Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware problem-dds log attached


  • This topic is locked This topic is locked
19 replies to this topic

#1 sunliner403

sunliner403

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 29 April 2009 - 04:19 PM

I'm not sure what I'm dealing with here. I ran HiJack This as well as the DDS. The problem is that when I change between websites or close my browser, a new window will pop-up either showing a shopping site such as JC Penney or a random entertainment site...sometimes a fake virus/malware check comes up.
The log mentions IE, but I'm using Mozilla Firefox.
Here's the DDS log: and THANK YOU in advance for helping!
-Mike


DDS (Ver_09-03-16.01) - NTFSx86
Run by Engle at 17:06:27.73 on Wed 04/29/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1467 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Best Buy Rhapsody\rhaphlpr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Engle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5f9a78d3-d015-470e-8bdf-b8f2df09bc41} - c:\windows\system32\tiyewome.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dc719244] rundll32.exe "c:\windows\system32\datezudu.dll",b
mRun: [CPMdf42a1d8] Rundll32.exe "c:\windows\system32\yowalunu.dll",a
mRun: [rohobizevu] Rundll32.exe "c:\windows\system32\gopiziwe.dll",s
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
AppInit_DLLs: c:\windows\system32\yowalunu.dll,c:\windows\system32\ravorumo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yowalunu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yowalunu.dll
LSA: Notification Packages = scecli c:\windows\system32\ravorumo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\engle\applic~1\mozilla\firefox\profiles\l1tnn5gn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\engle\application data\mozilla\firefox\profiles\l1tnn5gn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 214024]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40552]
S2 gupdate1c9c68223539c60;Google Update Service (gupdate1c9c68223539c60);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]

=============== Created Last 30 ================

2009-04-29 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-16 07:02 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 07:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 07:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:11 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-15 17:10 <DIR> --d----- c:\windows\Logs
2009-04-15 17:07 <DIR> --d----- c:\docume~1\engle\applic~1\ThirdWire
2009-04-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThirdWire
2009-04-12 20:52 <DIR> --d----- c:\program files\iPod
2009-04-12 20:52 <DIR> --d----- c:\program files\iTunes
2009-04-12 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-01 00:24 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-31 18:51 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-31 18:50 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-31 18:50 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-31 18:50 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-31 18:50 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-31 18:50 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-31 18:50 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-31 18:50 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-31 18:50 <DIR> --d----- C:\e1f422c303d946017fa3

==================== Find3M ====================

2009-04-29 12:17 67,584 a--sh--- c:\windows\system32\senadaju.dll
2009-04-29 12:16 105,472 a--sh--- c:\windows\system32\yowalunu.dll
2009-04-29 12:16 98,304 a--sh--- c:\windows\system32\datezudu.dll
2009-04-28 22:15 99,840 -------- c:\windows\system32\yezarelu.dll
2009-04-28 22:15 104,960 a--sh--- c:\windows\system32\lidirayo.dll
2009-04-28 22:15 58,880 a--sh--- c:\windows\system32\dodapete.exe
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 17:08:00.79 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 29 April 2009 - 07:26 PM

Hi sunliner403,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will also let you know that I am a trainee so each stage of the fix will need to be checked by an expert coach before I post so there may be a slight delay. Don't worry I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 29 April 2009 - 08:13 PM

Thanks Mole!

If this helps any, since I posted the log, my virus program (McAfee) reported several times that it intercepted Vundo!grb and removed it. It did this probably 5 times in one hour this afternoon but the system's been pretty quiet the last couple hours.

Thanks again for your help

-Mike

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 30 April 2009 - 07:56 AM

Hi sunliner403,

You have an infection called Vundo. This is a stubborn one to remove so it may take a while to completely remove. Due to the nature of this malware there are other things to do.

Firstly,

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Next, let's have a deeper look at the PC

Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
So please reply with both OTViewIt logs and the Gmer scan results.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 30 April 2009 - 06:56 PM

Here we go...
GMER:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-04-30 19:47:24
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAC5E44EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAC5E4581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAC5E4498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAC5E44AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAC5E4595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAC5E45C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAC5E462F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAC5E4619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAC5E452A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAC5E465B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAC5E456D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAC5E4470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAC5E4484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAC5E44FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAC5E4697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAC5E4603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAC5E45ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAC5E45AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAC5E4683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAC5E466F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAC5E44D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAC5E44C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAC5E45D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAC5E4559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAC5E4645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAC5E4540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAC5E4514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AC5E4518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AC5E44EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AC5E452E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AC5E4544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AC5E4502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP AC5E4474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP AC5E4488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AC5E44C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP AC5E44B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP AC5E449C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AC5E44DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP AC5E455D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP AC5E45F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP AC5E45DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP AC5E4649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP AC5E4607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP AC5E45AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP AC5E4585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP AC5E4599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP AC5E45C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP AC5E4633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP AC5E461D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP AC5E4571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP AC5E469B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP AC5E4673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP AC5E4687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP AC5E465F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000400A1
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040090
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0004007F
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040062
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040F80
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040F91
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F4A
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400E3
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000400FE
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040047
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000400BC
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F6F
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006004B
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0006003A
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F4B
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F66
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD002F
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FA8
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F0E
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F1F
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD008C
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0EF3
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD009D
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0F8D
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F30
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD007B
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40F8D
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40F9E
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40FAF
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30095
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F3007A
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30044
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F3005F
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30029
.text C:\WINDOWS\system32\lsass.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F55
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0F70
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB004A
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0F97
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB001E
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F02
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F29
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0080
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0EE7
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB0ECC
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0039
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0FDE
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB0F3A
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0FB2
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB0FCD
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0065
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02420FB9
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02420F86
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02420014
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02420FDE
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02420039
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02420FEF
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02420F97
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [62, 8A]
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02420FA8
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02410042
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!system 77C293C7 5 Bytes JMP 02410FB7
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02410FD2
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02410FEF
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02410027
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02410000
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60073
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60F7E
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60062
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60FA5
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F46
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60F57
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F600C4
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F600B3
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F600DF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60051
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60025
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60084
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60036
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F60F35
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90025
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90051
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90FDE
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90014
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90F9E
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90FB9
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F8005F
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F80029
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80044
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80F61
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80F72
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F83
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80F94
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80036
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80F35
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F46
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80EF5
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A80F10
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80EDA
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80071
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80FDB
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A8008E
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F6F
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FDB
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F94
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092006E
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092005D
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920027
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920038
.text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[1200] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[1200] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1200] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00910FC3
.text C:\WINDOWS\system32\svchost.exe[1200] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00910014
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02990000
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02990FAF
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 029900A4
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02990FC0
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0299007D
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02990058
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02990F81
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029900C9
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02990110
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 029900FF
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02990135
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02990FD1
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02990011
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02990F9E
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0299003D
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0299002C
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 029900E4
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 029F0FD1
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 029F0047
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 029F0022
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 029F0011
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 029F0F8A
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 029F0000
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 029F0FA5
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 8A]
.text C:\WINDOWS\System32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 029F0FB6
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 029C003D
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 029C0FB2
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 029C0FD4
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 029C000C
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 029C0FC3
.text C:\WINDOWS\System32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 029C0FEF
.text C:\WINDOWS\System32\svchost.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 029A0000
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 029B0FCA
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 029B0FEF
