
IExplorer running in Background - Infected with Trojan


  • This topic is locked
13 replies to this topic

#1 eperezruberte

  • Members
  • 67 posts

Posted 08 June 2009 - 10:03 PM

Hello Folks and thanks for helping us poor mortals in this dangerous cyberworld. :)
I was trying to open a file a friend sent me when my McAfee anti-virus detected a Trojan (sorry, I did not write the name) and said it blocked and deleted it. However, somehow something changed in my desktop. Not immediately after, but after some time, I could hear a radio station playing (eerie, yes! :thumbup2:). Even more eerie was the fact that I closed all my IE windows and I could still hear the radio station through the speakers. Then I went to the "Windows Task Manager" and in processes I saw several "iexplore.exe" processes running. I closed these and then the radio playback ended.
I thought that was that, but the thing is the next time I rebooted my computer, after it was on for a while, I saw a window pop up that said something like "IE is trying to navigate away from this page" or "Are you sure you want to navigate away from this page?" with an "OK" button. But THERE WERE NO IE WINDOWS OPEN! I then went to the "Windows Task Manager" again and, sure enough, several iexplore.exe processes were running. I TRIED to kill them, only this time, there was a popup that came up on the upper left of my screen with a call-out sign (pointing towards the upper left corner of the screen) saying that IE had been "able to recover this tab"... what tab that was, I have no clue, since I cannot see those windows that are apparently open. I had to kill the processes more than once in order for them to stop.
So, I am here :cool: :)
Here are the contents of my DDS.txt file:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Eddie Perez-Ruberte at 19:37:49.27 on Mon 06/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1310 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
svchost.exe
C:\WINNT\Nhksrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\MMKeybd.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINNT\System32\regsvr32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Palm2\Hotsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: thesuperads browser enhancer: {22002b0a-7720-54b5-c4cd-203952bee19d} - c:\winnt\system32\atorhdoqecu.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [smapp]
mRun: [DellTouch] c:\winnt\MMKeybd.exe
mRun: [NeroCheck] c:\winnt\system32\NeroCheck.exe
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
mRun: [oyuegniwihmny] c:\winnt\system32\regsvr32.exe /s "c:\winnt\system32\atorhdoqecu.dll"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - h:\program files\palm2\Hotsync.exe
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eddiep~1.hom\applic~1\mozilla\firefox\profiles\yc3od61b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: h:\program files\adobe\acrobat 6.0\acrobat\browser\nppdf32.dll
FF - plugin: h:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - plugin: h:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2009-1-16 214024]
R2 LMIInfo;LogMeIn Kernel Information Provider;h:\program files\logmein\x86\rainfo.sys [2007-8-3 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\winnt\system32\drivers\LMIRfsDriver.sys [2008-1-21 46112]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-29 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-29 144704]
R2 Nhksrv;Netropa NHK Server;c:\winnt\Nhksrv.exe [2007-6-25 28672]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30 106496]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2007-6-21 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2007-6-21 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2007-6-21 40552]
R3 Msikbd2k;DellTouch;c:\winnt\system32\drivers\Msikbd2k.sys [2007-6-25 6942]
S2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2007-8-31 139264]
S3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2007-6-21 34216]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2007-6-19 49776]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [2003-6-1 9038]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-06-06 11:05 48,274 a------- c:\winnt\system32\atyaljxbvtskzq.exe
2009-05-18 23:17 <DIR> --d----- c:\winnt\SxsCaPendDel
2009-05-09 21:54 190,696 a------- c:\winnt\system32\NPSWF32_FlashUtil.exe
2009-05-09 21:54 2,463,976 a------- c:\winnt\system32\NPSWF32.dll

==================== Find3M ====================

2009-04-17 09:38 482,816 a------- c:\winnt\system32\atorhdoqecu.dll
2009-04-05 07:23 410,984 a------- c:\winnt\system32\deploytk.dll
2009-03-29 16:22 86,315 a------- c:\winnt\pchealth\helpctr\offlinecache\index.dat
2009-03-29 15:42 25,424 a------- c:\winnt\system32\emptyregdb.dat
2009-03-20 11:50 3,358,720 a------- c:\winnt\system32\GPhotos.scr
2003-06-01 01:18 271 ---sh--- c:\program files\desktop.ini
2003-06-01 01:18 21,952 ----h--- c:\program files\folder.htt

============= FINISH: 19:38:33.51 ===============

Attach.txt is attached :)


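The DDS output above is the kind of log a Malware Response Team member reads by hand: the interesting part is not any single line but the correlation between them (a BHO loading from system32, a Run value that calls regsvr32 /s on that same DLL, and a "Created Last 30" / Find3M entry showing the file is new). The following Python script is an added example written for this page; it is not part of the thread and not code from DDS, RSIT or HijackThis. It parses both the DDS "Pseudo HJT Report" style and the HijackThis O2/O4 style, then cross-references the sections. The sample log is constructed from lines copied out of the posts above; the regexes, rule names and severity labels are this example's own heuristics, not anything those tools define.

```python
import re
from collections import namedtuple

# Constructed sample: DDS "Pseudo HJT Report" / "Created Last 30" lines and
# HijackThis O2/O4 lines, copied in shape from the logs posted in this thread
# and assembled here for the demo (it is not a real captured log).
SAMPLE_LOG = r"""
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: thesuperads browser enhancer: {22002b0a-7720-54b5-c4cd-203952bee19d} - c:\winnt\system32\atorhdoqecu.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
mRun: [DellTouch] c:\winnt\MMKeybd.exe
mRun: [oyuegniwihmny] c:\winnt\system32\regsvr32.exe /s "c:\winnt\system32\atorhdoqecu.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
2009-06-06 11:05 48,274 a------- c:\winnt\system32\atyaljxbvtskzq.exe
2009-04-17 09:38 482,816 a------- c:\winnt\system32\atorhdoqecu.dll
"""

# Line shapes (heuristic, written for this example): DDS "BHO: name: {clsid} - path"
# and HijackThis "O2 - BHO: name - {clsid} - path"; DDS "mRun: [key] cmd" and
# HijackThis "O4 - HKLM\..\Run: [key] cmd"; DDS file listing "date time size attrs path".
BHO_RE = re.compile(
    r"^(?:O2 - )?BHO:\s*(?P<name>.*?)\s*[:-]\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<path>.+)$")
RUN_RE = re.compile(
    r"^(?:O4 - HK\S*\\Run(?:Once)?:|[umd]Run(?:Once)?:)\s*\[(?P<key>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
# regsvr32 invocation with optional switches and an optionally quoted DLL path.
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+(?:/\w+\s+)*"?(?P<dll>[^"]+?\.dll)"?', re.I)

Finding = namedtuple("Finding", "severity rule path note")
_ORDER = {"high": 0, "medium": 1, "low": 2}


def _norm(path):
    """Lower-case and unquote a Windows path so entries from different sections compare equal."""
    return path.strip().strip('"').lower()


def parse_log(text):
    """Split a DDS/HijackThis log into (BHOs, autorun values, recently created files)."""
    bhos, runs, recent = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append((m["name"], _norm(m["path"])))
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m["key"], m["cmd"].strip()))
            continue
        m = FILE_RE.match(line)
        if m:
            recent.append(_norm(m["path"]))
    return bhos, runs, recent


def triage(text):
    """Correlate the parsed sections and return findings, highest severity first."""
    bhos, runs, recent = parse_log(text)
    findings = []
    logon_dlls = {}  # DLL path -> Run value name that re-registers it at logon
    for key, cmd in runs:
        m = REGSVR_RE.search(cmd)
        if m:
            dll = _norm(m["dll"])
            logon_dlls[dll] = key
            findings.append(Finding("medium", "regsvr32_at_logon", dll,
                                    f"Run value [{key}] silently re-registers this DLL at every logon"))
    bho_dlls = {dll: name for name, dll in bhos}
    for name, dll in bhos:
        if "\\system32\\" in dll:
            findings.append(Finding("medium", "bho_in_system32", dll,
                                    f"BHO '{name}' loads from the system directory, not a vendor folder"))
        if dll in logon_dlls:
            findings.append(Finding("high", "bho_reregistered_at_logon", dll,
                                    f"BHO '{name}' is also re-registered by Run value [{logon_dlls[dll]}]"))
    for path in recent:
        if path in bho_dlls or path in logon_dlls:
            findings.append(Finding("high", "recent_file_in_autostart", path,
                                    "recently created file already wired into browser or logon autostart"))
        elif "\\system32\\" in path and path.endswith(".exe"):
            findings.append(Finding("low", "recent_exe_in_system32", path,
                                    "executable recently dropped straight into system32; confirm its origin"))
    return sorted(findings, key=lambda f: _ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:28} {f.path}\n       {f.note}")
```

Run on the sample, the script flags only the atorhdoqecu.dll / atyaljxbvtskzq.exe pair and leaves the Yahoo!, Java, DellTouch and QuickTime entries alone; the "high" findings are exactly the cross-section matches, which is the signal a helper looks for before deciding what to remove. The rules are heuristics: a vendor DLL can legitimately live in system32, so a single "medium" hit is a prompt to look closer, not a verdict.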

#2 eperezruberte

  • Topic Starter
  • Members
  • 67 posts

Posted 14 June 2009 - 05:26 PM

Hello Ladies and Gentlemen. I thought I did everything I was asked to do to report my problem. Hopefully you can get to my problem within the next few days. It is really worrying me.

Thank you very much!

:thumbup2:

#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 June 2009 - 06:46 PM

Hello and welcome to Bleeping Computer. Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. If you no longer require any help could you let me know please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log since a lot could have changed since your original post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks



#4 eperezruberte

  • Topic Starter
  • Members
  • 67 posts

Posted 18 June 2009 - 10:49 PM

Woo woo! :thumbup2:
Thanks Syler. Yes, I still need help with this and I have not run any other tools. I decided to wait since I know you are very busy. Here are both logs as you requested. Thank you very much!
----------------------------------------------------------------------------------------
Logfile of random's system information tool 1.06 (written by random/random)
Run by Eddie Perez-Ruberte at 2009-06-18 20:45:47
Microsoft Windows XP Professional Service Pack 3
System drive C: has 2 GB (5%) free of 50 GB
Total RAM: 2048 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:19 PM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Nhksrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\MMKeybd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
H:\Program Files\Palm2\Hotsync.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
H:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Desktop\RSIT.exe
C:\Program Files\trend micro\Eddie Perez-Ruberte.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: thesuperads browser enhancer - {22002B0A-7720-54B5-C4CD-203952BEE19D} - C:\WINNT\system32\atorhdoqecu.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [oyuegniwihmny] C:\WINNT\System32\regsvr32.exe /s "C:\WINNT\system32\atorhdoqecu.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\Palm2\Hotsync.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINNT\Nhksrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9928 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\McDefragTask.job
C:\WINNT\tasks\McQcTask.job
C:\WINNT\tasks\User_Feed_Synchronization-{204C3918-4B48-4521-A124-17101DA6A2AB}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-11-20 911600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22002B0A-7720-54B5-C4CD-203952BEE19D}]
thesuperads browser enhancer - C:\WINNT\system32\atorhdoqecu.dll [2009-04-17 482816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2009-03-25 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-05 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-05 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-15 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-11-20 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-15 262144]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-11-20 911600]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"smapp"= []
"DellTouch"=C:\WINNT\MMKeybd.exe [2001-09-05 163840]
"NeroCheck"=C:\WINNT\system32\NeroCheck.exe [2001-07-09 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-05 148888]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-25 61440]
"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2007-10-04 307200]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-01-08 645328]
"WD Drive Manager"=C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [2008-01-30 438272]
"MioNet"=C:\Program Files\MioNet\MioNetLauncher.exe [2007-08-31 32768]
"oyuegniwihmny"=C:\WINNT\System32\regsvr32.exe [2008-05-07 11776]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=H:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2008-05-07 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HOTSYNCSHORTCUTNAME.lnk - H:\Program Files\Palm2\Hotsync.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINNT\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINNT\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2008-05-07 383488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\MioNet\MioNetManager.exe"="C:\Program Files\MioNet\MioNetManager.exe:*:Enabled:MioNetManager"
"C:\Program Files\MioNet\jvm\bin\MioNet.exe"="C:\Program Files\MioNet\jvm\bin\MioNet.exe:*:Enabled:MioNet"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"H:\Program Files\iTunes\iTunes.exe"="H:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - open - "H:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"
.txt - open -

======List of files/folders created in the last 1 months======

2009-06-18 20:45:48 ----D---- C:\Program Files\trend micro
2009-06-18 20:45:47 ----D---- C:\rsit
2009-06-14 22:55:00 ----D---- C:\Program Files\iPod
2009-06-14 22:54:39 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 22:53:18 ----D---- C:\Program Files\Bonjour
2009-06-14 22:50:03 ----D---- C:\WINNT\LastGood
2009-06-14 22:50:01 ----A---- C:\WINNT\system32\usbaaplrc.dll
2009-06-14 22:49:10 ----D---- C:\Program Files\Common Files\Apple
2009-06-11 03:02:40 ----HDC---- C:\WINNT\$NtUninstallKB961501$
2009-06-11 03:02:34 ----HDC---- C:\WINNT\$NtUninstallKB969898$
2009-06-11 03:00:35 ----HDC---- C:\WINNT\$NtUninstallKB970238$
2009-06-11 03:00:25 ----HDC---- C:\WINNT\$NtUninstallKB968537$
2009-06-07 00:21:48 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-06 11:05:35 ----A---- C:\WINNT\system32\atyaljxbvtskzq.exe

======List of files/folders modified in the last 1 months======

2009-06-18 20:46:09 ----D---- C:\WINNT\temp
2009-06-18 20:45:55 ----D---- C:\WINNT\Prefetch
2009-06-18 20:45:48 ----RAD---- C:\Program Files
2009-06-18 11:52:08 ----AD---- C:\WINNT\security
2009-06-18 11:46:11 ----A---- C:\WINNT\MSIOSD.INI
2009-06-18 07:51:35 ----D---- C:\Program Files\Mozilla Firefox
2009-06-18 00:48:07 ----D---- C:\WINNT\system32\NtmsData
2009-06-17 23:50:02 ----SD---- C:\WINNT\Downloaded Program Files
2009-06-14 22:58:44 ----SD---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Microsoft
2009-06-14 22:56:36 ----SHD---- C:\WINNT\Installer
2009-06-14 22:56:31 ----AHD---- C:\Config.Msi
2009-06-14 22:55:58 ----HD---- C:\WINNT\system32\drivers
2009-06-14 22:55:58 ----AD---- C:\WINNT\system32
2009-06-14 22:55:57 ----HD---- C:\WINNT\inf
2009-06-14 22:55:53 ----DC---- C:\WINNT\system32\DRVSTORE
2009-06-14 22:52:57 ----D---- C:\Program Files\QuickTime
2009-06-14 22:50:46 ----SD---- C:\WINNT\Tasks
2009-06-14 22:50:42 ----D---- C:\Program Files\Apple Software Update
2009-06-14 22:50:06 ----D---- C:\WINNT\system32\ReinstallBackups
2009-06-14 22:50:03 ----HD---- C:\WINNT
2009-06-14 22:49:51 ----D---- C:\WINNT\winsxs
2009-06-14 22:49:10 ----AD---- C:\Program Files\Common Files
2009-06-14 10:18:11 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\U3
2009-06-13 15:04:06 ----D---- C:\WINNT\SxsCaPendDel
2009-06-13 15:03:53 ----D---- C:\Program Files\Common Files\Adobe
2009-06-13 15:03:53 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Adobe
2009-06-13 14:51:33 ----D---- C:\Program Files\Adobe
2009-06-13 14:43:54 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-06-13 14:34:46 ----RSD---- C:\WINNT\Fonts
2009-06-13 05:54:15 ----A---- C:\WINNT\SchedLgU.Txt
2009-06-11 03:20:23 ----D---- C:\WINNT\system32\CatRoot2
2009-06-11 03:09:55 ----D---- C:\Program Files\Internet Explorer
2009-06-11 03:02:56 ----RASHDC---- C:\WINNT\system32\dllcache
2009-06-11 03:02:45 ----HD---- C:\WINNT\$hf_mig$
2009-06-11 03:02:43 ----A---- C:\WINNT\imsins.BAK
2009-06-07 10:34:52 ----A---- C:\WINNT\MMKEYBD.INI
2009-06-06 11:38:30 ----D---- C:\Program Files\MioNet
2009-06-01 09:51:12 ----A---- C:\WINNT\system32\MRT.exe
2009-05-26 22:22:29 ----D---- C:\Fotos
2009-05-20 19:07:38 ----AD---- C:\Documents and Settings
2009-05-19 02:46:47 ----AD---- C:\WINNT\system32\config

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINNT\system32\DRIVERS\amdk7.sys [2008-05-07 37760]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINNT\system32\drivers\mfehidk.sys [2009-03-25 214024]
R1 MPFP;MPFP; C:\WINNT\System32\Drivers\Mpfp.sys [2008-10-23 120136]
R2 aslm75;aslm75; \??\C:\WINNT\system32\drivers\aslm75.sys []
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\H:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINNT\system32\drivers\LMIRfsDriver.sys []
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtag;ati2mtag; C:\WINNT\system32\DRIVERS\ati2mtag.sys [2009-02-25 3565568]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINNT\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINNT\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HidUsb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
R3 lmimirr;lmimirr; C:\WINNT\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINNT\system32\drivers\mfeavfk.sys [2009-03-25 79880]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINNT\system32\drivers\mfebopk.sys [2009-03-25 35272]
R3 mferkdk;McAfee Inc. mferkdk; C:\WINNT\system32\drivers\mferkdk.sys [2009-03-25 34216]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINNT\system32\drivers\mfesmfk.sys [2009-03-25 40552]
R3 Msikbd2k;DellTouch; C:\WINNT\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\system32\DRIVERS\usbccgp.sys [2008-05-07 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2008-05-07 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINNT\system32\DRIVERS\usbhub.sys [2008-05-07 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2008-05-07 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbuhci.sys [2008-05-07 20608]
S1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2008-01-04 9336]
S1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2008-01-04 9464]
S1 NDISRD;NDISRD; C:\WINNT\system32\drivers\NDISRD.sys [2007-08-31 15340]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINNT\system32\drivers\BVRPMPR5.SYS []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINNT\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 NTSIM;NTSIM; \??\C:\WINNT\System32\ntsim.sys []
S3 PalmUSBD;PalmUSBD; C:\WINNT\system32\drivers\PalmUSBD.sys [2007-06-24 16694]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINNT\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 viafilter;VIA USB Filter; C:\WINNT\System32\Drivers\viausb.sys [2003-06-18 9038]
S3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINNT\System32\Drivers\vulfnth.sys [2002-10-24 6912]
S3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINNT\System32\Drivers\vulfntr.sys [2002-11-13 10496]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINNT\system32\drivers\LMIRfsClientNP.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\system32\Ati2evxx.exe [2009-02-25 602112]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-05 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-01-08 797864]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-01-09 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-01-09 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-03-25 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-03-19 884360]
R2 Nhksrv;Netropa NHK Server; C:\WINNT\Nhksrv.exe [2001-08-06 28672]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service; C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
R3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-04-01 365072]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-03-24 606736]
S2 ATI Smart;ATI Smart; C:\WINNT\system32\ati2sgag.exe [2009-02-25 593920]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2008-05-07 267776]
S2 MioNet;MioNet; C:\Program Files\MioNet\MioNetManager.exe [2007-08-31 139264]
S3 AresChatServer;Ares Chatroom server; H:\Program Files\Ares\chatServer.exe [2007-03-19 263168]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-20 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LPDSVC;TCP/IP Print Server; C:\WINNT\system32\tcpsvcs.exe [2008-05-07 19456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2006-11-09 65536]
S3 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2008-05-07 50176]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; H:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]
S4 LMIMaint;LogMeIn Maintenance Service; H:\Program Files\LogMeIn\x86\RaMaint.exe [2007-11-15 116032]
S4 LogMeIn;LogMeIn; H:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2007-11-07 20480]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-06-18 20:46:22

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ares 2.0.9-->"H:\Program Files\Ares\uninstall.exe"
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x6574
ATI Catalyst Registration-->MsiExec.exe /X{72736F5F-520D-472A-88CC-7B02872FD34E}
ATI Display Driver-->rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C}
Citrix Presentation Server Client - Web Only-->MsiExec.exe /X{C49067A8-8212-4A82-A4D9-1519701644F0}
DellTouch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FileOpen Plug-in for Adobe Acrobat® and Adobe Reader®-->MsiExec.exe /I{2E8DC19D-E1E1-402D-A483-CFF559207B94}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINNT\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LogMeIn-->MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft Streets & Trips 2007-->MsiExec.exe /I{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}
Microsoft Visual Studio 6.0 Enterprise Edition-->"H:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINNT\INF\wpie3x86.inf,WebPostUninstall
MioNet-->MsiExec.exe /I{53AF3638-DDB4-4755-B3DC-259981689DB7}
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Palm-->MsiExec.exe /X{0030188A-533E-42EE-9837-E044F10E4369}
PharmaSim #version#-->"C:\Program Files\Interpretive Simulations\PharmaSim\uninstall.exe"
Picasa 3-->"H:\Program Files\Google\Picasa3\Uninstall.exe"
QuickBooks Pro 2007-->msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service-->MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Satellite TV for PC Elite 4.8.8.0 -->C:\WINNT\uninstall\Satellite TV for PC Elite\setup.exe
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINNT\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINNT\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINNT\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINNT\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINNT\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINNT\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINNT\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINNT\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINNT\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINNT\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINNT\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINNT\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINNT\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINNT\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINNT\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINNT\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINNT\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINNT\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINNT\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINNT\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINNT\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINNT\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINNT\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINNT\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINNT\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINNT\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINNT\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINNT\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINNT\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINNT\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINNT\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINNT\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINNT\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINNT\$NtUninstallKB970238$\spuninst\spuninst.exe"
Spider-Man 2 Screensaver 1-->C:\WINNT\Spider-Man 2 Screensaver 1.scr /u
Stock Price II Retrieval-->C:\WINNT\st6unst.exe -n "H:\Program Files\StockPricesII\ST6UNST.LOG"
SupportSoft Assisted Service-->MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Tagging System Thesuperads-->C:\WINNT\system32\atyaljxbvtskzq.exe
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINNT\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINNT\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINNT\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINNT\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINNT\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
WD Diagnostics-->MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WD Drive Manager (x86)-->MsiExec.exe /X{51B833D8-66B0-4E72-92B9-4E4977EF37F2}
Windows Internet Explorer 8-->"C:\WINNT\ie8\spuninst\spuninst.exe"
WinRAR archiver-->H:\Program Files\WinRAR\uninstall.exe
World of Warcraft FREE Trial-->MsiExec.exe /X{02EBDBB9-4600-41D3-B566-40CB861511D2}
Yahoo! Software Update-->C:\PROGRA~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
ZipForm Desktop-->H:\PROGRA~1\ZIPFOR~1\UNWISE.EXE H:\PROGRA~1\ZIPFOR~1\INSTALL.LOG
ZoneAlarm Spy Blocker-->rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======System event log======

Computer Name: HOME
Event Code: 7
Message: The device, \Device\Harddisk0\DR0, has a bad block.

Record Number: 24084
Source Name: Disk
Time Written: 20071214041330.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 7
Message: The device, \Device\Harddisk0\DR0, has a bad block.

Record Number: 24083
Source Name: Disk
Time Written: 20071214041329.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 7
Message: The device, \Device\Harddisk0\DR0, has a bad block.

Record Number: 24082
Source Name: Disk
Time Written: 20071214041327.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 7
Message: The device, \Device\Harddisk0\DR0, has a bad block.

Record Number: 24081
Source Name: Disk
Time Written: 20071214041327.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 7
Message: The device, \Device\Harddisk0\DR0, has a bad block.

Record Number: 24080
Source Name: Disk
Time Written: 20071214041326.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: HOME
Event Code: 1015
Message: The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Record Number: 6535
Source Name: Perflib
Time Written: 20090306090544.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 1015
Message: The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Record Number: 6534
Source Name: Perflib
Time Written: 20090306090459.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 1015
Message: The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Record Number: 6533
Source Name: Perflib
Time Written: 20090306090454.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 1015
Message: The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Record Number: 6532
Source Name: Perflib
Time Written: 20090306090414.000000-420
Event Type: error
User:

Computer Name: HOME
Event Code: 1015
Message: The timeout waiting for the performance data collection function "PerfProc"
in the "C:\WINNT\system32\perfproc.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Record Number: 6531
Source Name: Perflib
Time Written: 20090306090228.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:46 AM

Posted 18 June 2009 - 11:50 PM

Hi eperezruberte :thumbup2:

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Services
    LMIRfsClientNP
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22002B0A-7720-54B5-C4CD-203952BEE19D}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"=-
    "smapp"=-
    "oyuegniwihmny"=-
    
    :Files
    C:\WINNT\system32\atorhdoqecu.dll
    C:\WINNT\system32\atyaljxbvtskzq.exe
    C:\WINNT\system32\drivers\LMIRfsClientNP.sys
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Then please post back here with the following:
  • OTM results
  • MBAM report
  • Fresh Rsit log


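The OTM script in the post above is a small declarative format: a `:Services` section naming services or drivers to delete, a `:Reg` section in .reg-file style where `[-KEY]` deletes a key and `"name"=-` deletes a value under the key named on the preceding `[KEY]` line, a `:Files` section of paths to move out of the way, and a `:Commands` section such as `[EmptyTemp]` and `[Reboot]`. The following dry-run parser is an added example for readers of this thread; it is not code from the thread, from OldTimer, or from any other tool mentioned here. It reads a script in exactly the forms the post uses and lists the actions it describes, so the script can be reviewed before it is run. Any line in a form the post does not use is reported as unrecognised rather than guessed at. The sample input is the script from the post, reproduced verbatim.

```python
"""Dry-run parser for an OTM-style removal script (added example, not OTM itself)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the script from the post above, reproduced verbatim.
SAMPLE_SCRIPT = r""":Services
LMIRfsClientNP

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22002B0A-7720-54B5-C4CD-203952BEE19D}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=-
"smapp"=-
"oyuegniwihmny"=-

:Files
C:\WINNT\system32\atorhdoqecu.dll
C:\WINNT\system32\atyaljxbvtskzq.exe
C:\WINNT\system32\drivers\LMIRfsClientNP.sys

:Commands
[EmptyTemp]
[Reboot]
"""


@dataclass(frozen=True)
class Action:
    kind: str          # delete_service, delete_key, delete_value, move_file, command, unknown
    target: str        # service name, registry key, file path, or command name
    detail: str = ""   # value name for delete_value; section name for unknown lines


SECTION_RE = re.compile(r"^:(\w+)$")
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')   # .reg syntax: "name"=- deletes a value


def parse_otm_script(text: str) -> list[Action]:
    """Turn the script into a flat list of actions; never infers forms it was not shown."""
    actions: list[Action] = []
    section = None
    current_key = None   # key named by the most recent "[KEY]" line inside :Reg
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "services":
            actions.append(Action("delete_service", line))
        elif section == "reg":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(Action("delete_key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]          # sets context for following value lines
            else:
                m = VALUE_DELETE_RE.match(line)
                if m and current_key:
                    actions.append(Action("delete_value", current_key, m.group(1)))
                else:
                    actions.append(Action("unknown", line, section))
        elif section == "files":
            actions.append(Action("move_file", line))
        elif section == "commands":
            if line.startswith("[") and line.endswith("]"):
                actions.append(Action("command", line[1:-1]))
            else:
                actions.append(Action("unknown", line, section))
        else:
            actions.append(Action("unknown", line, section or ""))
    return actions


def summarize(actions: list[Action]) -> list[str]:
    """One human-readable line per action, for review before the script is run."""
    out = []
    for a in actions:
        if a.kind == "delete_service":
            out.append(f"stop and delete service/driver {a.target}")
        elif a.kind == "delete_key":
            out.append(f"delete registry key {a.target}")
        elif a.kind == "delete_value":
            out.append(f"delete registry value {a.detail!r} under {a.target}")
        elif a.kind == "move_file":
            out.append(f"move file out of place: {a.target}")
        elif a.kind == "command":
            out.append(f"run command {a.target}")
        else:
            out.append(f"UNRECOGNISED line in :{a.detail}: {a.target}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_otm_script(SAMPLE_SCRIPT)):
        print(line)
```

Run as-is, the script prints ten actions: one driver deletion, one Browser Helper Object key deletion, three `Run` value deletions, three file moves, and the two commands. Keeping the parser strict (unknown forms are flagged, not interpreted) is deliberate: a removal script runs with full privileges, so the reviewer should see every deletion spelled out and be told when a line means something the reviewer has not accounted for.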

#6 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • Local time:10:46 PM

Posted 20 June 2009 - 06:16 PM

Thanks Syler:

Here are the posts, per your request.
====================================
========== SERVICES/DRIVERS ==========

Service\Driver LMIRfsClientNP deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22002B0A-7720-54B5-C4CD-203952BEE19D}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Synchronization Manager deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\smapp deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\oyuegniwihmny deleted successfully.
========== FILES ==========
C:\WINNT\system32\atorhdoqecu.dll unregistered successfully.
C:\WINNT\system32\atorhdoqecu.dll moved successfully.
C:\WINNT\system32\atyaljxbvtskzq.exe moved successfully.
File/Folder C:\WINNT\system32\drivers\LMIRfsClientNP.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\EDDIEP~1.HOM\LOCALS~1\Temp\etilqs_mBkFsqEB1uHGA2Cwjr06 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINNT\temp\mcafee_PlX2vKd5cQHAJuT scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\mcmsc_cdIMdDMkBHfUzTu scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\mcmsc_eGcQgtEdqalA0Fc scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\mcmsc_ouQJsNMG55U7gHt scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\mcmsc_zP9aex6Qe9HzLlV scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\Perflib_Perfdata_70c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\Perflib_Perfdata_9e4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\sqlite_6o04efR7nfV9MmK scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\sqlite_JnzXciXgMoJpB1p scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\sqlite_sQefq9g72ct9bvt scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\yc3od61b.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.1 log created on 06202009_094947

Files moved on Reboot...
File C:\DOCUME~1\EDDIEP~1.HOM\LOCALS~1\Temp\etilqs_mBkFsqEB1uHGA2Cwjr06 not found!
File C:\WINNT\temp\mcafee_PlX2vKd5cQHAJuT not found!
File C:\WINNT\temp\mcmsc_cdIMdDMkBHfUzTu not found!
File C:\WINNT\temp\mcmsc_eGcQgtEdqalA0Fc not found!
File C:\WINNT\temp\mcmsc_ouQJsNMG55U7gHt not found!
File C:\WINNT\temp\mcmsc_zP9aex6Qe9HzLlV not found!
File C:\WINNT\temp\Perflib_Perfdata_70c.dat not found!
File C:\WINNT\temp\Perflib_Perfdata_9e4.dat not found!
C:\WINNT\temp\sqlite_6o04efR7nfV9MmK moved successfully.
C:\WINNT\temp\sqlite_JnzXciXgMoJpB1p moved successfully.
C:\WINNT\temp\sqlite_sQefq9g72ct9bvt moved successfully.
C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\yc3od61b.default\urlclassifier3.sqlite moved successfully.

Registry entries deleted on Reboot...

------------------------------------------------
Malwarebytes' Anti-Malware 1.38
Database version: 2315
Windows 5.1.2600 Service Pack 3

6/20/2009 1:06:41 PM
mbam-log-2009-06-20 (13-06-41).txt

Scan type: Full Scan (C:\|G:\|H:\|I:\|)
Objects scanned: 554987
Time elapsed: 2 hour(s), 59 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
c:\_OTM\movedfiles\06202009_094947\WINNT\system32\atorhdoqecu.dll (Adware.GooochiBiz) -> Quarantined and deleted successfully.
c:\_OTM\movedfiles\06202009_094947\WINNT\system32\atyaljxbvtskzq.exe (Adware.TheSuperAds) -> Quarantined and deleted successfully.
c:\WINNT\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

-----------------------------------------
Logfile of random's system information tool 1.06 (written by random/random)
Run by Eddie Perez-Ruberte at 2009-06-20 16:15:08
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (11%) free of 50 GB
Total RAM: 2048 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:18 PM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINNT\MMKeybd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\QuickTime\QTTask.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
H:\Program Files\Palm2\Hotsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Desktop\RSIT.exe
C:\Program Files\trend micro\Eddie Perez-Ruberte.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\Palm2\Hotsync.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINNT\Nhksrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9503 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\McDefragTask.job
C:\WINNT\tasks\McQcTask.job
C:\WINNT\tasks\User_Feed_Synchronization-{204C3918-4B48-4521-A124-17101DA6A2AB}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-11-20 911600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2009-03-25 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-05 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-05 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-15 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-11-20 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-15 262144]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-11-20 911600]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"=C:\WINNT\MMKeybd.exe [2001-09-05 163840]
"NeroCheck"=C:\WINNT\system32\NeroCheck.exe [2001-07-09 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-05 148888]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-25 61440]
"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2007-10-04 307200]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-01-08 645328]
"WD Drive Manager"=C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [2008-01-30 438272]
"MioNet"=C:\Program Files\MioNet\MioNetLauncher.exe [2007-08-31 32768]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=H:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2008-05-07 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HOTSYNCSHORTCUTNAME.lnk - H:\Program Files\Palm2\Hotsync.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINNT\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINNT\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2008-05-07 383488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\MioNet\MioNetManager.exe"="C:\Program Files\MioNet\MioNetManager.exe:*:Enabled:MioNetManager"
"C:\Program Files\MioNet\jvm\bin\MioNet.exe"="C:\Program Files\MioNet\jvm\bin\MioNet.exe:*:Enabled:MioNet"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"H:\Program Files\iTunes\iTunes.exe"="H:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - open - "H:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"
.txt - open -

======List of files/folders created in the last 1 months======

2009-06-20 10:02:41 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Malwarebytes
2009-06-20 10:02:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-06-20 10:02:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-20 09:49:47 ----D---- C:\_OTM
2009-06-18 20:45:48 ----D---- C:\Program Files\trend micro
2009-06-18 20:45:47 ----D---- C:\rsit
2009-06-14 22:55:00 ----D---- C:\Program Files\iPod
2009-06-14 22:54:39 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 22:53:18 ----D---- C:\Program Files\Bonjour
2009-06-14 22:50:01 ----A---- C:\WINNT\system32\usbaaplrc.dll
2009-06-14 22:49:10 ----D---- C:\Program Files\Common Files\Apple
2009-06-11 03:02:40 ----HDC---- C:\WINNT\$NtUninstallKB961501$
2009-06-11 03:02:34 ----HDC---- C:\WINNT\$NtUninstallKB969898$
2009-06-11 03:00:35 ----HDC---- C:\WINNT\$NtUninstallKB970238$
2009-06-11 03:00:25 ----HDC---- C:\WINNT\$NtUninstallKB968537$
2009-06-07 00:21:48 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

======List of files/folders modified in the last 1 months======

2009-06-20 16:15:13 ----D---- C:\WINNT\temp
2009-06-20 15:10:02 ----A---- C:\WINNT\SchedLgU.Txt
2009-06-20 14:56:23 ----A---- C:\WINNT\MSIOSD.INI
2009-06-20 14:56:22 ----AD---- C:\WINNT\security
2009-06-20 14:55:39 ----D---- C:\Program Files\Mozilla Firefox
2009-06-20 13:15:58 ----D---- C:\WINNT\Prefetch
2009-06-20 13:10:14 ----HD---- C:\WINNT
2009-06-20 13:09:54 ----A---- C:\WINNT\MMKEYBD.INI
2009-06-20 13:09:42 ----D---- C:\WINNT\system32\NtmsData
2009-06-20 13:08:35 ----HD---- C:\WINNT\system32\drivers
2009-06-20 13:06:41 ----RAD---- C:\Program Files
2009-06-20 09:54:37 ----D---- C:\WINNT\SxsCaPendDel
2009-06-20 09:54:37 ----AHD---- C:\Config.Msi
2009-06-20 09:49:56 ----AD---- C:\WINNT\system32
2009-06-17 23:50:02 ----SD---- C:\WINNT\Downloaded Program Files
2009-06-14 22:58:44 ----SD---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Microsoft
2009-06-14 22:56:36 ----SHD---- C:\WINNT\Installer
2009-06-14 22:55:57 ----HD---- C:\WINNT\inf
2009-06-14 22:55:53 ----DC---- C:\WINNT\system32\DRVSTORE
2009-06-14 22:52:57 ----D---- C:\Program Files\QuickTime
2009-06-14 22:50:46 ----SD---- C:\WINNT\Tasks
2009-06-14 22:50:42 ----D---- C:\Program Files\Apple Software Update
2009-06-14 22:50:06 ----D---- C:\WINNT\system32\ReinstallBackups
2009-06-14 22:49:51 ----D---- C:\WINNT\winsxs
2009-06-14 22:49:10 ----AD---- C:\Program Files\Common Files
2009-06-14 10:18:11 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\U3
2009-06-13 15:03:53 ----D---- C:\Program Files\Common Files\Adobe
2009-06-13 15:03:53 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Adobe
2009-06-13 14:51:33 ----D---- C:\Program Files\Adobe
2009-06-13 14:43:54 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-06-13 14:34:46 ----RSD---- C:\WINNT\Fonts
2009-06-11 03:20:23 ----D---- C:\WINNT\system32\CatRoot2
2009-06-11 03:09:55 ----D---- C:\Program Files\Internet Explorer
2009-06-11 03:02:56 ----RASHDC---- C:\WINNT\system32\dllcache
2009-06-11 03:02:45 ----HD---- C:\WINNT\$hf_mig$
2009-06-11 03:02:43 ----A---- C:\WINNT\imsins.BAK
2009-06-06 11:38:30 ----D---- C:\Program Files\MioNet
2009-06-01 09:51:12 ----A---- C:\WINNT\system32\MRT.exe
2009-05-26 22:22:29 ----D---- C:\Fotos

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINNT\system32\DRIVERS\amdk7.sys [2008-05-07 37760]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2008-01-04 9336]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2008-01-04 9464]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINNT\system32\drivers\mfehidk.sys [2009-03-25 214024]
R1 MPFP;MPFP; C:\WINNT\System32\Drivers\Mpfp.sys [2008-10-23 120136]
R2 aslm75;aslm75; \??\C:\WINNT\system32\drivers\aslm75.sys []
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\H:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINNT\system32\drivers\LMIRfsDriver.sys []
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtag;ati2mtag; C:\WINNT\system32\DRIVERS\ati2mtag.sys [2009-02-25 3565568]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINNT\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINNT\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HidUsb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
R3 lmimirr;lmimirr; C:\WINNT\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINNT\system32\drivers\mfeavfk.sys [2009-03-25 79880]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINNT\system32\drivers\mfebopk.sys [2009-03-25 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINNT\system32\drivers\mfesmfk.sys [2009-03-25 40552]
R3 Msikbd2k;DellTouch; C:\WINNT\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\system32\DRIVERS\usbccgp.sys [2008-05-07 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2008-05-07 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINNT\system32\DRIVERS\usbhub.sys [2008-05-07 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2008-05-07 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbuhci.sys [2008-05-07 20608]
S1 NDISRD;NDISRD; C:\WINNT\system32\drivers\NDISRD.sys [2007-08-31 15340]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINNT\system32\drivers\BVRPMPR5.SYS []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINNT\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINNT\system32\drivers\mferkdk.sys [2009-03-25 34216]
S3 NTSIM;NTSIM; \??\C:\WINNT\System32\ntsim.sys []
S3 PalmUSBD;PalmUSBD; C:\WINNT\system32\drivers\PalmUSBD.sys [2007-06-24 16694]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINNT\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 viafilter;VIA USB Filter; C:\WINNT\System32\Drivers\viausb.sys [2003-06-18 9038]
S3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINNT\System32\Drivers\vulfnth.sys [2002-10-24 6912]
S3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINNT\System32\Drivers\vulfntr.sys [2002-11-13 10496]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\system32\Ati2evxx.exe [2009-02-25 602112]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-05 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-01-08 797864]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-01-09 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-01-09 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-03-25 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-03-19 884360]
R2 Nhksrv;Netropa NHK Server; C:\WINNT\Nhksrv.exe [2001-08-06 28672]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service; C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-03-24 606736]
S2 ATI Smart;ATI Smart; C:\WINNT\system32\ati2sgag.exe [2009-02-25 593920]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2008-05-07 267776]
S2 MioNet;MioNet; C:\Program Files\MioNet\MioNetManager.exe [2007-08-31 139264]
S3 AresChatServer;Ares Chatroom server; H:\Program Files\Ares\chatServer.exe [2007-03-19 263168]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-20 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LPDSVC;TCP/IP Print Server; C:\WINNT\system32\tcpsvcs.exe [2008-05-07 19456]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-04-01 365072]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2006-11-09 65536]
S3 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2008-05-07 50176]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; H:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]
S4 LMIMaint;LogMeIn Maintenance Service; H:\Program Files\LogMeIn\x86\RaMaint.exe [2007-11-15 116032]
S4 LogMeIn;LogMeIn; H:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2007-11-07 20480]

-----------------EOF-----------------

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:46 AM

Posted 20 June 2009 - 07:36 PM

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and selecting 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Then please post back with the Kaspersky report and Gmer log.

Thanks


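As an added example that is not part of this thread, here is a small Python first pass over a GMER log of the kind requested above: it parses the "Kernel code sections" and "User code sections" hook lines, groups kernel hooks by the driver they jump into, flags hooks GMER could not attribute to any module, and lists drivers GMER names but cannot find on disk. The sample log inside it is constructed in GMER's line format; the ZwQueryDirectoryFile entry and its addresses are invented to exercise the unattributed-hook check.

```python
import re
from collections import Counter, defaultdict

# Inline-hook lines from the "Kernel code sections" / "User code sections" of a GMER log.
# Kernel lines name the patched export directly; user-mode lines are prefixed with the
# process path and [PID].  After the byte count GMER prints "JMP <target>" followed, when
# the target lies inside a mapped image, by "<module> (<vendor>)", or a raw byte list.
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+"
    r"(?:(?P<process>\S+)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[^\s!]+)!(?P<symbol>\S+?)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<len>\d+)\s+Bytes?\s+"
    r"(?:(?P<patch>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<target_module>\S+)\s+\((?P<vendor>[^)]*)\))?"
    r"|\[(?P<bytes>[^\]]*)\])\s*$"
)
# "? <driver> <message> !": a driver GMER knows of but cannot open on disk.
MISSING_RE = re.compile(r"^\?\s+(?P<driver>\S+)\s+(?P<msg>.*?)\s*!$")

# Constructed sample in GMER's format (the ZwQueryDirectoryFile line is invented).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP A6FA8518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP A6FA8571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 2 Bytes JMP A6FA8502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 3 80571CB4 4 Bytes [A3, 26, 90, 90]
PAGE ntoskrnl.exe!ZwQueryDirectoryFile 80574DAD 5 Bytes JMP B1234567
? hnei.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FAF
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINNT\system32\services.exe[532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
"""


def parse_gmer(text):
    """Return (hooks, missing_drivers) for the inline-hook and '?' lines of a GMER log."""
    hooks, missing = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("driver"))
    return hooks, missing


def triage(hooks, missing_drivers):
    """First pass: where kernel hooks go, which hooks GMER could not attribute to any
    module, and which drivers it lists but cannot find on disk."""
    kernel_targets = Counter()
    kernel_unattributed = []
    user_unattributed = defaultdict(set)
    for h in hooks:
        if h["target"] is None:  # "+ N ... [bytes]" continuation of the patch above
            continue
        if h["process"] is None:  # kernel-mode hook
            if h["target_module"]:  # e.g. every hook into mfehidk.sys carries a vendor string
                kernel_targets[(h["target_module"], h["vendor"])] += 1
            else:  # jump to memory GMER cannot tie to a loaded driver: examine first
                kernel_unattributed.append(f'{h["module"]}!{h["symbol"]} -> {h["target"]}')
        elif not h["target_module"]:
            # User-mode jumps into anonymous memory are also how injected HIPS code shows
            # up, so these get cross-checked against installed security software.
            user_unattributed[f'{h["process"]}[{h["pid"]}]'].add(h["module"])
    return {
        "kernel_targets": dict(kernel_targets),
        "kernel_unattributed": kernel_unattributed,
        "user_unattributed": {p: sorted(d) for p, d in user_unattributed.items()},
        "missing_drivers": list(missing_drivers),
    }


def report(text):
    """Human-readable summary, returned as lines so it can be printed or checked."""
    t = triage(*parse_gmer(text))
    out = ["Kernel hooks by target module:"]
    out += [f"  {n:3d}  {mod}  ({vendor})" for (mod, vendor), n in sorted(t["kernel_targets"].items())]
    out.append("Kernel hooks with no attributed target (look at these first):")
    out += [f"  {x}" for x in t["kernel_unattributed"]] or ["  none"]
    out.append("Processes with unattributed user-mode hooks (patched DLLs):")
    out += [f"  {p}: {', '.join(d)}" for p, d in sorted(t["user_unattributed"].items())] or ["  none"]
    out.append("Drivers listed but not found on disk:")
    out += [f"  {d}" for d in t["missing_drivers"]] or ["  none"]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```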

#8 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • Local time:10:46 PM

Posted 21 June 2009 - 11:47 PM

Thanks again Syler. Here are the GMER log and the Kaspersky report.
--------------------------------------------------------------------------------

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-21 07:20:04
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA6FA84EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA6FA8581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA6FA8498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA6FA84AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA6FA8595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA6FA85C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA6FA862F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA6FA8619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA6FA852A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA6FA865B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA6FA856D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA6FA8470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA6FA8484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA6FA84FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA6FA8697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA6FA8603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA6FA85ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA6FA85AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA6FA8683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA6FA866F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA6FA84D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA6FA84C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA6FA85D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA6FA8559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA6FA8645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA6FA8540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA6FA8514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP A6FA8518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP A6FA8571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP A6FA85F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP A6FA84EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP A6FA84C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP A6FA8585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP A6FA869B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP A6FA8633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP A6FA8474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 2 Bytes JMP A6FA8502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 3 80571CB4 4 Bytes [A3, 26, 90, 90]
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP A6FA85DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP A6FA8544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP A6FA852E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP A6FA84B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP A6FA855D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP A6FA8488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP A6FA865F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP A6FA861D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP A6FA85C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP A6FA8599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP A6FA849C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP A6FA84DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP A6FA8649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP A6FA8607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP A6FA85AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP A6FA8673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP A6FA8687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? hnei.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINNT\system32\services.exe[532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070082
.text C:\WINNT\system32\services.exe[532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F83
.text C:\WINNT\system32\services.exe[532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F94
.text C:\WINNT\system32\services.exe[532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FAF
.text C:\WINNT\system32\services.exe[532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FCA
.text C:\WINNT\system32\services.exe[532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F4D
.text C:\WINNT\system32\services.exe[532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F68
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F32
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700D5
.text C:\WINNT\system32\services.exe[532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700E6
.text C:\WINNT\system32\services.exe[532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070051
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FEF
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070093
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070040
.text C:\WINNT\system32\services.exe[532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070025
.text C:\WINNT\system32\services.exe[532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700BA
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FC0
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060062
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FD1
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060051
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FAF
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINNT\system32\services.exe[532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060036
.text C:\WINNT\system32\services.exe[532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA1
.text C:\WINNT\system32\services.exe[532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050022
.text C:\WINNT\system32\services.exe[532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FCD
.text C:\WINNT\system32\services.exe[532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINNT\system32\services.exe[532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FB2
.text C:\WINNT\system32\services.exe[532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050011
.text C:\WINNT\system32\services.exe[532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F7E
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0073
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0062
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0047
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF002C
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F37
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F52
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0EFA
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F0B
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00AE
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FA5
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FEF
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F63
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FCA
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF001B
.text C:\WINNT\system32\lsass.exe[544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F26
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FCD
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F7C
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FDE
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FEF
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F97
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE000A
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0039
.text C:\WINNT\system32\lsass.exe[544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FB2
.text C:\WINNT\system32\lsass.exe[544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0036
.text C:\WINNT\system32\lsass.exe[544] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0025
.text C:\WINNT\system32\lsass.exe[544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD000A
.text C:\WINNT\system32\lsass.exe[544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FE3
.text C:\WINNT\system32\lsass.exe[544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FB5
.text C:\WINNT\system32\lsass.exe[544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FD2
.text C:\WINNT\system32\lsass.exe[544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD000A
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F7E
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0FA3
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0FC0
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD007D
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0047
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD00A4
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0F5C
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD00B5
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0F26
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD00C6
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0062
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD001B
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0F6D
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0FE5
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0036
.text C:\WINNT\system32\svchost.exe[708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD0F41
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0FAF
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0F6F
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0FD4
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0000
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0F8A
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0FEF
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC002C
.text C:\WINNT\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC001B
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB002C
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0FAB
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB0FBC
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FE3
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0011
.text C:\WINNT\system32\svchost.exe[708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0000
.text C:\WINNT\system32\svchost.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0000
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F97
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90082
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90065
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90054
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FC3
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F6B
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F86
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900E9
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900D8
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90F35
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90FB2
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C900A7
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FDE
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90025
.text C:\WINNT\system32\svchost.exe[772] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F5A
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C8002F
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C8004A
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80014
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80FDE
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80F97
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FEF
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C80FB2
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes CALL C89FEDE5
.text C:\WINNT\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80FC3
.text C:\WINNT\system32\svchost.exe[772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C7003D
.text C:\WINNT\system32\svchost.exe[772] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70FB2
.text C:\WINNT\system32\svchost.exe[772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70011
.text C:\WINNT\system32\svchost.exe[772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70000
.text C:\WINNT\system32\svchost.exe[772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70022
.text C:\WINNT\system32\svchost.exe[772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70FE3
.text C:\WINNT\system32\svchost.exe[772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02BD0FE5
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02BD0051
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02BD0040
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02BD0F66
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02BD0025
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02BD0F9E
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02BD0F41
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02BD0089
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02BD0F30
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02BD00C9
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02BD0F0B
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02BD0F83
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02BD0FD4
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02BD0062
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02BD000A
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02BD0FB9
.text C:\WINNT\System32\svchost.exe[840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02BD00AE
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02BC0025
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02BC0F8D
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02BC0FD4
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02BC0FE5
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02BC0F9E
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02BC0000
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02BC0FAF
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 8A]
.text C:\WINNT\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02BC0036
.text C:\WINNT\System32\svchost.exe[840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BB0F81
.text C:\WINNT\System32\svchost.exe[840] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BB0F9C
.text C:\WINNT\System32\svchost.exe[840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BB000C
.text C:\WINNT\System32\svchost.exe[840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BB0FE3
.text C:\WINNT\System32\svchost.exe[840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BB0FAD
.text C:\WINNT\System32\svchost.exe[840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BB0FD2
.text C:\WINNT\System32\svchost.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02710000
.text C:\WINNT\System32\svchost.exe[840] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 02700000
.text C:\WINNT\System32\svchost.exe[840] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 02700011
.text C:\WINNT\System32\svchost.exe[840] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 02700FDB
.text C:\WINNT\System32\svchost.exe[840] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 02700FCA
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C000A
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0093
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C0082
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C0065
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0FA8
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C0FD4
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C00C9
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C00B8
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C0F52
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C00EB
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0F41
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0FB9
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FEF
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F8D
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0040
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C0025
.text C:\WINNT\system32\svchost.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C00DA
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0FB2
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0F61
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0FC3
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0FD4
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0F72
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B0FEF
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008B0014
.text C:\WINNT\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B0F97
.text C:\WINNT\system32\svchost.exe[912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0F90
.text C:\WINNT\system32\svchost.exe[912] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0FA1
.text C:\WINNT\system32\svchost.exe[912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0FC3
.text C:\WINNT\system32\svchost.exe[912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
.text C:\WINNT\system32\svchost.exe[912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0FB2
.text C:\WINNT\system32\svchost.exe[912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FDE
.text C:\WINNT\system32\svchost.exe[912] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0089000A
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0059
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0F64
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F7F
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F90
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FAB
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F33
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0085
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F07
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00A0
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0EF6
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0032
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDE
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0074
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FBC
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FCD
.text C:\WINNT\system32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F18
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FCA
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F8D
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FDB
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0011
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F9E
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0000
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B0040
.text C:\WINNT\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FB9
.text C:\WINNT\system32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FA3
.text C:\WINNT\system32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FB4
.text C:\WINNT\system32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FD9
.text C:\WINNT\system32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINNT\system32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A002E
.text C:\WINNT\system32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0011
.text C:\WINNT\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E900AB
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90FB6
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90FC7
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90084
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E9004E
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E900CD
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F85
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900F9
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900E8
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90114
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90073
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90011
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E900BC
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90033
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90022
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F6A
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80036
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E80087
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FE5
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E8001B
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80FCA
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E80062
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80051
.text C:\WINNT\system32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70FB9
.text C:\WINNT\system32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FD4
.text C:\WINNT\system32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E7003A
.text C:\WINNT\system32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINNT\system32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70FE5
.text C:\WINNT\system32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70029
.text C:\WINNT\system32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60000
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015F0000
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015F0078
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015F0F79
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015F0F94
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015F0047
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015F0FC0
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015F00B5
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015F00A4
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015F00C6
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015F0F2D
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015F0F12
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015F0FAF
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015F0011
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015F0093
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015F0FD1
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015F0022
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015F0F48
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015E0FE5
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 015E0FAF
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 015E0036
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 015E0011
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 015E0FC0
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 015E0000
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 015E0062
.text C:\WINNT\Explorer.EXE[1624] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 015E0051
.text C:\WINNT\Explorer.EXE[1624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015A0053
.text C:\WINNT\Explorer.EXE[1624] msvcrt.dll!system 77C293C7 5 Bytes JMP 015A0038
.text C:\WINNT\Explorer.EXE[1624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015A000C
.text C:\WINNT\Explorer.EXE[1624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015A0FE3
.text C:\WINNT\Explorer.EXE[1624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015A0027
.text C:\WINNT\Explorer.EXE[1624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015A0FD2
.text C:\WINNT\Explorer.EXE[1624] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 01560FEF
.text C:\WINNT\Explorer.EXE[1624] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 01560FCA
.text C:\WINNT\Explorer.EXE[1624] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 01560000
.text C:\WINNT\Explorer.EXE[1624] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 01560011
.text C:\WINNT\Explorer.EXE[1624] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0159000A
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0064
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0053
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA002C
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F79
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA001B
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA007F
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F43
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F1C
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00B5
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00D0
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F8A
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDB
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F54
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FAF
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FCA
.text C:\WINNT\system32\svchost.exe[1724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA009A
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FDE
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093007D
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930025
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930014
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093006C
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093005B
.text C:\WINNT\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093004A
.text C:\WINNT\system32\svchost.exe[1724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920033
.text C:\WINNT\system32\svchost.exe[1724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FB2
.text C:\WINNT\system32\svchost.exe[1724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FDE
.text C:\WINNT\system32\svchost.exe[1724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0092000C
.text C:\WINNT\system32\svchost.exe[1724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FCD
.text C:\WINNT\system32\svchost.exe[1724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FEF
.text C:\WINNT\system32\svchost.exe[1724] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 00900FEF
.text C:\WINNT\system32\svchost.exe[1724] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 0090000A
.text C:\WINNT\system32\svchost.exe[1724] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 00900FD4
.text C:\WINNT\system32\svchost.exe[1724] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 00900FC3
.text C:\WINNT\system32\svchost.exe[1724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA7F93FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA7F9458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA7F9684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA7F96B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA7F9684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA7F9458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA7F93FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA7F9684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA7F96B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA7F93FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA7F9458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1624] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 21, 2009 15:18:11
Records in database: 2374281
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 491804
Threat name: 3
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 11:22:53


File name / Threat name / Threats count
C:\Program Files\PowerQuest\Drive Image 7.0\Shared\PQV2iObj.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.o 1
H:\Program Files\Instant Article Submitter\result\ArticleCopy.com.html Infected: Trojan-Downloader.JS.Iframe.aqf 1
H:\Program Files\Instant Article Submitter\result\ArticleLookup.com.html Infected: Trojan-Downloader.JS.Iframe.aqf 1
H:\Program Files\Instant Article Submitter\result\ArticleTime.com.html Infected: Trojan-Downloader.JS.Psyme.hz 1
I:\Backups\Memeo\Eddie's Backup\C_\Program Files\PowerQuest\Drive Image 7.0\Shared\PQV2iObj.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.o 1
I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleCopy.com.html Infected: Trojan-Downloader.JS.Iframe.aqf 1
I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleLookup.com.html Infected: Trojan-Downloader.JS.Iframe.aqf 1
I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleTime.com.html Infected: Trojan-Downloader.JS.Psyme.hz 1

The selected area was scanned.
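The user-mode hook dump above is easier to reason about once it is grouped per process and the hooks whose JMP target has no owning module are separated from those that do (the Hotsync hooks resolve to SHW32.DLL; the svchost and Explorer hooks do not). The parser below is an added example, not part of the original post and not GMER's own code; it assumes only the GMER 1.0.15 line layout visible in the log, and its sample input is a handful of lines copied from that log.

```python
"""Triage helper for a GMER 1.0.15 user-mode ".text" hook section.

Assumed line layout (the only thing this parser relies on):
  .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner> (<description>)]
A hook whose JMP target has no owner module landed in anonymous memory; that is
the first thing a responder separates out, because a legitimately hooking
product normally leaves an attributable module behind.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>.+?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<desc>.+)\))?\s*$"
)

# Constructed sample: a few lines copied from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINNT\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900F9
.text C:\WINNT\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80036
.text C:\WINNT\system32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60000
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015F0000
.text C:\WINNT\Explorer.EXE[1624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015F00C6
.text C:\WINNT\Explorer.EXE[1624] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 01560FEF
.text C:\WINNT\Explorer.EXE[1624] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0159000A
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text H:\Program Files\Palm2\Hotsync.exe[2740] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 H:\Program Files\Palm2\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
---- Kernel IAT/EAT - GMER 1.0.15 ----
"""


def parse_hook_line(line):
    """Parse one '.text' hook line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["n"] = int(d["n"])
    d["addr"] = int(d["addr"], 16)
    d["target"] = int(d["target"], 16)
    return d


def parse_hooks(text):
    """All hook records in a GMER log text, in file order."""
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def summarize(hooks):
    """Group hooks per (process, pid) and separate attributed from unattributed ones."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h["proc"], h["pid"])].append(h)
    out = {}
    for key, hs in by_proc.items():
        unattributed = [h for h in hs if h["owner"] is None]
        # Targets sharing a 64 KiB region (Windows allocation granularity)
        # were almost certainly planted from the same injected block.
        pages = sorted({h["target"] & 0xFFFF0000 for h in unattributed})
        out[key] = {
            "hooks": len(hs),
            "unattributed": len(unattributed),
            "unattributed_functions": {f"{h['module']}!{h['func']}" for h in unattributed},
            "owners": sorted({h["owner"] for h in hs if h["owner"]}),
            "trampoline_pages": [f"{p:08X}" for p in pages],
        }
    return out


def shared_unattributed_functions(summary):
    """Functions hooked without attribution in every process that has such hooks.

    A uniform set across unrelated processes points at one system-wide hooking
    component; the names it chose say what it wants to watch.
    """
    sets = [s["unattributed_functions"] for s in summary.values() if s["unattributed"]]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    summary = summarize(parse_hooks(SAMPLE_LOG))
    for (proc, pid), s in summary.items():
        print(f"{proc}[{pid}]: {s['hooks']} hooks, {s['unattributed']} unattributed,"
              f" owners={s['owners'] or '-'}, trampoline pages={s['trampoline_pages'] or '-'}")
    print("hooked everywhere without attribution:",
          sorted(shared_unattributed_functions(summary)))
```

A uniform, unattributed hook set on file, process, registry and socket APIs is what a user-mode HIPS such as the McAfee components visible in the same log installs, as well as what an injected payload installs, so treat the output as a list of what to verify next, not as a verdict.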

#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:46 AM

Posted 22 June 2009 - 01:44 AM

Are you still getting the radio station playing in the background or any other problems?

Do you know the program detected below by Kaspersky? If it's something you use it should be fine; if you
don't use it you can safely delete it.

C:\Program Files\PowerQuest\Drive Image 7.0\Shared\PQV2iObj.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.o 1


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :Files
    H:\Program Files\Instant Article Submitter\result\ArticleCopy.com.html 
    H:\Program Files\Instant Article Submitter\result\ArticleLookup.com.html I
    H:\Program Files\Instant Article Submitter\result\ArticleTime.com.html 
    I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleCopy.com.html 
    I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleLookup.com.html
    I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleTime.com.html 
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Then post back with the OTM results and a fresh Rsit log.

Thanks



#10 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 22 June 2009 - 10:44 PM

Syler,

I do not hear the radio station. I also opened IE and closed it several times and I checked the running processes in the "Windows Task Manager" and there are two instances of iexplore.exe running while IE is opened, but once I close it, they both disappear from the running processes. I wonder why there should be two of them, though. But it is not like before when, even after I closed it, I could see instances of it running. Thanks for all your help. Am I clean now? :thumbup2:

Below is my latest OTM log:
-----------------------------------
========== FILES ==========
H:\Program Files\Instant Article Submitter\result\ArticleCopy.com.html moved successfully.
File/Folder H:\Program Files\Instant Article Submitter\result\ArticleLookup.com.html I not found.
H:\Program Files\Instant Article Submitter\result\ArticleTime.com.html moved successfully.
I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleCopy.com.html moved successfully.
I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleLookup.com.html moved successfully.
I:\Backups\Memeo\Eddie's Backup\H_\Program Files\Instant Article Submitter\result\ArticleTime.com.html moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\EDDIEP~1.HOM\LOCALS~1\Temp\jkos-Eddie Perez-Ruberte\binaries\FSSync.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINNT\temp\mcmsc_0MEi7cZqxDtQ7Hb scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\mcmsc_0PgclyUYGIzVna3 scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\Perflib_Perfdata_c50.dat scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\sqlite_BLZPhYMTL8LgccK scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\sqlite_JBqbc8c8ihUuiJK scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\sqlite_WVdUI353dQVfYJB scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.1 log created on 06222009_202913

Files moved on Reboot...
File C:\DOCUME~1\EDDIEP~1.HOM\LOCALS~1\Temp\jkos-Eddie Perez-Ruberte\binaries\FSSync.dll not found!
File C:\WINNT\temp\mcmsc_0MEi7cZqxDtQ7Hb not found!
File C:\WINNT\temp\mcmsc_0PgclyUYGIzVna3 not found!
File C:\WINNT\temp\Perflib_Perfdata_c50.dat not found!
C:\WINNT\temp\sqlite_BLZPhYMTL8LgccK moved successfully.
C:\WINNT\temp\sqlite_JBqbc8c8ihUuiJK moved successfully.
C:\WINNT\temp\sqlite_WVdUI353dQVfYJB moved successfully.

Registry entries deleted on Reboot...

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:46 AM

Posted 22 June 2009 - 10:55 PM

eperezruberte,

Can you post a new Rsit log for one last check please.



#12 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 25 June 2009 - 01:28 AM

Syler,

RSIT log, per your request. Thanks! :thumbup2:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Eddie Perez-Ruberte at 2009-06-24 23:27:30
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (7%) free of 50 GB
Total RAM: 2048 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:45 PM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\MMKeybd.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\QuickTime\QTTask.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Netropa\OSD.exe
H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
H:\Program Files\Palm2\Hotsync.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Program Files\Ares\Ares.exe
C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\U3\284521138EC1E4C9\LaunchPad.exe
C:\WINNT\system32\SearchIndexer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
H:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
H:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Desktop\RSIT.exe
C:\Program Files\trend micro\Eddie Perez-Ruberte.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\Palm2\Hotsync.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0159681245720594) (0159681245720594mcinstcleanup) - Unknown owner - C:\WINNT\TEMP\015968~1.EXE (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINNT\Nhksrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12725 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\McDefragTask.job
C:\WINNT\tasks\McQcTask.job
C:\WINNT\tasks\User_Feed_Synchronization-{204C3918-4B48-4521-A124-17101DA6A2AB}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-11-20 911600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-03-25 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-22 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-06-22 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-06-22 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-15 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-11-20 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-11-15 262144]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-11-20 911600]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-22 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"=C:\WINNT\MMKeybd.exe [2001-09-05 163840]
"NeroCheck"=C:\WINNT\system32\NeroCheck.exe [2001-07-09 155648]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-25 61440]
"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2007-10-04 307200]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-01-08 645328]
"WD Drive Manager"=C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [2008-01-30 438272]
"MioNet"=C:\Program Files\MioNet\MioNetLauncher.exe [2007-08-31 32768]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=H:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
"Acrobat Assistant 8.0"=H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2006-10-22 620152]
""= []
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-06-22 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2008-05-07 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
Adobe Acrobat Synchronizer.lnk - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
HOTSYNCSHORTCUTNAME.lnk - H:\Program Files\Palm2\Hotsync.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINNT\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINNT\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2008-05-07 383488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\MioNet\MioNetManager.exe"="C:\Program Files\MioNet\MioNetManager.exe:*:Enabled:MioNetManager"
"C:\Program Files\MioNet\jvm\bin\MioNet.exe"="C:\Program Files\MioNet\jvm\bin\MioNet.exe:*:Enabled:MioNet"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"H:\Program Files\iTunes\iTunes.exe"="H:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"H:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="H:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5eebf7f-ea72-11dd-ae7b-000c6e3db576}]
shell\AutoRun\command - K:\LaunchU3.exe -a


======File associations======

.js - open - "H:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"

======List of files/folders created in the last 1 months======

2009-06-24 20:06:12 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Windows Desktop Search
2009-06-24 20:04:41 ----D---- C:\Program Files\Windows Desktop Search
2009-06-24 20:04:16 ----HDC---- C:\WINNT\$NtUninstallKB940157$
2009-06-24 20:03:54 ----HDC---- C:\WINNT\$NtUninstallKB915800-v4$
2009-06-24 20:03:45 ----D---- C:\WINNT\LastGood
2009-06-22 21:09:42 ----D---- C:\Program Files\Microsoft Works
2009-06-22 21:09:09 ----D---- C:\Program Files\MSBuild
2009-06-22 21:00:46 ----D---- C:\Program Files\Microsoft Visual Studio 8
2009-06-22 20:59:29 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-06-22 20:25:34 ----A---- C:\WINNT\system32\javaws.exe
2009-06-22 20:25:34 ----A---- C:\WINNT\system32\javaw.exe
2009-06-22 20:25:34 ----A---- C:\WINNT\system32\java.exe
2009-06-20 17:38:27 ----D---- C:\Program Files\Common Files\Control Panels
2009-06-20 17:34:36 ----D---- C:\Documents and Settings\All Users\Application Data\ALM
2009-06-20 17:00:45 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-06-20 10:02:41 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Malwarebytes
2009-06-20 10:02:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-06-20 10:02:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-20 09:49:47 ----D---- C:\_OTM
2009-06-18 20:45:48 ----D---- C:\Program Files\trend micro
2009-06-18 20:45:47 ----D---- C:\rsit
2009-06-14 22:55:00 ----D---- C:\Program Files\iPod
2009-06-14 22:54:39 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 22:53:18 ----D---- C:\Program Files\Bonjour
2009-06-14 22:50:01 ----A---- C:\WINNT\system32\usbaaplrc.dll
2009-06-14 22:49:10 ----D---- C:\Program Files\Common Files\Apple
2009-06-11 03:02:40 ----HDC---- C:\WINNT\$NtUninstallKB961501$
2009-06-11 03:02:34 ----HDC---- C:\WINNT\$NtUninstallKB969898$
2009-06-11 03:00:35 ----HDC---- C:\WINNT\$NtUninstallKB970238$
2009-06-11 03:00:25 ----HDC---- C:\WINNT\$NtUninstallKB968537$
2009-06-07 00:21:48 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

======List of files/folders modified in the last 1 months======

2009-06-24 23:27:38 ----D---- C:\WINNT\Prefetch
2009-06-24 23:27:32 ----D---- C:\WINNT\temp
2009-06-24 23:20:58 ----D---- C:\WINNT\system32\NtmsData
2009-06-24 22:01:26 ----AD---- C:\WINNT\system32\config
2009-06-24 21:55:51 ----A---- C:\WINNT\MSIOSD.INI
2009-06-24 21:55:49 ----AD---- C:\WINNT\security
2009-06-24 20:05:03 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-06-24 20:05:01 ----D---- C:\WINNT\system32\CatRoot2
2009-06-24 20:05:00 ----HD---- C:\WINNT\inf
2009-06-24 20:04:56 ----HD---- C:\WINNT
2009-06-24 20:04:51 ----AD---- C:\WINNT\system32
2009-06-24 20:04:51 ----A---- C:\WINNT\system32\PerfStringBackup.INI
2009-06-24 20:04:46 ----D---- C:\WINNT\system32\en-US
2009-06-24 20:04:41 ----RAD---- C:\Program Files
2009-06-24 20:04:39 ----AD---- C:\WINNT\system32\wbem
2009-06-24 20:04:09 ----A---- C:\WINNT\imsins.BAK
2009-06-24 20:04:04 ----RASHDC---- C:\WINNT\system32\dllcache
2009-06-24 19:58:30 ----SD---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Microsoft
2009-06-24 19:41:19 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\U3
2009-06-24 09:20:00 ----A---- C:\WINNT\SchedLgU.Txt
2009-06-24 08:57:36 ----D---- C:\Program Files\Mozilla Firefox
2009-06-22 21:23:57 ----A---- C:\WINNT\MMKEYBD.INI
2009-06-22 21:22:04 ----AHD---- C:\Config.Msi
2009-06-22 21:19:42 ----SHD---- C:\WINNT\Installer
2009-06-22 21:18:54 ----HD---- C:\WINNT\ShellNew
2009-06-22 21:18:40 ----A---- C:\WINNT\win.ini
2009-06-22 21:13:56 ----RSD---- C:\WINNT\assembly
2009-06-22 21:09:27 ----AD---- C:\Program Files\Common Files\Microsoft Shared
2009-06-22 21:07:55 ----RSD---- C:\WINNT\Fonts
2009-06-22 20:25:07 ----A---- C:\WINNT\system32\deploytk.dll
2009-06-22 20:19:56 ----D---- C:\Program Files\McAfee
2009-06-22 20:14:55 ----D---- C:\Program Files\Java
2009-06-22 18:29:53 ----HD---- C:\WINNT\system32\drivers
2009-06-20 17:41:59 ----D---- C:\Program Files\Common Files\Adobe
2009-06-20 17:38:27 ----AD---- C:\Program Files\Common Files
2009-06-20 17:34:36 ----D---- C:\Documents and Settings\Eddie Perez-Ruberte.HOME\Application Data\Adobe
2009-06-20 17:31:49 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-06-20 17:15:58 ----D---- C:\WINNT\winsxs
2009-06-20 17:08:34 ----D---- C:\Program Files\Adobe
2009-06-20 09:54:37 ----D---- C:\WINNT\SxsCaPendDel
2009-06-17 23:50:02 ----SD---- C:\WINNT\Downloaded Program Files
2009-06-14 22:55:53 ----DC---- C:\WINNT\system32\DRVSTORE
2009-06-14 22:52:57 ----D---- C:\Program Files\QuickTime
2009-06-14 22:50:46 ----SD---- C:\WINNT\Tasks
2009-06-14 22:50:42 ----D---- C:\Program Files\Apple Software Update
2009-06-14 22:50:06 ----D---- C:\WINNT\system32\ReinstallBackups
2009-06-11 03:09:55 ----D---- C:\Program Files\Internet Explorer
2009-06-11 03:02:45 ----HD---- C:\WINNT\$hf_mig$
2009-06-06 11:38:30 ----D---- C:\Program Files\MioNet
2009-06-01 09:51:12 ----A---- C:\WINNT\system32\MRT.exe
2009-05-26 22:22:29 ----D---- C:\Fotos

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINNT\system32\DRIVERS\amdk7.sys [2008-05-07 37760]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINNT\system32\drivers\mfehidk.sys [2009-03-25 214024]
R1 MPFP;MPFP; C:\WINNT\System32\Drivers\Mpfp.sys [2008-10-23 120136]
R2 aslm75;aslm75; \??\C:\WINNT\system32\drivers\aslm75.sys []
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\H:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINNT\system32\drivers\LMIRfsDriver.sys []
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ati2mtag;ati2mtag; C:\WINNT\system32\DRIVERS\ati2mtag.sys [2009-02-25 3565568]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINNT\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINNT\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HidUsb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
R3 lmimirr;lmimirr; C:\WINNT\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINNT\system32\drivers\mfeavfk.sys [2009-03-25 79880]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINNT\system32\drivers\mfebopk.sys [2009-03-25 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINNT\system32\drivers\mfesmfk.sys [2009-03-25 40552]
R3 Msikbd2k;DellTouch; C:\WINNT\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\system32\DRIVERS\usbccgp.sys [2008-05-07 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2008-05-07 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINNT\system32\DRIVERS\usbhub.sys [2008-05-07 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2008-05-07 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbuhci.sys [2008-05-07 20608]
S1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2008-01-04 9336]
S1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2008-01-04 9464]
S1 NDISRD;NDISRD; C:\WINNT\system32\drivers\NDISRD.sys [2007-08-31 15340]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINNT\system32\drivers\BVRPMPR5.SYS []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINNT\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINNT\system32\drivers\mferkdk.sys [2009-03-25 34216]
S3 NTSIM;NTSIM; \??\C:\WINNT\System32\ntsim.sys []
S3 PalmUSBD;PalmUSBD; C:\WINNT\system32\drivers\PalmUSBD.sys [2007-06-24 16694]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINNT\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 viafilter;VIA USB Filter; C:\WINNT\System32\Drivers\viausb.sys [2003-06-18 9038]
S3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINNT\System32\Drivers\vulfnth.sys [2002-10-24 6912]
S3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINNT\System32\Drivers\vulfntr.sys [2002-11-13 10496]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\system32\Ati2evxx.exe [2009-02-25 602112]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-06-22 152984]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-01-08 797864]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-01-09 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-01-09 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-03-25 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-03-19 884360]
R2 Nhksrv;Netropa NHK Server; C:\WINNT\Nhksrv.exe [2001-08-06 28672]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service; C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
R2 WSearch;Windows Search; C:\WINNT\system32\SearchIndexer.exe [2008-05-26 439808]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-06-20 654848]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-03-24 606736]
S2 0159681245720594mcinstcleanup;McAfee Application Installer Cleanup (0159681245720594); C:\WINNT\TEMP\015968~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S2 ATI Smart;ATI Smart; C:\WINNT\system32\ati2sgag.exe [2009-02-25 593920]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2008-05-07 267776]
S2 MioNet;MioNet; C:\Program Files\MioNet\MioNetManager.exe [2007-08-31 139264]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 AresChatServer;Ares Chatroom server; H:\Program Files\Ares\chatServer.exe [2007-03-19 263168]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-20 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LPDSVC;TCP/IP Print Server; C:\WINNT\system32\tcpsvcs.exe [2008-05-07 19456]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-04-01 365072]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2006-11-09 65536]
S3 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2008-05-07 50176]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; H:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]
S4 LMIMaint;LogMeIn Maintenance Service; H:\Program Files\LogMeIn\x86\RaMaint.exe [2007-11-15 116032]
S4 LogMeIn;LogMeIn; H:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2007-11-07 20480]

-----------------EOF-----------------
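
Added example, not part of the original thread or of the log tool's own code: a small Python triage helper for a services section in the format shown above. The sample lines inside it are constructed in the same `R2 name;display; path [date size]` shape as the listing and are not taken from any real machine. As I read the convention, the leading letter is R or S (running/stopped), the digit is the service start type (2 auto, 3 manual, 4 disabled), and a trailing `[]` means the tool recorded no file date or size. The two rules it applies (binary under a TEMP directory, no file metadata) are my own review heuristics, and they are deliberately only prompts for a manual look, not verdicts: on this page the one entry they would catch is McAfee's own installer-cleanup service, which is legitimate.

```python
import re

# Constructed sample in the same shape as the services section of the log above
# (not copied from any real host). The McAfee cleanup line is legitimate; it is
# here precisely because it trips both heuristics and shows why a flag is only
# a prompt for review.
SAMPLE_SERVICES = r"""
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-03-25 144704]
R2 WSearch;Windows Search; C:\WINNT\system32\SearchIndexer.exe [2008-05-26 439808]
S2 0159681245720594mcinstcleanup;McAfee Application Installer Cleanup (0159681245720594); C:\WINNT\TEMP\015968~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S3 AresChatServer;Ares Chatroom server; H:\Program Files\Ares\chatServer.exe [2007-03-19 263168]
S4 LogMeIn;LogMeIn; H:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
"""

# One service line: <R|S><start> <name>;<display>; <command line> [<date> <size>]
# (assumed layout, matching the listing above). The command line may carry
# arguments after the executable, and the bracket may be empty.
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d)\s+'
    r'(?P<name>[^;]+);(?P<display>[^;]*);\s*'
    r'(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# Split the command line at the first ".exe" so arguments do not pollute the path.
EXE_RE = re.compile(r'^(?P<exe>.*?\.exe)(?P<args>.*)$', re.IGNORECASE)

START_TYPES = {"2": "auto", "3": "manual", "4": "disabled"}   # assumed mapping
TEMP_DIRS = {"temp", "tmp"}


def parse_service_line(line):
    """Return a dict for one service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    em = EXE_RE.match(cmd)
    exe = em.group("exe") if em else cmd
    args = em.group("args").strip() if em else ""
    meta = m.group("meta").split()          # ["YYYY-MM-DD", "size"] or []
    has_meta = len(meta) == 2 and meta[1].isdigit()
    return {
        "running": m.group("state") == "R",
        "start": START_TYPES.get(m.group("start"), m.group("start")),
        "name": m.group("name"),
        "display": m.group("display"),
        "exe": exe,
        "args": args,
        "date": meta[0] if has_meta else None,
        "size": int(meta[1]) if has_meta else None,
    }


def review_flags(svc):
    """Review heuristics (my own): reasons a human should look at this entry."""
    flags = []
    # Any directory component named TEMP/TMP: services normally live under
    # Program Files or the system directory, not in scratch space.
    parts = [p.lower() for p in re.split(r'[\\/]', svc["exe"])]
    if any(p in TEMP_DIRS for p in parts[:-1]):
        flags.append("binary runs from a temp directory")
    # An empty [] means the tool could not record the file's date and size.
    if svc["size"] is None:
        flags.append("no file date/size recorded")
    return flags


def triage(text):
    """Parse every service line in `text`; return [(name, [flags...])] for hits only."""
    hits = []
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        flags = review_flags(svc)
        if flags:
            hits.append((svc["name"], flags))
    return hits


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_SERVICES):
        print(f"REVIEW {name}: " + "; ".join(flags))
```

Run it against a saved log instead of the embedded sample by passing the file's text to `triage()`; anything it prints still needs the same judgement the helpers on this thread apply by eye (vendor, install date, whether the path is where that product normally lives).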

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:46 AM

Posted 25 June 2009 - 02:42 PM

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean! :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out your restore points, you need to set a new restore point:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Note: This does not need to be done on a regular basis.

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates is always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates, click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program
A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.
Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.
Tutorials on using these programs can be found below:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :)
Syler



#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:46 AM

Posted 25 June 2009 - 06:43 PM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
