log that was open at the end of the reboot - Combofit log2.txt.

I also attached the c:\combofix log.txt - not sure if they are the same or not.

J-ROCK

Attached Files



#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 26 January 2009 - 06:44 PM

Hello, J-ROCK
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII

#14 J-ROCK

J-ROCK
  • Topic Starter

  • Members
  • 52 posts

Posted 27 January 2009 - 01:02 AM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3802 (20090126)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b5c27e12c7bb9b42b8d0bc0e043c84a5
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-27 05:37:44
# local_time=2009-01-27 12:37:44 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=379412
# found=2
# scan_time=3972
C:\WINDOWS\iLycos\ss_webdevaz_setup.exe Win32/Adware.SideSearch application (deleted) 00000000000000000000000000000000
C:\WINDOWS\iLycos\ss_webdevaz_setup.exe ╗NSIS ╗ř ­.dll Win32/Adware.SideSearch application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 27 January 2009 - 07:43 PM

Hello, J-ROCK
Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII