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 029B0000
.text C:\WINDOWS\System32\svchost.exe[1216] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 029B0011
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F92
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650087
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065006C
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0065002C
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500C9
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F81
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650109
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500EE
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0065011A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650FAF
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006500AC
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FC0
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F66
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FB9
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640039
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640F86
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00640F97
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 88]
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FA8
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630049
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FBE
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FD9
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0063002E
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063001D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F44
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800039
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800028
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F6B
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FA1
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F1D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800065
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800EDD
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800076
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00800ECC
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800F86
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800054
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00800EF8
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F006C
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0025
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F005B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F0040
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FB9
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FA1
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0022
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FE3
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0FD2
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A0007F
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00062
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00FAF
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A000BF
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F77
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F3A
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F4B
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00F1F
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00047
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A000A4
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00036
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A0001B
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F66
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0F86
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0F97
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009F0FA8
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 88]
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FC3
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0F90
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FC6
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0FAB
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0FD7
.text C:\WINDOWS\system32\svchost.exe[1424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B8008E
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80073
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80FA5
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80058
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800CB
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B800B0
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F3C
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F4D
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800E6
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80FB6
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B8009F
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[2716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F68
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B7006C
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B7005B
.text C:\WINDOWS\system32\svchost.exe[2716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70040
.text C:\WINDOWS\system32\svchost.exe[2716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60F95
.text C:\WINDOWS\system32\svchost.exe[2716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FA6
.text C:\WINDOWS\system32\svchost.exe[2716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FD2
.text C:\WINDOWS\system32\svchost.exe[2716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[2716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FC1
.text C:\WINDOWS\system32\svchost.exe[2716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B6000C
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F8B
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0080
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A006F
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A005E
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F64
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00AC
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F1D
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F38
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F02
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0039
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A009B
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\explorer.exe[3836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F49
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290025
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F7C
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029000A
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F8D
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F9E
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\explorer.exe[3836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\explorer.exe[3836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A004C
.text C:\WINDOWS\explorer.exe[3836] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A003B
.text C:\WINDOWS\explorer.exe[3836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\explorer.exe[3836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\explorer.exe[3836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\explorer.exe[3836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\explorer.exe[3836] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\explorer.exe[3836] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[3836] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 002C0025
.text C:\WINDOWS\explorer.exe[3836] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 002C0040
.text C:\WINDOWS\explorer.exe[3836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E8000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A8F4DD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
*****************************************************************************************************************************
OTViewIT:
OTViewIt logfile created on: 4/30/2009 7:49:35 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Engle\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 462.40 Gb Total Space | 394.47 Gb Free Space | 85.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ENGLEMAIN
Current User Name: Engle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007/10/07 15:29:14 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2009/04/26 11:17:36 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
[2009/03/06 00:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
[2009/01/08 21:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
[2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
[2009/01/09 09:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
[2004/08/04 05:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe
[2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
[2009/01/08 21:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
[2009/04/30 18:09:43 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Engle\Desktop\zsrp3rw0.exe
[2009/04/28 19:15:25 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2009/04/30 19:49:08 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Engle\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2009/03/06 00:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/10/07 15:29:14 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2009/04/26 11:17:36 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9c68223539c60 [Auto | Stopped])
[2009/02/23 12:13:30 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2004/08/04 05:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC [On_Demand | Stopped])
[2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
[2009/01/08 21:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
[2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
[2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
[2009/01/09 09:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
[2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService [Auto | Running])
[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp [Auto | Running])
[2007/12/02 18:34:30 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Disabled | Stopped])
[2008/04/13 14:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Disabled | Stopped])
[2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])
[2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2007/10/07 15:29:16 | 02,455,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2001/08/17 12:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Stopped])
[2007/07/19 22:10:10 | 00,254,872 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express [On_Demand | Running])
[2008/04/13 14:45:32 | 00,059,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gckernel.sys -- (GcKernel [On_Demand | Stopped])
[2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2001/08/17 14:02:50 | 00,002,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\HIDSwvd.sys -- (HIDSwvd [On_Demand | Stopped])
[2007/07/19 18:26:24 | 00,304,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iastor.sys -- (iaStor [Boot | Running])
[2007/07/16 19:48:54 | 04,403,712 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2008/04/13 14:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
[2008/10/23 14:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [System | Running])
[2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2004/08/03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/11/14 03:00:00 | 00,043,840 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/04/13 14:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Disabled | Stopped])
[2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2008/06/20 07:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6 [System | Running])
[2008/04/13 14:56:01 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tunmp.sys -- (tunmp [On_Demand | Running])
[2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])
[2009/03/05 23:59:00 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2003/12/21 21:28:20 | 00,104,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.dell.com
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Page_URL"=www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080421
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Start Page"=www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080421

