
Win XP Pro "the application or dll....is not a valid windows image"


  • This topic is locked
8 replies to this topic

#1 aredeem

aredeem

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 22 March 2009 - 08:27 PM

"The application or DLL C:\WINDOWS\system32\hizofoku.dll is not a valid Windows image. Please check this against your installation diskette." I have run various programs, Ad-Aware, Spybot Search and Delete, Malwarebytes, and nothing seems to work. I see it when various executables run. In this case it was jqsnotify.exe. Thank you!


DDS (Ver_09-03-16.01) - NTFSx86
Run by rocky at 21:10:41.64 on Sun 03/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2662 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\rocky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t network client\NetSP.exe" -show
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {4694D261-D91B-4B74-8AE6-6C0222BA7F20} = 9.0.2.1,9.0.3.1
TCP: {CEE1844C-E088-4D61-9831-F744BB612C51} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\vabotezu.dll rpkqgv.dll , ,c:\windows\system32\hizofoku.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\vabotezu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rocky\applic~1\mozilla\firefox\profiles\1a57gi9m.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com/i/514
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2004-4-29 19328]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-11 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-11 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-11 144704]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2009-1-4 23200]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [2006-5-19 180864]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-1-2 93696]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-11 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-11 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-11 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-11 40488]
S2 gupdate1c988db9baaf03a;Google Update Service (gupdate1c988db9baaf03a);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2008-12-10 24636]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2009-1-2 13952]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-11 34152]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-16 11:08 <DIR> --d----- c:\program files\iPod
2009-03-16 11:08 <DIR> --d----- c:\program files\iTunes
2009-03-16 11:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 11:07 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 13:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-02 13:25 <DIR> --d----- c:\docume~1\rocky\applic~1\McAfee
2009-03-01 12:33 552 a------- c:\windows\system32\d3d8caps.dat
2009-03-01 11:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-01 11:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-01 11:34 <DIR> --d----- c:\docume~1\rocky\applic~1\SUPERAntiSpyware.com
2009-03-01 11:33 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-01 11:30 <DIR> --d----- c:\docume~1\rocky\applic~1\Malwarebytes
2009-03-01 11:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-01 11:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 11:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 11:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-01 02:44 153 a------- c:\windows\wininit.ini
2009-02-28 17:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-15 19:39 21,200 a------- c:\docume~1\rocky\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-02 22:39 40,960 a------- c:\windows\uneng.exe
2009-01-02 19:55 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 19:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 19:16 319,488 a------- c:\windows\HideWin.exe
2009-01-02 16:05 21,640 a------- c:\windows\system32\emptyregdb.dat
2001-09-10 10:00 139,264 a------- c:\windows\inf\i386\Rtscan.dll
2001-09-10 09:10 61,440 a------- c:\windows\inf\i386\onetUSD.dll
2001-08-17 19:43 32,768 a------- c:\windows\inf\i386\Wiamicro.dll
2001-08-03 19:29 13,824 a------- c:\windows\inf\i386\usbscan.sys
2001-06-29 09:10 163,840 a------- c:\windows\inf\i386\viceo.dll
0000-00-00 00:00 0 a--sh--- c:\windows\system32\hizofoku.dll
0000-00-00 00:00 0 a--sh--- c:\windows\system32\kitasawe.dll
0000-00-00 00:00 0 a--sh--- c:\windows\system32\zuheyisi.dll

============= FINISH: 21:12:56.39 ===============
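The DDS report above already contains the mechanism behind the error in this post: the AppInit_DLLs value and the LSA Notification Packages value name DLLs under system32 (vabotezu.dll appears in both, hizofoku.dll in AppInit_DLLs), and Find3M lists hizofoku.dll, kitasawe.dll and zuheyisi.dll as zero-byte files with the hidden and system attributes. AppInit_DLLs are mapped into every process that loads user32.dll, which is why unrelated executables such as jqsnotify.exe trip over the same file. The following Python triage script is an added example, not part of the thread and not the DDS tool's own code: it parses those three report sections and cross-references them. The sample log is a constructed excerpt of the report above; the reading of the `h`/`s` attribute letters as hidden/system, the `scecli` default for LSA packages, and all function names are my own assumptions.

```python
"""Triage a DDS 'Pseudo HJT Report' + Find3M dump (added example, not DDS code).

Pulls the DLLs that Windows loads into every process via AppInit_DLLs and into
LSASS via LSA Notification Packages, then cross-references them with files that
DDS reports as zero-length, hidden and system.  A DLL in both lists is the
classic cause of "...is not a valid Windows image": the loader is told to map a
file it cannot read as a PE image.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the DDS report posted in the thread (raw string so the
# Windows backslashes survive; '\v' would otherwise become a vertical tab).
SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============

AppInit_DLLs: c:\windows\system32\vabotezu.dll rpkqgv.dll , ,c:\windows\system32\hizofoku.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\vabotezu.dll

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
0000-00-00 00:00 0 a--sh--- c:\windows\system32\hizofoku.dll
0000-00-00 00:00 0 a--sh--- c:\windows\system32\kitasawe.dll
0000-00-00 00:00 0 a--sh--- c:\windows\system32\zuheyisi.dll
"""

# One DDS file entry: "<date> <time> <size> <attrs> <path>" (directories show
# "<DIR>" instead of a size and are deliberately not matched).
FILE_ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+(\S{8})\s+(.+?)\s*$")
# Both registry values are space- or comma-delimited lists of DLL names/paths.
LIST_SPLIT = re.compile(r"[\s,]+")
# Assumption: scecli is the only package present on a stock Windows XP install.
DEFAULT_LSA_PACKAGES = {"scecli"}


@dataclass
class Triage:
    appinit_dlls: list = field(default_factory=list)
    lsa_packages: list = field(default_factory=list)
    hidden_empty_files: dict = field(default_factory=dict)  # basename -> full path
    injected_and_hidden: list = field(default_factory=list)  # basenames in both sets


def basename_lower(path):
    """os.path.basename ignores backslashes on POSIX, so split by hand."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_dds(text):
    """Walk the report line by line and collect the three indicators."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            value = line[len("AppInit_DLLs:"):]
            t.appinit_dlls = [p for p in LIST_SPLIT.split(value) if p]
        elif line.startswith("LSA: Notification Packages ="):
            value = line.split("=", 1)[1]
            t.lsa_packages = [p for p in LIST_SPLIT.split(value) if p]
        else:
            m = FILE_ENTRY.match(line)
            if not m:
                continue
            _stamp, size, attrs, path = m.groups()
            empty = int(size.replace(",", "")) == 0
            # Assumption: DDS prints 's' for the system and 'h' for the hidden attribute.
            hidden_system = "h" in attrs and "s" in attrs
            if empty and hidden_system:
                t.hidden_empty_files[basename_lower(path)] = path
    injected = {basename_lower(p) for p in t.appinit_dlls}
    injected |= {basename_lower(p) for p in t.lsa_packages
                 if basename_lower(p) not in DEFAULT_LSA_PACKAGES}
    t.injected_and_hidden = sorted(n for n in injected if n in t.hidden_empty_files)
    return t


def findings(t):
    """Human-readable triage lines, one per indicator."""
    out = []
    for dll in t.appinit_dlls:
        out.append(f"AppInit_DLLs loads {dll} into every process that maps user32.dll")
    for pkg in t.lsa_packages:
        if basename_lower(pkg) not in DEFAULT_LSA_PACKAGES:
            out.append(f"non-default LSA Notification Package (runs inside LSASS): {pkg}")
    for name in t.injected_and_hidden:
        out.append(f"{name}: injected via registry AND reported as a 0-byte hidden/system file")
    return out


if __name__ == "__main__":
    for line in findings(parse_dds(SAMPLE_DDS_LOG)):
        print(line)
```

Feeding the script the full report instead of the excerpt works unchanged, since it keys on the `AppInit_DLLs:` and `LSA:` prefixes and on the fixed file-entry layout rather than on section headers. The zero size and `0000-00-00` timestamp are what DDS printed, not a claim about the real file; the useful signal is the combination of "loaded everywhere" and "unreadable/hidden", which is the pattern a helper looks for before choosing a rootkit-aware scanner.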


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:10 PM

Posted 23 March 2009 - 10:19 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 aredeem

aredeem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 24 March 2009 - 09:59 AM

Thank you, Sam. Here is the output from the OTListIt2 report.

=================================================================================================
OTListIt logfile created on: 3/24/2009 10:28:41 AM - Run 2
OTListIt2 by OldTimer - Version 2.0.7.1 Folder = C:\Documents and Settings\rocky\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.56 Gb Total Space | 657.96 Gb Free Space | 94.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 232.83 Gb Total Space | 145.29 Gb Free Space | 62.40% Space Free | Partition Type: FAT32

Computer Name: RDHOMEY
Current User Name: rocky
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/07/09 12:11:44 | 00,561,152 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/03/06 00:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/01/02 19:37:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/07 00:21:51 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/10/10 17:16:00 | 00,792,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/07/18 09:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/07/09 15:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2008/06/20 06:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2008/08/19 19:28:26 | 16,850,944 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/08/14 01:04:42 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/07/11 17:48:54 | 00,641,208 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/03/12 20:56:58 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/07/09 18:36:30 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2007/12/03 15:21:24 | 00,869,672 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
PRC - [2006/11/03 19:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2007/01/13 09:00:00 | 00,323,584 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\NetCfgSv.EXE
PRC - [2009/03/12 20:56:52 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/09/16 11:04:12 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2007/01/13 09:00:00 | 00,208,896 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\NetClient.exe
PRC - [2008/04/13 20:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:23 | 00,677,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mstsc.exe
PRC - [2009/02/19 21:43:11 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/24 10:23:28 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rocky\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/12/10 01:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- C:\apache\bin\httpd.exe -- (Apache2.2 [On_Demand | Stopped])
SRV - [2009/03/06 00:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 02:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/09 12:11:44 | 00,561,152 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2008/07/08 22:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/01/31 15:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [On_Demand | Stopped])
SRV - [2007/10/24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/01/09 09:49:07 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2009/02/07 00:21:51 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c988db9baaf03a [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/12 20:56:52 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/01/02 19:37:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
SRV - [2008/10/10 17:16:00 | 00,792,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/07/18 09:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2008/06/20 14:10:22 | 00,361,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2008/07/09 15:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2008/06/20 06:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2008/09/16 11:04:12 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2008/07/09 18:36:30 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2007/12/03 15:21:24 | 00,869,672 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Auto | Running])
SRV - [2007/01/13 09:00:00 | 00,323,584 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\NetCfgSv.EXE -- (NetCfgSvr [Auto | Running])
SRV - [2007/12/13 20:10:56 | 00,447,784 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/10/23 10:47:34 | 00,315,264 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\Temp\0037171237839869mcinst.exe -- (0037171237839869mcinstcleanup [Auto | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/05/19 10:46:14 | 00,180,864 | ---- | M] (AT&T) -- C:\WINDOWS\system32\DRIVERS\agnfilt.sys -- (agnfilt [On_Demand | Running])
DRV - [2004/04/29 18:19:18 | 00,019,328 | ---- | M] (AT&T) -- C:\WINDOWS\system32\DRIVERS\agnwifi.sys -- (agnwifi [Auto | Running])
DRV - [2008/07/09 13:45:12 | 03,231,744 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2008/05/21 08:53:36 | 00,093,696 | ---- | M] (ATI Research Inc.) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService [On_Demand | Running])
DRV - [2003/04/04 13:48:06 | 00,013,952 | ---- | M] (AT&T) -- C:\WINDOWS\system32\DRIVERS\avpnnic.sys -- (avpnnic [On_Demand | Running])
DRV - [2008/02/27 13:49:00 | 00,003,840 | ---- | M] () -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt [System | Running])
DRV - [2000/07/24 02:01:00 | 00,019,537 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar [Auto | Stopped])
DRV - [2009/01/15 12:19:36 | 00,023,848 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2003/11/17 16:59:20 | 00,212,224 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
DRV - [2003/11/17 16:56:26 | 01,042,432 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2008/08/19 18:27:58 | 04,805,632 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2003/04/09 14:48:08 | 00,011,043 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2008/06/27 07:08:40 | 00,079,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2008/06/27 07:08:40 | 00,035,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2008/06/27 07:08:40 | 00,207,656 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2008/06/20 06:41:38 | 00,034,152 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Running])
DRV - [2008/06/27 07:08:40 | 00,040,488 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2008/06/02 15:55:42 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2008/06/01 03:13:10 | 00,034,064 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (npf [On_Demand | Stopped])
DRV - [1999/06/30 03:49:10 | 00,023,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\ppsio2.sys -- (ppsio2 [Auto | Running])
DRV - [2001/08/23 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/07/01 12:27:44 | 00,108,800 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2009/02/17 12:43:28 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/02/17 12:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/02/17 12:43:28 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/04/13 12:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/03/05 23:59:00 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2003/11/17 16:58:02 | 00,680,704 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1085031214-179605362-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1085031214-179605362-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1085031214-179605362-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-1085031214-179605362-725345543-1003\S-1-5-21-1085031214-179605362-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1085031214-179605362-725345543-1003\S-1-5-21-1085031214-179605362-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://news.yahoo.com/i/514"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/01/02 19:37:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\PROGRAM FILES\MCAFEE\SITEADVISOR [2009/03/22 10:47:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/22 20:13:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/22 20:13:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/03/06 10:19:18 | 00,000,000 | ---D | M]

[2009/03/22 20:13:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rocky\Application Data\mozilla\Extensions
[2009/03/22 20:13:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rocky\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/22 20:13:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rocky\Application Data\mozilla\Firefox\Profiles\1a57gi9m.default\extensions
[2009/03/22 20:13:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/22 20:13:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/19 21:43:33 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/02/19 21:43:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/19 15:33:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/02/19 15:33:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/02/19 15:33:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/02/19 15:33:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/02/19 15:33:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/02/19 15:33:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/02/19 15:33:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (302468 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10428 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1085031214-179605362-725345543-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-1085031214-179605362-725345543-1003..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1085031214-179605362-725345543-1003..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show (AT&T)
O4 - HKU\S-1-5-21-1085031214-179605362-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1085031214-179605362-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1085031214-179605362-725345543-1003\..Trusted Sites: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1085031214-179605362-725345543-1003\..Trusted Sites: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1085031214-179605362-725345543-1003\..Trusted Sites: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1085031214-179605362-725345543-1003\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{4694D261-D91B-4B74-8AE6-6C0222BA7F20}\\Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{4694D261-D91B-4B74-8AE6-6C0222BA7F20}\\NameServer = 9.0.2.1,9.0.3.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{CEE1844C-E088-4D61-9831-F744BB612C51}\\NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\vabotezu.dll rpkqgv.dll ) - C:\WINDOWS\system32\vabotezu.dll rpkqgv.dll File not found
O20 - AppInit_DLLs: ( ) - File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\hizofoku.dll) - C:\WINDOWS\system32\hizofoku.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/02 16:07:41 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{4a2332ec-dd48-11dd-ad4f-002170458ca9}\Shell\AutoRun\command - "" = J:\WDSetup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/03/24 10:23:28 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\rocky\Desktop\OTListIt2.exe
[2009/03/24 10:23:00 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\rocky\Desktop\mvflovq7.exe
[2009/03/23 16:24:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/03/22 21:10:18 | 00,360,002 | ---- | C] () -- C:\Documents and Settings\rocky\Desktop\dds.scr
[2009/03/22 20:55:21 | 24,768,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/16 11:08:27 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/03/16 11:08:25 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/03/16 11:08:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/03/06 10:28:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\Talkback
[2009/03/06 10:19:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Local Settings\Application Data\Thunderbird
[2009/03/06 10:19:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\Thunderbird
[2009/03/06 10:01:05 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2009/03/02 13:54:42 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/03/02 13:25:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\McAfee
[2009/03/01 12:33:24 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/01 11:34:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/03/01 11:34:24 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/03/01 11:34:21 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/03/01 11:34:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\SUPERAntiSpyware.com
[2009/03/01 11:33:55 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/03/01 11:30:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\Malwarebytes
[2009/03/01 11:30:33 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/01 11:30:33 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/01 11:30:31 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/01 11:30:30 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/01 11:30:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/01 02:44:21 | 00,000,153 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/28 17:12:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/02/22 12:30:43 | 00,003,544 | ---- | C] () -- C:\Documents and Settings\rocky\Desktop\KeithWhitley.gif

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/24 10:23:28 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rocky\Desktop\OTListIt2.exe
[2009/03/24 10:23:00 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\rocky\Desktop\mvflovq7.exe
[2009/03/24 07:57:46 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/03/23 01:35:37 | 00,001,766 | -H-- | M] () -- C:\Documents and Settings\rocky\My Documents\Default.rdp
[2009/03/23 00:56:48 | 00,007,755 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/03/23 00:56:35 | 00,002,271 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AT&T Network Client.lnk
[2009/03/22 21:10:18 | 00,360,002 | ---- | M] () -- C:\Documents and Settings\rocky\Desktop\dds.scr
[2009/03/22 21:06:43 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/22 21:05:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/22 21:05:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/22 21:05:27 | 00,118,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/22 20:55:14 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/22 19:59:42 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/22 19:58:29 | 00,015,872 | ---- | M] () -- C:\Documents and Settings\rocky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/21 16:59:46 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\nunogaza
[2009/03/15 20:21:01 | 00,511,750 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/15 20:21:01 | 00,429,312 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/15 20:21:01 | 00,074,280 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/15 01:00:00 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/03/02 14:01:50 | 00,302,468 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/01 15:55:17 | 00,302,468 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090302-130150.backup
[2009/03/01 12:33:24 | 00,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/01 11:34:24 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/03/01 11:30:33 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/01 02:44:27 | 00,000,153 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/03/01 02:00:02 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/02/25 12:55:00 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/22 12:30:44 | 00,003,544 | ---- | M] () -- C:\Documents and Settings\rocky\Desktop\KeithWhitley.gif
< End of report >
=================================================================================================

I will post the output from the GMER log this evening, as it is still running.

Thanks again,
-Rocky

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:10 PM

Posted 24 March 2009 - 01:56 PM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\vabotezu.dll rpkqgv.dll ) - C:\WINDOWS\system32\vabotezu.dll rpkqgv.dll File not found
    O20 - AppInit_DLLs: ( ) - File not found
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\hizofoku.dll) - C:\WINDOWS\system32\hizofoku.dll ()
    
    :Files
    C:\Documents and Settings\rocky\Desktop\mvflovq7.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

Also post the Gmer log once it completes.
Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
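The fix script above targets the three O20 AppInit_DLLs entries and one unsigned file from the OTListIt2 log. The reasoning a helper applies when reading such a log can be written down as a small triage script. The following is an added example, not code from OTListIt2 or from Buckeye_Sam; the line grammar is reconstructed from the log lines posted in this thread, the sample lines are copied from that log, and the rule weights and the "random-looking name" heuristic are my own assumptions. It only flags entries for review; it does not decide what is malicious.

```python
"""Triage OTListIt2/OTL-style log lines for entries worth a closer look.

Added example. Assumptions: the "Oxx - body (Publisher)" line shape is
reconstructed from the lines in this thread; weights are arbitrary.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "O20 - AppInit_DLLs: (value) - path (Publisher)" and similar lines
_SECTION_RE = re.compile(r"^(?P<sec>O\d+) - (?P<body>.*)$")
# the publisher/company is the last parenthesised group, e.g. "(Microsoft Corporation)" or "()"
_PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*$")
_APPINIT_RE = re.compile(r"^AppInit_DLLs: \((?P<value>[^)]*)\)")
_DLL_TOKEN_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)
# crude heuristic (assumption): a stem of 6-8 lowercase letters and nothing else
_RANDOM_STEM_RE = re.compile(r"^[a-z]{6,8}\.dll$")


@dataclass
class Finding:
    section: str
    raw: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    def add(self, reason: str, weight: int) -> None:
        self.reasons.append(reason)
        self.score += weight


def triage_line(line: str) -> Optional[Finding]:
    """Score one log line; returns None for lines that are not 'Oxx - ...' entries."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    f = Finding(m["sec"], line.strip())

    # A reference to a file that is no longer on disk: leftover of a removed component.
    if "File not found" in body:
        f.add("dangling: referenced file no longer on disk", 2)

    # A DLL/EXE whose version resource carries no company name.
    pub = _PUBLISHER_RE.search(body)
    if pub is not None and pub["pub"].strip() == "" and re.search(r"\.(dll|exe)\b", body, re.I):
        f.add("no publisher/version info on referenced binary", 1)

    # AppInit_DLLs: on Windows XP every DLL listed here is loaded into every
    # process that loads user32.dll, so legitimate entries are rare.
    ai = _APPINIT_RE.match(body)
    if ai is not None:
        dlls = _DLL_TOKEN_RE.findall(ai["value"])
        if dlls:
            f.add("AppInit_DLLs entry: injected into every user32-loading process", 2)
            for d in dlls:
                name = d.rsplit("\\", 1)[-1].lower()
                if _RANDOM_STEM_RE.match(name):
                    f.add(f"random-looking name: {name}", 1)
    return f


def triage(text: str, threshold: int = 2) -> List[Finding]:
    """Return the findings whose score reaches the threshold, in log order."""
    out = []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None and f.score >= threshold:
            out.append(f)
    return out


# Sample lines copied from the OTListIt2 log in this thread (constructed test input).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O20 - AppInit_DLLs: (C:\WINDOWS\system32\vabotezu.dll rpkqgv.dll ) - C:\WINDOWS\system32\vabotezu.dll rpkqgv.dll File not found
O20 - AppInit_DLLs: ( ) - File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\hizofoku.dll) - C:\WINDOWS\system32\hizofoku.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O33 - MountPoints2\{4a2332ec-dd48-11dd-ad4f-002170458ca9}\Shell\AutoRun\command - "" = J:\WDSetup.exe -- File not found
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] score={f.score}")
        print("   ", f.raw)
        for r in f.reasons:
            print("      -", r)
```

With the threshold at 2, the Dell entry with an empty publisher field scores 1 and is not reported, while the three AppInit_DLLs lines and the stale removable-drive AutoRun command are; the "File not found" entries are harmless on their own but are still worth cleaning so the log stays readable on the next pass.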


========================================================

#5 aredeem

aredeem
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:10 PM

Posted 24 March 2009 - 06:06 PM

Sam,
Here is the output from the GMER log.

-Rocky

======================================================================================
GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-24 19:04:47
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xACA5F9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xACA5FA61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xACA5F978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xACA5F98C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xACA5FA75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xACA5FAA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xACA5FB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xACA5FAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xACA5FA0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xACA5FB3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xACA5FA4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xACA5F950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xACA5F964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xACA5F9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xACA5FB77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xACA5FAE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xACA5FACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xACA5FA8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xACA5FB63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xACA5FB4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xACA5F9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xACA5F9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xACA5FAB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xACA5FA39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xACA5FB25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xACA5FA20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xACA5F9F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP ACA5F9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP ACA5F9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP ACA5FA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP ACA5FA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP ACA5F9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP ACA5F954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP ACA5F968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP ACA5F9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP ACA5F990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP ACA5F97C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP ACA5F9BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP ACA5FA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP ACA5FAD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP ACA5FABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP ACA5FB29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP ACA5FAE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP ACA5FA8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP ACA5FA65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP ACA5FA79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP ACA5FAA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP ACA5FB13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP ACA5FAFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP ACA5FA51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP ACA5FB7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP ACA5FB53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP ACA5FB67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP ACA5FB3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011C0FEF
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011C0075
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011C0F8A
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011C0064

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

======================================================================================

Edited by aredeem, 24 March 2009 - 06:06 PM.


#6 aredeem

  • Topic Starter
  • Members
  • 6 posts

Posted 24 March 2009 - 06:22 PM

Sam,
I followed your instructions to paste the cmds in OTListIt2 and executed it. After the reboot, I am not seeing the original pop-up message about "the application or dll....is not a valid windows image" any longer. The machine seems to be running just fine. I am guessing that the script I fed to OTListIt2 is renaming and removing some .dll's. Was that the major issue?

I am also posting the latest output from OTListIt below.

Thank you!
-Rocky

===================================================================================
OTListIt logfile created on: 3/24/2009 7:13:19 PM - Run 3
OTListIt2 by OldTimer - Version 2.0.7.1 Folder = C:\Documents and Settings\rocky\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.56 Gb Total Space | 657.99 Gb Free Space | 94.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 232.83 Gb Total Space | 145.29 Gb Free Space | 62.40% Space Free | Partition Type: FAT32

Computer Name: RDHOMEY
Current User Name: rocky
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/07/09 12:11:44 | 00,561,152 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2009/03/06 00:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/01/02 19:37:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/07 00:21:51 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/10/10 17:16:00 | 00,792,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/07/18 09:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/07/09 15:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2008/06/20 06:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2008/07/09 18:36:30 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2007/12/03 15:21:24 | 00,869,672 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
PRC - [2007/01/13 09:00:00 | 00,323,584 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\NetCfgSv.EXE
PRC - [2008/04/13 20:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/09/16 11:04:12 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2008/07/11 17:48:54 | 00,641,208 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/08/19 19:28:26 | 16,850,944 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/08/14 01:04:42 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/03/12 20:56:58 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2006/11/03 19:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2008/08/14 01:04:52 | 01,017,648 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\gs_agent\dsc.exe
PRC - [2009/03/12 20:56:52 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/24 10:23:28 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rocky\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (0037171237839869mcinstcleanup [Auto | Stopped])
SRV - [2008/12/10 01:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- C:\apache\bin\httpd.exe -- (Apache2.2 [On_Demand | Stopped])
SRV - [2009/03/06 00:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 02:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/09 12:11:44 | 00,561,152 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2008/07/08 22:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/01/31 15:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [On_Demand | Stopped])
SRV - [2007/10/24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/01/09 09:49:07 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2009/02/07 00:21:51 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c988db9baaf03a [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/12 20:56:52 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/01/02 19:37:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
SRV - [2008/10/10 17:16:00 | 00,792,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/07/18 09:02:52 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2008/06/20 14:10:22 | 00,361,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2008/07/09 15:49:10 | 00,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2008/06/20 06:41:04 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2008/09/16 11:04:12 | 00,605,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2008/07/09 18:36:30 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2007/12/03 15:21:24 | 00,869,672 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Auto | Running])
SRV - [2007/01/13 09:00:00 | 00,323,584 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\NetCfgSv.EXE -- (NetCfgSvr [Auto | Running])
SRV - [2007/12/13 20:10:56 | 00,447,784 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/05/19 10:46:14 | 00,180,864 | ---- | M] (AT&T) -- C:\WINDOWS\system32\DRIVERS\agnfilt.sys -- (agnfilt [On_Demand | Running])
DRV - [2004/04/29 18:19:18 | 00,019,328 | ---- | M] (AT&T) -- C:\WINDOWS\system32\DRIVERS\agnwifi.sys -- (agnwifi [Auto | Running])
DRV - [2008/07/09 13:45:12 | 03,231,744 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2008/05/21 08:53:36 | 00,093,696 | ---- | M] (ATI Research Inc.) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService [On_Demand | Running])
DRV - [2003/04/04 13:48:06 | 00,013,952 | ---- | M] (AT&T) -- C:\WINDOWS\system32\DRIVERS\avpnnic.sys -- (avpnnic [On_Demand | Stopped])
DRV - [2008/02/27 13:49:00 | 00,003,840 | ---- | M] () -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt [System | Running])
DRV - [2000/07/24 02:01:00 | 00,019,537 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar [Auto | Stopped])
DRV - [2009/01/15 12:19:36 | 00,023,848 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2003/11/17 16:59:20 | 00,212,224 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
DRV - [2003/11/17 16:56:26 | 01,042,432 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2008/08/19 18:27:58 | 04,805,632 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2003/04/09 14:48:08 | 00,011,043 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2008/06/27 07:08:40 | 00,079,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2008/06/27 07:08:40 | 00,035,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2008/06/27 07:08:40 | 00,207,656 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2008/06/20 06:41:38 | 00,034,152 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2008/06/27 07:08:40 | 00,040,488 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2008/06/02 15:55:42 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2008/06/01 03:13:10 | 00,034,064 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (npf [On_Demand | Stopped])
DRV - [1999/06/30 03:49:10 | 00,023,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\ppsio2.sys -- (ppsio2 [Auto | Running])
DRV - [2001/08/23 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/07/01 12:27:44 | 00,108,800 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2009/02/17 12:43:28 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/02/17 12:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/02/17 12:43:28 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/04/13 12:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/03/05 23:59:00 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2003/11/17 16:58:02 | 00,680,704 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://news.yahoo.com/i/514"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/01/02 19:37:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\PROGRAM FILES\MCAFEE\SITEADVISOR [2009/03/22 10:47:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/22 20:13:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/22 20:13:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/03/06 10:19:18 | 00,000,000 | ---D | M]

[2009/03/22 20:13:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rocky\Application Data\mozilla\Extensions
[2009/03/22 20:13:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rocky\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/22 20:13:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\rocky\Application Data\mozilla\Firefox\Profiles\1a57gi9m.default\extensions
[2009/03/22 20:13:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/22 20:13:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/19 21:43:33 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/02/19 21:43:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/19 15:33:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/02/19 15:33:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/02/19 15:33:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/02/19 15:33:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/02/19 15:33:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/02/19 15:33:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/02/19 15:33:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (302468 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10428 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKCU..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show (AT&T)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Sites: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Sites: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{4694D261-D91B-4B74-8AE6-6C0222BA7F20}\\Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{4694D261-D91B-4B74-8AE6-6C0222BA7F20}\\NameServer = 9.0.2.1,9.0.3.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{CEE1844C-E088-4D61-9831-F744BB612C51}\\NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/02 16:07:41 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{4a2332ec-dd48-11dd-ad4f-002170458ca9}\Shell\AutoRun\command - "" = J:\WDSetup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/03/24 19:07:57 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/03/24 10:23:28 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\rocky\Desktop\OTListIt2.exe
[2009/03/22 21:10:18 | 00,360,002 | ---- | C] () -- C:\Documents and Settings\rocky\Desktop\dds.scr
[2009/03/22 20:55:21 | 24,768,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/16 11:08:27 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/03/16 11:08:25 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/03/16 11:08:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/03/06 10:28:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\Talkback
[2009/03/06 10:19:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Local Settings\Application Data\Thunderbird
[2009/03/06 10:19:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\Thunderbird
[2009/03/06 10:01:05 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2009/03/02 13:54:42 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/03/02 13:25:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\McAfee
[2009/03/01 12:33:24 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/01 11:34:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/03/01 11:34:24 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/03/01 11:34:21 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/03/01 11:34:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\SUPERAntiSpyware.com
[2009/03/01 11:33:55 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/03/01 11:30:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\rocky\Application Data\Malwarebytes
[2009/03/01 11:30:33 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/01 11:30:33 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/01 11:30:31 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/01 11:30:30 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/01 11:30:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/01 02:44:21 | 00,000,153 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/28 17:12:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/24 19:11:51 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/24 19:10:06 | 00,007,887 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/03/24 19:09:35 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/24 19:09:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/24 19:02:20 | 00,001,766 | -H-- | M] () -- C:\Documents and Settings\rocky\My Documents\Default.rdp
[2009/03/24 11:18:38 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/03/24 10:23:28 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rocky\Desktop\OTListIt2.exe
[2009/03/23 00:56:35 | 00,002,271 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AT&T Network Client.lnk
[2009/03/22 21:10:18 | 00,360,002 | ---- | M] () -- C:\Documents and Settings\rocky\Desktop\dds.scr
[2009/03/22 21:05:27 | 00,118,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/22 20:55:14 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/22 19:59:42 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/22 19:58:29 | 00,015,872 | ---- | M] () -- C:\Documents and Settings\rocky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/21 16:59:46 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\nunogaza
[2009/03/15 20:21:01 | 00,511,750 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/15 20:21:01 | 00,429,312 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/15 20:21:01 | 00,074,280 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/15 01:00:00 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/03/02 14:01:50 | 00,302,468 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/01 15:55:17 | 00,302,468 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090302-130150.backup
[2009/03/01 12:33:24 | 00,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/01 11:34:24 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/03/01 11:30:33 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/01 02:44:27 | 00,000,153 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/03/01 02:00:02 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/02/25 12:55:00 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

===================================================================================

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 March 2009 - 02:43 PM

Actually the files were already gone. Probably deleted by one of your antimalware programs that you already have. But what was left was the registry entry that was calling on that file. When the file wasn't there, that's when you got the error message.

Just a little cleaning up and then some final recommendations for you.

Run OTListIt2 and click on the CleanUp button.
Reboot when it asks you to.


==============


Run an online scan at Secunia Online Software Inspector
  • Click on the red button at the bottom of the screen that says Start Scanner.
  • Follow the prompts to install the scanning software.
  • Do not check the box for Enable thorough system inspection
  • Click the Start button.
  • The program will scan your system and identify insecure versions of software and missing security updates.
  • Using the links provided in the scan, download and install any current and secure versions that are needed.



===============



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
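The root cause Sam describes above is an autostart registry entry that still points at a DLL which no longer exists. This added PowerShell script (not part of the thread, and not one of the tools used in it) is a read-only audit of the common autostart locations for such orphaned references; the thread does not say which key held the entry, so the list of keys checked here is an assumption.

```powershell
# Added example, not from the thread: report autostart registry values whose
# referenced .dll/.exe is missing from disk. Read-only; nothing is changed.
# The set of locations below is an assumption (the post does not name the key).
$locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',          # AppInit_DLLs value lives here
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'   # one subkey per notification DLL
)

function Get-ReferencedImages {
    param([string]$Value)
    # Expand %SystemRoot% etc., then pull out full paths or bare .dll/.exe names
    $expanded = [Environment]::ExpandEnvironmentVariables($Value)
    $pattern  = '(?:[A-Za-z]:\\[^",;]+?\.(?:dll|exe))|(?:[\w.-]+\.(?:dll|exe))'
    foreach ($m in [regex]::Matches($expanded, $pattern, 'IgnoreCase')) { $m.Value.Trim() }
}

function Resolve-ImagePath {
    param([string]$Image)
    if ($Image -match '^[A-Za-z]:\\') { return $Image }
    # Bare names (typical for AppInit_DLLs and Winlogon\Notify) are loaded from System32
    return Join-Path $env:SystemRoot "system32\$Image"
}

function Find-OrphanedAutostarts {
    foreach ($key in $locations) {
        if (-not (Test-Path $key)) { continue }
        # Check the key itself and, for Winlogon\Notify, each DLL subkey
        $items = @(Get-Item $key) + @(Get-ChildItem $key -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $raw = [string]$item.GetValue($name)
                foreach ($ref in (Get-ReferencedImages $raw)) {
                    $full = Resolve-ImagePath $ref
                    if (-not (Test-Path -LiteralPath $full)) {
                        [pscustomobject]@{ Key = $item.Name; Value = $name; Missing = $full }
                    }
                }
            }
        }
    }
}

Find-OrphanedAutostarts | Format-Table -AutoSize
```

Any row it prints is a registry entry that will fail to load at the next logon or process start; verify what the key does before removing anything, since a legitimate program's broken uninstall leaves the same trace as malware cleanup does.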

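The Internet Explorer hardening steps in the post map onto DWORD values under the Internet zone key (zone 3). This added PowerShell script (not from the thread) reads those values, compares them with the recommended settings, and optionally applies them; the value numbers and the 0/1/3 meaning (Enable/Prompt/Disable) are Microsoft's documented zone-setting codes, and the per-user key path is assumed to be the one in effect.

```powershell
# Added example, not from the thread: audit (and with -Apply, set) the six
# Internet-zone settings recommended in the post. Zone 3 = Internet zone.
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Value name -> recommended action, one entry per bullet in the post
$recommended = @{
    '1001' = 1   # Download signed ActiveX controls                  -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                -> Disable
    '1201' = 3   # Initialize and script ActiveX not marked as safe  -> Disable
    '1800' = 1   # Installation of desktop items                     -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME         -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains      -> Prompt
}

function Test-InternetZoneHardening {
    param([switch]$Fix)
    $zone = Get-ItemProperty -Path $zoneKey
    foreach ($name in $recommended.Keys) {
        $want = $recommended[$name]
        $have = $zone.$name                      # $null when the value is not set
        $haveLabel = if ($null -eq $have) { 'not set' } else { $labels[[int]$have] }
        $status = if ($null -ne $have -and [int]$have -eq $want) { 'OK' } else { 'CHANGE' }
        [pscustomobject]@{
            Setting = $name; Current = $haveLabel; Recommended = $labels[$want]; Status = $status
        }
        if ($Fix -and $status -eq 'CHANGE') {
            Set-ItemProperty -Path $zoneKey -Name $name -Value $want -Type DWord
        }
    }
}

Test-InternetZoneHardening -Fix:$Apply | Format-Table -AutoSize
```

Run it without -Apply first to see which settings differ; a row showing "not set" means the zone is still on its built-in default for that action.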

========================================================

#8 aredeem

aredeem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 26 March 2009 - 12:07 AM

Thanks for all your help Sam.
-Rocky

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:10 PM

Posted 26 March 2009 - 02:31 PM

I'm glad I could help you out! :thumbup2:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