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.dell4me.com/myway
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://search.yahoo.com/search?fr=mcafee&p=%s
"provider"=yaho

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080421
"Start Page"=www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080421

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080421
"Start Page"=www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080421

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.dell4me.com/myway
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.yahoo.com/

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\Software\Microsoft\Internet Explorer\SearchURL]
""=http://search.yahoo.com/search?fr=mcafee&p=%s
"provider"=yaho

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{5f9a78d3-d015-470e-8bdf-b8f2df09bc41} (HKLM) -- C:\WINDOWS\system32\tiyewome.dll File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (HKLM) -- c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
{CA6319C0-31B7-401E-A518-A07C3DB8F777} (HKLM) -- C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"Alcmtr"=ALCMTR.EXE (Realtek Semiconductor Corp.)
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" ()
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" (CyberLink Corp.)
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rohobizevu"=Rundll32.exe "C:\WINDOWS\system32\gopiziwe.dll",s File not found

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rohobizevu"=Rundll32.exe "C:\WINDOWS\system32\gopiziwe.dll",s File not found

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" (Microsoft Corporation)

========== (O4) Startup Folders ==========

[1996/11/21 00:00:00 | 00,111,376 | ---- | M] () -- C:\Documents and Settings\Engle\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
[1996/11/21 00:00:00 | 00,051,984 | ---- | M] () -- C:\Documents and Settings\Engle\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [2005/11/10 13:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}: Button: Create Mobile Favorite -- %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}: Menu: Create Mobile Favorite... -- %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [Sun Java Console] -> [2005/11/10 13:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite...] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [Sun Java Console] -> [2005/11/10 13:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite...] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [Sun Java Console] -> [2005/11/10 13:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite...] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [Sun Java Console] -> [2005/11/10 13:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite...] -> [2004/02/03 01:41:48 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
2 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-2742297360-2956118225-1646762170-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
2 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{A30FBBDC-FA29-4606-8565-14AADCCA6708}: https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab -- Rite Aid One Hour Photo Online Control
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06

========== (O17) DNS Name Servers ==========

{BF447A9D-15AA-42ED-8827-9756BD342531} (Servers: | Description: Intel® 82562V-2 10/100 Network Connection)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=C:\WINDOWS\system32\ravorumo.dll c:\windows\system32\hitivora.dll
>File not found -- C:\WINDOWS\system32\ravorumo.dll
>File not found -- c:\windows\system32\hitivora.dll

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} (HKLM) -- CLSID or file not found.

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" (HKLM) = STS -- Reg Error: Key does not exist or could not be opened. File not found

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2004/08/10 13:04:08 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2009/04/30 19:49:07 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Engle\Desktop\OTViewIt.exe
[2009/04/30 18:09:43 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Engle\Desktop\zsrp3rw0.exe
[2009/04/30 18:04:09 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\akawalil.ini
[2009/04/30 11:12:06 | 01,646,592 | ---- | C] () -- C:\ffastunT.ffl
[2009/04/29 18:25:29 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\Engle\Desktop\new resume.doc
[2009/04/29 17:04:44 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Engle\Desktop\dds.scr
[2009/04/29 16:54:29 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Engle\Desktop\HijackThis.lnk
[2009/04/29 16:54:29 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/27 19:27:25 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Engle\My Documents\Eanalysis.xls
[2009/04/26 22:56:19 | 00,948,960 | ---- | C] () -- C:\Documents and Settings\Engle\Desktop\vha-10-2850c-fill.pdf
[2009/04/16 07:03:20 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 07:03:20 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 07:03:20 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 07:03:20 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 07:03:20 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 07:03:20 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 07:03:20 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 07:03:20 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009/04/16 07:03:19 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/16 07:03:19 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 07:02:59 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/16 07:02:59 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 07:02:59 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 17:12:06 | 01,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2009/04/15 17:12:06 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2009/04/15 17:12:05 | 04,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2009/04/15 17:12:05 | 00,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2009/04/15 17:12:05 | 00,069,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2009/04/15 17:12:04 | 04,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2009/04/15 17:12:04 | 02,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2009/04/15 17:12:04 | 00,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2009/04/15 17:12:04 | 00,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2009/04/15 17:12:04 | 00,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2009/04/15 17:12:03 | 00,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2009/04/15 17:12:03 | 00,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2009/04/15 17:12:03 | 00,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2009/04/15 17:12:03 | 00,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2009/04/15 17:12:02 | 01,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2009/04/15 17:12:02 | 00,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2009/04/15 17:12:02 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2009/04/15 17:12:02 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2009/04/15 17:12:02 | 00,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2009/04/15 17:12:01 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2009/04/15 17:12:01 | 00,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2009/04/15 17:12:01 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2009/04/15 17:12:01 | 00,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2009/04/15 17:12:00 | 01,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2009/04/15 17:12:00 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2009/04/15 17:12:00 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2009/04/15 17:11:59 | 03,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2009/04/15 17:10:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2009/04/15 17:07:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Engle\My Documents\ThirdWire
[2009/04/15 17:07:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Engle\Application Data\ThirdWire
[2009/04/15 17:07:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ThirdWire
[2009/04/12 20:52:16 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/04/12 20:52:14 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/04/12 20:52:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/05 21:37:19 | 00,337,920 | ---- | C] () -- C:\Documents and Settings\Engle\My Documents\B2009exp.xls
[2009/04/01 00:24:23 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/04/30 19:49:08 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Engle\Desktop\OTViewIt.exe
[2009/04/30 19:48:35 | 00,017,943 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/30 18:09:43 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Engle\Desktop\zsrp3rw0.exe
[2009/04/30 18:04:15 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\sejanufo
[2009/04/30 18:03:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/30 18:03:53 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/30 18:03:49 | 32,193,08544 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/30 17:59:33 | 00,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/30 17:59:02 | 00,062,464 | -HS- | M] () -- C:\WINDOWS\System32\megegulo.exe
[2009/04/30 11:12:06 | 01,646,592 | ---- | M] () -- C:\ffastunT.ffl
[2009/04/30 09:12:05 | 00,737,280 | -H-- | M] () -- C:\ffastun.ffo
[2009/04/30 09:12:05 | 00,005,276 | -H-- | M] () -- C:\ffastun.ffa
[2009/04/30 09:12:04 | 03,125,248 | -H-- | M] () -- C:\ffastun0.ffx
[2009/04/30 09:12:04 | 01,646,592 | -H-- | M] () -- C:\ffastun.ffl
[2009/04/30 00:18:26 | 00,060,416 | -HS- | M] () -- C:\WINDOWS\System32\birirujo.exe
[2009/04/29 18:26:32 | 02,110,538 | -H-- | M] () -- C:\Documents and Settings\Engle\Local Settings\Application Data\IconCache.db
[2009/04/29 18:25:29 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Engle\Desktop\new resume.doc
[2009/04/29 17:04:45 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Engle\Desktop\dds.scr
[2009/04/29 16:54:29 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Engle\Desktop\HijackThis.lnk
[2009/04/29 12:17:01 | 00,067,584 | -HS- | M] () -- C:\WINDOWS\System32\senadaju.dll
[2009/04/28 22:15:55 | 00,058,880 | -HS- | M] () -- C:\WINDOWS\System32\dodapete.exe
[2009/04/28 19:44:07 | 00,870,128 | ---- | M] () -- C:\Documents and Settings\Engle\Application Data\mcs.rma
[2009/04/28 19:44:07 | 00,000,004 | ---- | M] () -- C:\Documents and Settings\Engle\Application Data\E824DB
[2009/04/27 22:40:03 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\2009analysis.xls
[2009/04/27 22:38:29 | 00,338,432 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\B2010.xls
[2009/04/27 19:27:25 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\Eanalysis.xls
[2009/04/26 23:21:06 | 00,948,960 | ---- | M] () -- C:\Documents and Settings\Engle\Desktop\vha-10-2850c-fill.pdf
[2009/04/26 19:54:14 | 00,337,920 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\B2009.xls
[2009/04/25 20:54:59 | 00,237,056 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\Check Register.xls
[2009/04/25 10:11:52 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\Sienna_Maintenance.xls
[2009/04/23 14:15:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/17 03:12:31 | 00,523,844 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/17 03:12:31 | 00,442,796 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/17 03:12:31 | 00,071,936 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/17 03:02:20 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/15 17:10:00 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/15 01:20:13 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/04/13 20:36:37 | 00,095,744 | ---- | M] () -- C:\Documents and Settings\Engle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/05 22:16:05 | 00,337,920 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\B2009exp.xls
[2009/04/04 12:18:25 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Engle\My Documents\Boarding.xls
[2009/04/01 01:00:09 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
< End of report >
********************************************************************************************************************
Extras:
OTViewIt Extras logfile created on: 4/30/2009 7:49:35 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Engle\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 462.40 Gb Total Space | 394.47 Gb Free Space | 85.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ENGLEMAIN
Current User Name: Engle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/03/02 14:33:54 | 00,063,600 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX
[2007/09/17 11:56:08 | 00,124,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program
File not found -- C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
File not found -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
File not found -- C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/03/02 14:33:54 | 00,063,600 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX
[2007/09/17 11:56:08 | 00,124,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program
File not found -- C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
File not found -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
[2008/04/13 20:12:25 | 00,245,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard
File not found -- C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL
[2008/04/13 20:12:17 | 00,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server
[2006/08/30 13:51:22 | 00,163,840 | ---- | M] (Third Wire Productions, Inc.) -- C:\Program Files\FlightSims\Strike Fighters Gold\SFG.exe:*:Enabled:Strike Fighters Gold
[2004/02/03 01:42:54 | 00,401,491 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Disabled:ActiveSync Connection Manager
[1999/11/29 15:47:29 | 00,864,313 | ---- | M] () -- C:\Q3Ademo\quake3.exe:*:Disabled:quake3
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/07/03 15:12:48 | 00,167,936 | ---- | M] (Musiccity Co.Ltd.) -- C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player
[2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2009/04/02 16:10:58 | 13,646,632 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe:*:Enabled:Explorer
[2008/04/13 20:12:24 | 00,514,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui
[2008/04/13 20:12:39 | 00,507,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon
[2006/09/25 09:12:20 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe:*:Enabled:CLI

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [PNRP Cloud Namespace Provider] -- C:\WINDOWS\system32\pnrpnsp.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000005 [PNRP Name Namespace Provider] -- C:\WINDOWS\system32\pnrpnsp.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000006 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/13 20:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/02/03 01:43:36 | 00,077,903 | ---- | M] (Microsoft Corporation) C:\Program Files\Microsoft ActiveSync\AATP.DLL (mctp:{d7b95390-b1c5-11d0-b111-0080c712fe82} (HKLM) [mctp: Asynchronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/13 20:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/13 20:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2009/02/13 12:44:56 | 00,150,032 | ---- | M] () c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (sacore:{5513F07E-936B-4E52-9B00-067394E91CC5} (HKLM) [McAfee SACore Protocol Handler])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}"=Bonjour
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}"=Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}"=Roxio Creator DE
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}"=Microsoft Plus! Photo Story 2 LE
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}"=Adobe AIR
"{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}"=Adobe Media Player
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}"=Roxio Creator Tools
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}"=QuickTime
"{2C164906-E68F-462A-9010-70DD022223EF}"=RemoteCapture Task 1.0.2
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}"=Rhapsody Player Engine
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}"=Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{49D8D67B-E840-4BE7-B012-A6BC6B723E3E}"=Sansa Connect Device Recovery
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}"=Dell DataSafe Online
"{548EAC70-EE00-11DD-908C-005056806466}"=Google Earth
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}"=Dell Driver Reset Tool
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}"=iTunes
"{62230596-37E5-4618-A329-0D21F529A86F}"=Browser Address Error Redirector
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}"=AOLIcon
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}"=Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}"=Microsoft Plus! Digital Media Edition Installer
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}"=Roxio Creator Audio
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}"=Dell System Restore
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}"=ATI Catalyst Control Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}"=Napster Burn Engine
"{9518F764-C54D-47B2-9E73-154B21E79FD2}"=RAW Image Task 1.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}"=Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}"=Apple Mobile Device Support
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}"=Documentation & Support Launcher
"{B6884A07-0305-47AE-9969-8F26FADC17DE}"=Games, Music, & Photos Launcher
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}"=Roxio Creator Copy
"{B9B9863A-32FD-4133-ADB7-46244ED77694}"=Camera Support Core Library
"{BAB004F0-F04C-49DD-8118-AE4A7697C469}"=Quake 4™ Demo
"{BBBCAE4B-B416-4182-A6F2-438180894A81}"=Napster
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}"=Netflix Movie Viewer
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}"=Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C19BE821-89B1-4A96-AC7C-873810C0CB5F}"=ContentSAFER for Wizmax
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}"=Canon Utilities ZoomBrowser EX
"{C20CE592-B0F8-4D20-BF31-0151CA6331A6}"=EmoDio
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}"=WinZip 11.2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{DE286975-ACF1-45B8-9EF7-34E162B2C817}"=MovieEdit Task
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}"=Dell Support Center
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}"=Musicmatch for Windows Media Player
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}"=Roxio Creator DE
"{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}"=PhotoStitch
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}"=Realtek High Definition Audio Driver
"{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}"=Camera Window
"7-Zip"=7-Zip 4.65
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe SVG Viewer"=Adobe SVG Viewer 3.0
"ATI Display Driver"=ATI Display Driver
"Best Buy Digital Music Store"=Best Buy Digital Music Store
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Adobe Media Player
"Delta Force 2"=Delta Force 2
"Google Updater"=Google Updater
"HijackThis"=HijackThis 2.0.2
"hp deskjet 5550 series"=hp deskjet 5550 series (Remove only)
"InstallShield_{2C164906-E68F-462A-9010-70DD022223EF}"=Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{9518F764-C54D-47B2-9E73-154B21E79FD2}"=Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{B9B9863A-32FD-4133-ADB7-46244ED77694}"=Canon Camera Support Core Library
"InstallShield_{BAB004F0-F04C-49DD-8118-AE4A7697C469}"=Quake 4™ Demo
"InstallShield_{C20CE592-B0F8-4D20-BF31-0151CA6331A6}"=EmoDio
"InstallShield_{DE286975-ACF1-45B8-9EF7-34E162B2C817}"=Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}"=Canon Utilities PhotoStitch 3.1
"InstallShield_{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}"=Canon Camera Window for ZoomBrowser EX
"KLiteCodecPack_is1"=K-Lite Codec Pack 4.3.1 (Full)
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.10)"=Mozilla Firefox (3.0.10)
"MSC"=McAfee SecurityCenter
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MyFreeCodec"=MyFreeCodec
"Office8.0"=Microsoft Office 97, Standard Edition
"PROSet"=Intel® PRO Network Connections Drivers
"Quake 3 Arena Demo"=Quake 3 Arena Demo
"RealPlayer 6.0"=RealPlayer Basic
"SearchAssist"=SearchAssist
"StreetPlugin"=Learn2 Player (Uninstall Only)
"Strike Fighters 2 Vietnam"=Strike Fighters 2 Vietnam
"Strike Fighters Gold"=Strike Fighters Gold
"Windows CE Services"=Microsoft ActiveSync 3.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"Wings Over Europe"=Wings Over Europe
"Wings Over Israel"=Wings Over Israel
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/2/2009 7:49:42 AM | Computer Name = ENGLEMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/7/2009 11:11:32 PM | Computer Name = ENGLEMAIN | Source = Application Hang | ID = 1002
Description = Hanging application rhapsody.exe, version 4.0.4.545, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/12/2009 8:00:13 PM | Computer Name = ENGLEMAIN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3306, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/27/2009 11:14:53 PM | Computer Name = ENGLEMAIN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3306, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/12/2009 10:41:57 PM | Computer Name = ENGLEMAIN | Source = Application Error | ID = 1000
Description = Faulting application sfg.exe, version 8.30.6.7, faulting module unknown,
version 0.0.0.0, fault address 0x504b4a4a.

Error - 3/12/2009 10:43:46 PM | Computer Name = ENGLEMAIN | Source = Application Error | ID = 1000
Description = Faulting application sfg.exe, version 8.30.6.7, faulting module unknown,
version 0.0.0.0, fault address 0x0286060d.

Error - 3/12/2009 10:44:29 PM | Computer Name = ENGLEMAIN | Source = Application Error | ID = 1000
Description = Faulting application sfg.exe, version 8.30.6.7, faulting module unknown,
version 0.0.0.0, fault address 0x0286060d.

Error - 3/13/2009 9:43:28 PM | Computer Name = ENGLEMAIN | Source = Application Error | ID = 1000
Description = Faulting application sfg.exe, version 8.30.6.7, faulting module unknown,
version 0.0.0.0, fault address 0x504b4a4a.

Error - 3/14/2009 12:44:42 PM | Computer Name = ENGLEMAIN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3334, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2009 2:38:35 PM | Computer Name = ENGLEMAIN | Source = Application Error | ID = 1000
Description = Faulting application itunes.exe, version 8.1.0.52, faulting module
itunes.exe, version 8.1.0.52, fault address 0x00001f45.

[ System Events ]
Error - 4/28/2009 7:21:01 PM | Computer Name = ENGLEMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 4/29/2009 7:07:14 AM | Computer Name = ENGLEMAIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/29/2009 6:29:06 PM | Computer Name = ENGLEMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 4/29/2009 6:45:02 PM | Computer Name = ENGLEMAIN | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/29/2009 6:46:30 PM | Computer Name = ENGLEMAIN | Source = DCOM | ID = 10010
Description = The server {6A972E27-93E2-4F98-8367-4101B2073814} did not register
with DCOM within the required timeout.

Error - 4/29/2009 6:48:02 PM | Computer Name = ENGLEMAIN | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/29/2009 6:56:45 PM | Computer Name = ENGLEMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 4/30/2009 6:04:16 PM | Computer Name = ENGLEMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 4/30/2009 6:04:49 PM | Computer Name = ENGLEMAIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 4/30/2009 6:04:49 PM | Computer Name = ENGLEMAIN | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053


< End of report >

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 01 May 2009 - 10:18 AM

Hi sunliner403,

Thanks for the logs.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall prior to our fix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

We need to backup your registry as we will be making changes there.
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click (or if your PC is running Vista, right-click and select Run As Adminstrator) the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    C:\WINDOWS\system32\tiyewome.dll
    C:\WINDOWS\system32\gopiziwe.dll
    C:\WINDOWS\system32\ravorumo.dll
    c:\windows\system32\hitivora.dll
    C:\WINDOWS\System32\akawalil.ini
    C:\WINDOWS\System32\sejanufo
    C:\WINDOWS\System32\birirujo.exe
    C:\WINDOWS\System32\senadaju.dll
    C:\WINDOWS\System32\dodapete.exe
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f9a78d3-d015-470e-8bdf-b8f2df09bc41}]
    [HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rohobizevu"=-
    [HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rohobizevu"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_Dlls"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SSODL"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please also run a new DDS scan and post the log. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#7 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 01 May 2009 - 05:21 PM

Problem....OTMove it appears to execute when I click "Move it" but then freezes up. It came up with a list of things on the right-hand pane...all were marked "not found'
I do note that McAfee did an automatic scan this morning, while I was at work, and apparently deleted several instances of Vundo.

I did run another DDS scan..results below:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Engle at 18:16:10.87 on Fri 05/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2419 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Engle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\ravorumo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\engle\applic~1\mozilla\firefox\profiles\l1tnn5gn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\engle\application data\mozilla\firefox\profiles\l1tnn5gn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 214024]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-23 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 34216]
S2 gupdate1c9c68223539c60;Google Update Service (gupdate1c9c68223539c60);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-23 606736]

=============== Created Last 30 ================

2009-05-01 17:59 <DIR> --d----- C:\_OTMoveIt
2009-04-30 11:12 1,646,592 a------- C:\ffastunT.ffl
2009-04-29 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-16 07:02 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 07:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 07:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:11 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-15 17:10 <DIR> --d----- c:\windows\Logs
2009-04-15 17:07 <DIR> --d----- c:\docume~1\engle\applic~1\ThirdWire
2009-04-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThirdWire
2009-04-12 20:52 <DIR> --d----- c:\program files\iPod
2009-04-12 20:52 <DIR> --d----- c:\program files\iTunes
2009-04-12 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 18:16:20.48 ===============

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 02 May 2009 - 04:34 AM

Looking much better, sunliner403.

We need to do another run of OTMoveIt.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall prior to our fix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

We need to backup your registry as we will be making changes there.
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click (or if your PC is running Vista, right-click and select Run As Adminstrator) the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    c:\windows\system32\ravorumo.dll
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next...

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please post another DDS log too. Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#9 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 02 May 2009 - 08:39 AM

Here's the latest...
========== FILES ==========
File/Folder c:\windows\system32\ravorumo.dll not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05022009_085943
****************************************************************************************************************

Malwarebytes' Anti-Malware 1.36
Database version: 2067
Windows 5.1.2600 Service Pack 3

5/2/2009 9:28:32 AM
mbam-log-2009-05-02 (09-28-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170177
Time elapsed: 21 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Engle\Local Settings\Temporary Internet Files\Content.IE5\CDMNSH2F\Install_2005-2[1].exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
*****************************************************
DDS:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Engle at 9:33:24.48 on Sat 05/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2607 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Engle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\ravorumo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\engle\applic~1\mozilla\firefox\profiles\l1tnn5gn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\engle\application data\mozilla\firefox\profiles\l1tnn5gn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 214024]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40552]
S2 gupdate1c9c68223539c60;Google Update Service (gupdate1c9c68223539c60);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 34216]

=============== Created Last 30 ================

2009-05-02 09:02 <DIR> --d----- c:\docume~1\engle\applic~1\Malwarebytes
2009-05-02 09:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-02 09:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 09:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-02 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-01 17:59 <DIR> --d----- C:\_OTMoveIt
2009-04-29 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-16 07:02 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 07:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 07:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:11 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-15 17:10 <DIR> --d----- c:\windows\Logs
2009-04-15 17:07 <DIR> --d----- c:\docume~1\engle\applic~1\ThirdWire
2009-04-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThirdWire
2009-04-12 20:52 <DIR> --d----- c:\program files\iPod
2009-04-12 20:52 <DIR> --d----- c:\program files\iTunes
2009-04-12 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 9:34:16.29 ===============

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 02 May 2009 - 11:12 AM

Hi sunliner403,

Your Vundo infection is a little stubborn.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it to your desktop (click file, save as) as fixit.reg In the same open notepad, at the bottom select:(filetype = any).

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Then reboot the system.

Please make sure you let me know that it merged correctly in your next post.

Then...

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Posted Image
m0le is a proud member of UNITE

#11 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 02 May 2009 - 12:38 PM

OK...Merge successfully completed.
Ran Kapersky. Report blank. Message at top says "no Malware detected"

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 02 May 2009 - 04:44 PM

Hi sunliner403,

Okay, looks good. :thumbup2:

Can you post a new DDS log so I can do a final check.

Thanks
Posted Image
m0le is a proud member of UNITE

#13 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 02 May 2009 - 04:47 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Engle at 17:45:32.89 on Sat 05/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2346 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Engle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\ravorumo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\engle\applic~1\mozilla\firefox\profiles\l1tnn5gn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\engle\application data\mozilla\firefox\profiles\l1tnn5gn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 214024]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40552]
S2 gupdate1c9c68223539c60;Google Update Service (gupdate1c9c68223539c60);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 34216]

=============== Created Last 30 ================

2009-05-02 09:02 <DIR> --d----- c:\docume~1\engle\applic~1\Malwarebytes
2009-05-02 09:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-02 09:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 09:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-02 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-01 17:59 <DIR> --d----- C:\_OTMoveIt
2009-04-29 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-16 07:02 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 07:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 07:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:11 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-15 17:10 <DIR> --d----- c:\windows\Logs
2009-04-15 17:07 <DIR> --d----- c:\docume~1\engle\applic~1\ThirdWire
2009-04-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThirdWire
2009-04-12 20:52 <DIR> --d----- c:\program files\iPod
2009-04-12 20:52 <DIR> --d----- c:\program files\iTunes
2009-04-12 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 17:45:51.82 ===============

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 02 May 2009 - 05:39 PM

Hi sunliner403,

This should do it.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it to your desktop (click file, save as) as fixit.reg In the same open notepad, at the bottom select:(filetype = any).

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

You must reboot your PC

Please reply back letting me know if it merged correctly.

Please post a new DDS log too. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#15 sunliner403

sunliner403
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 02 May 2009 - 10:10 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Engle at 23:08:03.71 on Sat 05/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2498 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Engle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\engle\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\engle\applic~1\mozilla\firefox\profiles\l1tnn5gn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\engle\application data\mozilla\firefox\profiles\l1tnn5gn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 214024]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40552]
S2 gupdate1c9c68223539c60;Google Update Service (gupdate1c9c68223539c60);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 34216]

=============== Created Last 30 ================

2009-05-02 09:02 <DIR> --d----- c:\docume~1\engle\applic~1\Malwarebytes
2009-05-02 09:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-02 09:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 09:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-02 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-01 17:59 <DIR> --d----- C:\_OTMoveIt
2009-04-29 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-16 07:02 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 07:02 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 07:02 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:11 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-15 17:10 <DIR> --d----- c:\windows\Logs
2009-04-15 17:07 <DIR> --d----- c:\docume~1\engle\applic~1\ThirdWire
2009-04-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThirdWire
2009-04-12 20:52 <DIR> --d----- c:\program files\iPod
2009-04-12 20:52 <DIR> --d----- c:\program files\iTunes
2009-04-12 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 23:08:28.53 ===============

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users