
Internet connection cutting in and out (not ISP) Trojan?


14 replies to this topic

#1 BMcGee

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:34 PM

Posted 05 November 2009 - 04:23 PM

Pages will either not load or load halfway and stop. If I keep hitting refresh it will work... eventually. Downloads will pause for a time and then start again and repeat. Not sure what's going on. It's not my ISP because other computers on the same wireless network are not having any issues. Please help!! (I have the attach.txt file and ark.txt but don't see a way to attach them.)
Bret


DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 12:51:29.56 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.345 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.bRet\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4022
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4022
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\4.0.223.9\npchrome_tab.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\owner.bret\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CHotkey] "zHotkey.exe"
mRun: [High Definition Audio Property Page Shortcut] "HDAShCut.exe"
mRun: [Reminder] "%WINDIR%\Creator\Remind_XP.exe"
mRun: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"
mRun: [SecurDisc] "c:\program files\nero\nero 7\incd\NBHGui.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311v3\wlancfg5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254075097109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\4.0.223.9\npchrome_tab.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.bre\applic~1\mozilla\firefox\profiles\c78l6m91.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\owner.bret\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-3 1205760]
S2 gupdate1c9beb6b8c78f82;Google Update Service (gupdate1c9beb6b8c78f82);c:\program files\google\update\GoogleUpdate.exe [2009-4-16 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-3 33176]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2009-4-18 7548]
S4 Netbise;Netbise; [x]

=============== Created Last 30 ================


==================== Find3M ====================

2009-11-02 20:27:00 370052 ----a-w- c:\windows\fonts\DELUSION.ttf
2009-09-27 19:07:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-09-27 19:07:37 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 07:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2006-03-15 22:19:34 212992 ----a-w- c:\windows\inf\wg311v3\CopyWHQLDriver.exe
2006-01-27 01:55:10 280576 ----a-w- c:\windows\inf\wg311v3\WG311v3.sys
2005-10-06 23:17:34 280576 ----a-w- c:\windows\inf\wg311v3\WG311v3XP.sys
2005-05-26 21:35:42 1422 ----a-w- c:\program files\ReadMe.txt

============= FINISH: 12:52:51.23 ===============

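The DDS log above is the kind of artifact a helper reads by eye: processes, the "Pseudo HJT" autostart entries, and services/drivers. As an added example (not part of the original thread, and not code from the DDS tool), here is a small Python triage pass over that log format. It flags the things a reviewer scans for first: an executable sitting directly in %WINDIR% rather than system32, a process running out of a user profile, a BHO/toolbar CLSID whose file is gone ("No File"), an unnamed Run value, EnableLUA switched off, and a service entry DDS lists with no image file ("[x]"). The sample input is a constructed excerpt of a dozen lines copied from the log above; the allow-lists (explorer.exe, Chrome's per-user install, the dds/OTL/gmer tools this thread uses) are assumptions chosen for this example. A hit is a "look at this", not a verdict: zHotkey.exe, for instance, is flagged only because of where it lives.

```python
import re
from collections import defaultdict

# Constructed sample: a dozen lines copied from the DDS log posted above, enough
# to exercise every heuristic. A real run would read the whole dds.txt instead.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.bRet\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [CHotkey] "zHotkey.exe"
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
S4 Netbise;Netbise; [x]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Process image living under a user profile (writable without admin rights).
USER_PROFILE_RE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\"
    r"(local settings|my documents|application data|appdata|desktop)\\", re.I)
# Executable sitting directly in %WINDIR% rather than in system32 or a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\([^\\]+\.(?:exe|scr|dll))$", re.I)
# Assumed allow-lists: Windows' own shell, Chrome's per-user install, and the
# diagnostic tools this thread asks the poster to run.
KNOWN_WINDIR_ROOT = {"explorer.exe"}
KNOWN_PER_USER_DIRS = ("\\google\\chrome\\", "\\google\\update\\")
KNOWN_TOOLS = {"dds.scr", "dds.com", "otl.exe", "gmer.exe"}


def split_sections(text):
    """Map each DDS section heading (e.g. 'Running Processes') to its non-blank lines."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        heading = SECTION_RE.match(line.strip())
        if heading:
            current = heading.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return (finding_kind, log_line) pairs worth a human's attention.

    Shortlist heuristics, not verdicts: a hit means 'look at this', and the
    legitimate entries are filtered only by the small allow-lists above.
    """
    sections = split_sections(text)
    findings = []

    for proc in sections.get("Running Processes", []):
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_TOOLS:
            continue
        if USER_PROFILE_RE.search(proc) and not any(
                d in proc.lower() for d in KNOWN_PER_USER_DIRS):
            findings.append(("process-in-user-profile", proc))
        m = WINDIR_ROOT_RE.match(proc)
        if m and m.group(1).lower() not in KNOWN_WINDIR_ROOT:
            findings.append(("exe-in-windows-root", proc))

    for entry in sections.get("Pseudo HJT Report", []):
        if entry.endswith("- No File"):             # BHO/toolbar CLSID whose DLL is gone
            findings.append(("orphaned-clsid", entry))
        if "[<NO NAME>]" in entry:                  # Run value with an empty name
            findings.append(("unnamed-run-value", entry))
        if re.search(r"EnableLUA\s*=\s*0", entry):  # UAC off: a no-op on XP, notable on Vista+
            findings.append(("uac-disabled", entry))

    for svc in sections.get("SERVICES / DRIVERS", []):
        if svc.endswith("[x]"):                     # DDS found no image file for the service
            findings.append(("service-without-binary", svc))

    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"{kind:24} {line}")
```

On the sample this returns five findings: the %WINDIR%-root zHotkey.exe, the orphaned toolbar CLSID, the unnamed mRun value, EnableLUA = 0, and the Netbise service with no file. Explorer.EXE, chrome.exe and dds.scr are dropped by the allow-lists, which is exactly the part a reviewer should tune to their own environment rather than trust blindly.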

#2 kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:34 PM

Posted 10 November 2009 - 07:49 AM

Hello BMcGee

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 BMcGee (Topic Starter)


  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:34 PM

Posted 10 November 2009 - 08:42 PM

Okay here it is. Thank you by the way for your help!!

OTL logfile created on: 11/10/2009 5:38:12 PM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Owner.bRet\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.42 Mb Total Physical Memory | 410.16 Mb Available Physical Memory | 45.86% Memory free
2.11 Gb Paging File | 1.65 Gb Available in Paging File | 78.01% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 182.19 Gb Total Space | 74.05 Gb Free Space | 40.64% Space Free | Partition Type: NTFS
Drive D: | 4.11 Gb Total Space | 1.38 Gb Free Space | 33.72% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 931.51 Gb Total Space | 351.05 Gb Free Space | 37.69% Space Free | Partition Type: NTFS

Computer Name: BRET
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner.bRet\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe (Webroot Software, Inc. )
PRC - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
PRC - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
PRC - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
PRC - C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe ()
PRC - C:\WINDOWS\ehome\ehrecvr.exe (Microsoft Corporation)
PRC - C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\ehSched.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
PRC - C:\WINDOWS\zHotkey.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner.bRet\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (WRConsumerService) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe (Webroot Software, Inc. )
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WebrootSpySweeperService) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
SRV - (gupdate1c9beb6b8c78f82) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe ()
SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (getPlus® -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (NOS Microsystems Ltd.)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (NBService) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (NMIndexingService) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (InCDsrv) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (ehRecvr) -- C:\WINDOWS\ehome\ehrecvr.exe (Microsoft Corporation)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ehSched) -- C:\WINDOWS\ehome\ehSched.exe (Microsoft Corporation)
SRV - (McrdSvc) -- C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
SRV - (UMWdf) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (ssidrv) -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (sshrmd) -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (ssfs0bbc) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (ASCTRM) -- C:\WINDOWS\system32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (Cdralw2k) -- C:\WINDOWS\system32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (Cdr4_xp) -- C:\WINDOWS\system32\drivers\cdr4_xp.sys (Sonic Solutions)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDRm.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDPass.sys (Nero AG)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Nero AG)
DRV - (samhid) -- C:\WINDOWS\system32\drivers\Samhid.sys ()
DRV - (iaStor) -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS (Intel Corporation)
DRV - (W8335XP) -- C:\WINDOWS\system32\drivers\WG311v3XP.sys (Marvell Semiconductor, Inc)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows ® Server 2003 DDK provider)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (mxnic) -- C:\WINDOWS\system32\drivers\mxnic.sys (Macronix International Co., Ltd. )


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT4022

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/18 02:10:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/08 18:33:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/07 12:10:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/09 19:01:44 | 00,000,000 | ---D | M]

[2009/10/19 10:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Mozilla\Extensions
[2009/10/19 10:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/10 10:07:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Mozilla\Firefox\Profiles\c78l6m91.default\extensions
[2009/10/20 07:24:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Mozilla\Firefox\Profiles\c78l6m91.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/10 10:07:55 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/07 12:10:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/09 19:01:49 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2009/11/07 12:10:13 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/07 12:10:13 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/10/11 04:17:27 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/11/07 12:10:17 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/08/24 10:45:46 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 10:45:46 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/24 10:45:46 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 10:45:46 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 10:45:46 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 10:45:46 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 10:45:46 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\4.0.223.9\npchrome_tab.dll (@COMPANY_FULLNAME@)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] File not found
O4 - HKLM..\Run: [Reminder] File not found
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab (SupportSoft Script Runner Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1254075097109 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\4.0.223.9\npchrome_tab.dll (@COMPANY_FULLNAME@)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (MrvGINA.dll) - C:\WINDOWS\System32\MrvGINA.dll (Marvell®)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (ecurity) - File not found
O30 - LSA: Security Packages - (Packages) - File not found
O30 - LSA: Security Packages - (settings...) - File not found
O30 - LSA: Security Packages - (ys) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/09 17:13:09 | 00,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 00,000,053 | ---- | M] () - D:\autorun.inf.vir -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/10 17:32:34 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.bRet\Desktop\OTL.exe
[2009/11/09 19:01:43 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/09 19:01:43 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/09 19:01:43 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/05 17:15:05 | 00,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2009/11/05 17:05:02 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2009/11/05 17:05:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.bRet\My Documents\Simply Super Software
[2009/11/05 17:04:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.bRet\Application Data\Simply Super Software
[2009/11/05 17:04:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2009/10/19 10:07:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\Mozilla
[2009/10/19 10:07:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.bRet\Application Data\Mozilla
[2009/10/19 10:07:00 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/10/17 18:04:18 | 00,215,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\muweb.dll
[2009/10/17 18:04:17 | 00,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2009/10/17 18:04:15 | 00,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2009/10/17 14:48:40 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/10/17 14:43:38 | 00,100,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/10 17:32:34 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.bRet\Desktop\OTL.exe
[2009/11/10 16:57:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/11/10 16:57:00 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/11/10 16:52:01 | 00,000,988 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3161455560-1849787054-2812868008-1006UA.job
[2009/11/10 14:41:17 | 00,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/10 14:41:17 | 00,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/10 14:41:15 | 00,525,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/10 14:40:23 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/11/10 14:40:07 | 00,030,277 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/10 14:39:03 | 10,935,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/10 14:36:51 | 00,023,015 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/11/10 14:36:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/10 14:36:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/10 14:34:53 | 07,077,888 | -H-- | M] () -- C:\Documents and Settings\Owner.bRet\NTUSER.DAT
[2009/11/10 14:34:53 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner.bRet\ntuser.ini
[2009/11/10 14:28:12 | 00,000,598 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/10 14:02:48 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\PUTTY.RND
[2009/11/10 12:52:06 | 00,000,936 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3161455560-1849787054-2812868008-1006Core.job
[2009/11/09 22:25:41 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/09 22:25:40 | 00,055,808 | ---- | M] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/05 17:15:11 | 00,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2009/11/05 16:08:58 | 00,000,164 | ---- | M] () -- C:\WINDOWS\install.dat
[2009/11/05 10:16:05 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/05 09:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/05 08:50:42 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/02 12:47:00 | 00,370,052 | ---- | M] () -- C:\Documents and Settings\Owner.bRet\Desktop\DELUSION.ttf
[2009/11/01 00:00:00 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/10/22 01:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/10/22 01:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/10/17 15:26:59 | 01,045,654 | -H-- | M] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\IconCache.db
[2009/10/17 15:26:54 | 00,002,560 | ---- | M] () -- C:\WINDOWS\_MSRSTRT.EXE
[2009/10/13 11:36:35 | 00,001,028 | ---- | M] () -- C:\Documents and Settings\Owner.bRet\Application Data\WavCodec.wff
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/05 17:15:11 | 00,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2009/11/05 17:05:02 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/11/05 17:05:02 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/11/05 17:05:02 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/11/05 17:05:01 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2009/11/02 12:47:00 | 00,370,052 | ---- | C] () -- C:\Documents and Settings\Owner.bRet\Desktop\DELUSION.ttf
[2009/10/17 19:03:19 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/10/17 15:26:59 | 01,045,654 | -H-- | C] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\IconCache.db
[2009/10/17 15:26:54 | 00,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2009/10/03 23:11:03 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\PUTTY.RND
[2009/07/20 14:47:58 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2009/07/20 14:47:57 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\TrackerNET.dll
[2009/07/20 11:02:32 | 00,000,069 | ---- | C] () -- C:\WINDOWS\PingTool.INI
[2009/07/20 08:02:30 | 00,000,056 | ---- | C] () -- C:\WINDOWS\sierra.ini
[2009/07/15 18:13:33 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/15 17:50:09 | 00,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/07/06 19:41:33 | 00,002,554 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2009/05/03 14:49:20 | 00,001,422 | ---- | C] () -- C:\Program Files\ReadMe.txt
[2009/04/21 17:26:56 | 00,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/04/19 15:10:26 | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\sam.ini
[2009/04/18 11:58:26 | 00,007,548 | ---- | C] () -- C:\WINDOWS\System32\drivers\Samhid.sys
[2009/04/18 11:58:22 | 00,487,424 | ---- | C] () -- C:\WINDOWS\System32\FDRpage.dll
[2009/04/14 16:11:27 | 00,001,028 | ---- | C] () -- C:\Documents and Settings\Owner.bRet\Application Data\WavCodec.wff
[2009/04/08 14:58:29 | 00,000,094 | ---- | C] () -- C:\WINDOWS\MusicRip.ini
[2009/04/03 17:03:23 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/04/03 16:39:37 | 00,055,808 | ---- | C] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/03 16:35:53 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner.bRet\Application Data\desktop.ini
[2009/04/03 16:35:52 | 00,013,104 | ---- | C] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/04/03 16:31:12 | 00,000,133 | ---- | C] () -- C:\Documents and Settings\Owner.bRet\Local Settings\Application Data\fusioncache.dat
[2009/04/03 15:49:58 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
[2009/04/03 15:44:07 | 00,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2009/04/03 15:44:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2009/04/03 15:44:07 | 00,011,776 | ---- | C] () -- C:\WINDOWS\HIDMNT.dll
[2009/04/03 15:35:35 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/05/11 11:14:33 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/05/11 11:14:33 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/05/11 11:14:31 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/05/11 11:14:29 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/05/11 11:14:29 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/05/11 11:14:29 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/05/11 11:14:25 | 00,046,080 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/08/05 21:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/01/12 09:38:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/09 15:49:16 | 00,001,270 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/01/09 15:49:16 | 00,000,514 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/01/09 15:48:33 | 00,000,598 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/01/09 15:48:30 | 00,000,322 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/01/09 09:00:14 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/05/06 21:09:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AcrobatInstall
[2009/04/03 22:13:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/07/10 10:07:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CopyPod
[2009/07/15 18:03:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2009/04/03 17:01:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/07/23 09:30:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/11/05 17:04:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2009/11/05 18:01:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/03 15:46:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/04/03 17:21:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/04/22 19:16:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/09/09 12:42:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Alien Skin
[2009/11/09 22:52:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Azureus
[2009/07/15 18:01:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\DAEMON Tools Pro
[2009/11/10 14:04:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\FileZilla
[2009/07/08 09:25:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Movie Label
[2009/04/14 16:08:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\NCH Swift Sound
[2009/04/03 15:51:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\SampleView
[2009/11/05 17:15:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.bRet\Application Data\Simply Super Software
[2004/08/10 11:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/03 19:27:37 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/11/01 00:00:00 | 00,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/11/10 14:36:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:774432BA
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:60932BF0
< End of report >

#4 BMcGee (Topic Starter)

Posted 10 November 2009 - 08:48 PM

Sorry, here are the other two.

Extras.txt

OTL Extras logfile created on: 11/10/2009 5:38:12 PM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Owner.bRet\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.42 Mb Total Physical Memory | 410.16 Mb Available Physical Memory | 45.86% Memory free
2.11 Gb Paging File | 1.65 Gb Available in Paging File | 78.01% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 182.19 Gb Total Space | 74.05 Gb Free Space | 40.64% Space Free | Partition Type: NTFS
Drive D: | 4.11 Gb Total Space | 1.38 Gb Free Space | 33.72% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 931.51 Gb Total Space | 351.05 Gb Free Space | 37.69% Space Free | Partition Type: NTFS

Computer Name: BRET
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- File not found
"C:\Program Files\Common Files\AOL\1238802372\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1238802372\EE\AOLServiceHost.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1" = Spy Sweeper
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{42082D6A-7C60-4CD9-B6FC-81E6F1FA96EF}" = Theme Park World Fix
"{495B6040-801F-474C-ADB8-309F132CF5F9}" = iPhoneBrowser
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{70014586-7BBA-4A92-A610-CDC896C48F8F}" = NETGEAR WG311v3 PCI Adapter
"{703C4409-D597-433A-9B17-E411D9236451}" = Button Manager v1.874
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_EXCELR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_EXCELR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_WebDesigner_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_EXCELR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_WebDesigner_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_EXCELR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_WebDesigner_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0026-0000-0000-0000000FF1CE}" = Microsoft Expression Web
"{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{9037FDA8-8383-4B6F-859D-D49C3C625225}" = Microsoft Expression Web Service Pack 1 (SP1)
"{90120000-0026-0409-0000-0000000FF1CE}" = Microsoft Expression Web MUI (English)
"{90120000-0026-0409-0000-0000000FF1CE}_WebDesigner_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_EXCELR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_WebDesigner_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_EXCELR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_WebDesigner_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0016-0000-0000-0000000FF1CE}" = Microsoft Office Excel 2007
"{91120000-0016-0000-0000-0000000FF1CE}_EXCELR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0016-0000-0000-0000000FF1CE}_EXCELR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{d025a639-b9c9-417d-8531-208859000af8}" = NeroBurningROM
"{EF6F70D0-C242-4047-946B-98EA8208481A}" = ArcSoft TotalMedia Backup & Record
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
"CopyPod" = CopyPod (remove only)
"Counter-Strike 1.6" = Counter-Strike 1.6
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EXCELR" = Microsoft Office Excel 2007
"Exposure 2" = Alien Skin Exposure 2
"ExpressBurn" = Express Burn
"ExpressRip" = Express Rip
"Eye Candy 4000" = Eye Candy 4000
"EyeCandy5Impact" = Alien Skin Eye Candy 5 Impact
"EyeCandy5Nature" = Alien Skin Eye Candy 5 Nature
"EyeCandy5Textures" = Alien Skin Eye Candy 5 Textures
"FileZilla Client" = FileZilla Client 3.2.7.1
"Google Chrome Frame" = Google Chrome Frame
"gtw_logo" = gtw_logo
"Half-Life" = Half-Life
"Half-Life 1.1.1.2 Retail Update_is1" = Half-Life 1.1.1.2 Retail Update
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"InstallShield_{70014586-7BBA-4A92-A610-CDC896C48F8F}" = NETGEAR WG311v3 PCI Adapter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSC" = McAfee SecurityCenter
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Philips Retractable PC Controller" = Philips Retractable PC Controller
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"RealPlayer 6.0" = RealPlayer Basic
"SimCity2000CDv1" = SimCity 2000® Special Edition
"Snap Art" = Alien Skin Snap Art
"Theme Park World" = SimTheme Park
"ToneGen" = NCH Tone Generator
"Trojan Remover_is1" = Trojan Remover 6.8.1
"ViewpointMediaPlayer" = Viewpoint Media Player
"Vuze" = Vuze
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebDesigner" = Microsoft Expression Web
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"Xenofex2" = Alien Skin Xenofex 2

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/1/2009 1:57:16 PM | Computer Name = BRET | Source = Google Update | ID = 20
Description =

Error - 11/3/2009 3:41:31 AM | Computer Name = BRET | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
npswf32.dll, version 10.0.32.18, fault address 0x00144dae.

Error - 11/5/2009 4:22:34 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application HijackThis.exe, version 2.0.0.2, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2009 8:08:06 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application SpySweeperRegSetup_EN.tmp, version 51.49.0.0,
hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2009 8:09:15 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application SpySweeperRegSetup_EN.tmp, version 51.49.0.0,
hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2009 9:23:29 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application trupd.exe, version 1.3.5.1091, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/6/2009 4:18:28 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 1:55:23 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.41.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 1:56:04 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.41.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 1:56:43 PM | Computer Name = BRET | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.41.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/6/2009 3:21:31 AM | Computer Name = BRET | Source = ssidrv | ID = 131098
Description = Failed to set monitor event rule.

Error - 11/7/2009 1:53:09 PM | Computer Name = BRET | Source = ssidrv | ID = 131098
Description = Failed to set monitor event rule.

Error - 11/7/2009 7:38:05 PM | Computer Name = BRET | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.4 for the Network Card with network
address 00223FDAEF4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/7/2009 7:45:21 PM | Computer Name = BRET | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.2
with the system having network hardware address 04:1E:64:5E:1B:83. Network operations
on this system may be disrupted as a result.

Error - 11/7/2009 9:57:55 PM | Computer Name = BRET | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 00223FDAEF4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/9/2009 10:54:43 PM | Computer Name = BRET | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 11/10/2009 2:51:53 AM | Computer Name = BRET | Source = ssidrv | ID = 131098
Description = Failed to set monitor event rule.

Error - 11/10/2009 6:28:20 PM | Computer Name = BRET | Source = Print | ID = 22
Description = Failed to ugrade printer settings for printer Microsoft Office Document
Image Writer,0 driver Microsoft Office Document Image Writer Driver error 1801.

Error - 11/10/2009 6:34:34 PM | Computer Name = BRET | Source = ssidrv | ID = 131098
Description = Failed to set monitor event rule.

Error - 11/10/2009 9:35:56 PM | Computer Name = BRET | Source = ssidrv | ID = 131098
Description = Failed to set monitor event rule.


< End of report >

#5 BMcGee (Topic Starter)

Posted 11 November 2009 - 02:11 AM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-10 23:06:05
Windows 5.1.2600 Service Pack 3
Running: 4hdfe3xo.exe; Driver: C:\DOCUME~1\OWNER~1.BRE\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT 853DE680 ZwAllocateVirtualMemory
SSDT 853A6BF8 ZwCreateKey
SSDT 85352AD0 ZwCreateProcess
SSDT 85275FA8 ZwCreateProcessEx
SSDT 853A5208 ZwCreateThread
SSDT 8535CAD0 ZwDeleteKey
SSDT 8534AED0 ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF736BFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF736C340]
SSDT sptd.sys ZwOpenKey [0xF73660B0]
SSDT sptd.sys ZwQueryKey [0xF736C418]
SSDT sptd.sys ZwQueryValueKey [0xF736C298]
SSDT 853DD100 ZwQueueApcThread
SSDT 85356B20 ZwReadVirtualMemory
SSDT 85357AD0 ZwRenameKey
SSDT 8518A1A0 ZwSetContextThread
SSDT 853CDA80 ZwSetInformationKey
SSDT 853CFAC0 ZwSetInformationProcess
SSDT 853A61D8 ZwSetInformationThread
SSDT 8535DA80 ZwSetValueKey
SSDT 85348AC8 ZwSuspendProcess
SSDT 853A50D0 ZwSuspendThread
SSDT 853813C8 ZwTerminateProcess
SSDT 853A9020 ZwTerminateThread
SSDT 8535BB20 ZwWriteVirtualMemory

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF226A788]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF226A7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF226A710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF226A724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF226A79C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF226A7DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF226A7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F5BD58AC 5 Bytes JMP 851FF770
? System32\Drivers\a4siukfe.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F8D
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40078
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B4005B
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40F9E
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40FC3
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400BA
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B400A9
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F57
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400FA
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B4010B
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40040
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F7C
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B4002F
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40014
.text C:\WINDOWS\system32\svchost.exe[200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B400D5
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30040
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30F97
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30025
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30FA8
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B30FB9
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D3, 88]
.text C:\WINDOWS\system32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30FCA
.text C:\WINDOWS\system32\svchost.exe[200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B2002A
.text C:\WINDOWS\system32\svchost.exe[200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20F9F
.text C:\WINDOWS\system32\svchost.exe[200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20FC1
.text C:\WINDOWS\system32\svchost.exe[200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20FE3
.text C:\WINDOWS\system32\svchost.exe[200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FB0
.text C:\WINDOWS\system32\svchost.exe[200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FD2
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD00AE
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD0093
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD0078
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD0FAF
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD0FDB
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD0F6D
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD00BF
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD00FF
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD00E4
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AD011A
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AD0FCA
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AD001B
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AD0F9E
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AD0047
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AD0036
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AD0F5C
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC0036
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0073
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0058
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AC0FB6
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CC, 88]
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0047
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0053
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FBE
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB001D
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB002E
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB000C
.text C:\WINDOWS\system32\svchost.exe[500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090F90
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090085
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090FAB
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090FBC
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0109004A
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010900CE
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010900B1
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090F50
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010900E9
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01090F3F
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01090FCD
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01090014
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01090096
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01090FDE
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01090025
.text C:\WINDOWS\system32\services.exe[644] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01090F6B
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0108002F
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01080FA8
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01080FDE
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0108000A
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01080065
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01080FEF
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0108004A
.text C:\WINDOWS\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01080FCD
.text C:\WINDOWS\system32\services.exe[644] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01070F86
.text C:\WINDOWS\system32\services.exe[644] msvcrt.dll!system 77C293C7 5 Bytes JMP 01070F97
.text C:\WINDOWS\system32\services.exe[644] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01070FD7
.text C:\WINDOWS\system32\services.exe[644] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01070000
.text C:\WINDOWS\system32\services.exe[644] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01070FBC
.text C:\WINDOWS\system32\services.exe[644] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01070011
.text C:\WINDOWS\system32\services.exe[644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0059
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F64
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F75
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F86
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0085
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F3D
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00BB
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F22
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F07
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0F97
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0074
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00A0
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0F9A
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FAB
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FBC
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\lsass.exe[680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0062
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0051
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0F77
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0036
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA009A
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA007D
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00D0
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA0F37
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0F1C
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0F94
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FDE
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0F5C
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0025
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0014
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00B5
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FC0
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A9004A
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90F9E
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FAF
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FA6
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FB7
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8001D
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A8000C
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A80FC8
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50FBB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C500B0
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C5009F
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C5008E
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50058
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500E6
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50F9E
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50101
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F68
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50F4D
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50073
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C500CB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C5003D
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C5002C
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F83
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FB9
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C40054
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FDE
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40F8D
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C40FA8
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E4, 88] {IN AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40025
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30031
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FA6
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FD2
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FB7
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3000C
.text C:\WINDOWS\system32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 028E000A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 028E0F99
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 028E0084
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 028E0073
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 028E0FB6
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 028E0047
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028E00D0
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028E0F88
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 028E0117
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 028E00FC
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 028E0F63
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 028E0058
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 028E001B
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 028E00B3
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 028E0036
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 028E0FDB
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 028E00EB
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 028D0036
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 028D0FA5
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 028D0025
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 028D000A
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 028D0FC0
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 028D0FEF
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 028D0062
.text C:\WINDOWS\System32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 028D0047
.text C:\WINDOWS\System32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 028C0FA8
.text C:\WINDOWS\System32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 028C003D
.text C:\WINDOWS\System32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 028C0022
.text C:\WINDOWS\System32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 028C0000
.text C:\WINDOWS\System32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 028C0FC3
.text C:\WINDOWS\System32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 028C0011
.text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 028B0000
.text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01ED0FEF
.text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01ED0FDE
.text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01ED0014
.text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01ED002F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0078000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780F83
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F94
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780062
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780047
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780FAF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F4B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780F5C
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007800C2
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F29
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007800D3
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780036
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780093
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FCA
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00780F3A
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770062
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00770FDE
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770051
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00770036
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770FA5
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760FAF
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760FCA
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760033
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0076000C
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760044
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0067
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C004C
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F72
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F83
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0098
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F46
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0EFF
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C0F1A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C00B3
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C001B
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F57
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FAF
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F35
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0022
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0062
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0011
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0047
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0FA5
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FC0
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FAD
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FC8
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A002E
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FD9
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F5C
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0051
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F0B
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F26
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0EE6
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB007F
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0ED5
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F37
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB006E
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093007D
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920042
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920031
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC1
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920016
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900022
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0090003D
.text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B006C
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F81
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F92
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B005B
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0025
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0093
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F1F
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00B8
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F0E
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B004A
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F5C
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F30
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F97
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290036
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FA8
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0053
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0038
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FD9
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\Explorer.EXE[2404] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[2404] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[2404] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FB9
.text C:\WINDOWS\Explorer.EXE[2404] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0014
.text C:\WINDOWS\Explorer.EXE[2404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0098
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0087
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FAD
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0076
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F61
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00B3
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00F0
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00D5
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0101
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0011
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F88
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FDB
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00C4
.text C:\WINDOWS\system32\wuauclt.exe[2748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2748] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0033
.text C:\WINDOWS\system32\wuauclt.exe[2748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\system32\wuauclt.exe[2748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[2748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0022
.text C:\WINDOWS\system32\wuauclt.exe[2748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F7C
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[2748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F6F
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0064
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A003D
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009F
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F4D
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D5
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F21
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A002C
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0011
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\system32\dllhost.exe[2936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00B0
.text C:\WINDOWS\system32\dllhost.exe[2936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F7F
.text C:\WINDOWS\system32\dllhost.exe[2936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290014
.text C:\WINDOWS\system32\dllhost.exe[2936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FB5
.text C:\WINDOWS\system32\dllhost.exe[2936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\dllhost.exe[2936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290F9A
.text C:\WINDOWS\system32\dllhost.exe[2936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FD2
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0062
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F9B
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FB6
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\system32\dllhost.exe[2936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A003D
.text C:\WINDOWS\system32\dllhost.exe[2936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7366AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7366C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7366B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7367748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F736761E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F737C29A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 85361B20
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 852FA5F8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 853461E8

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8462F1E8
Device \Driver\Tcpip \Device\Ip 84FEB198
Device \Driver\Tcpip \Device\Ip 85206508
Device \Driver\Tcpip \Device\Ip 8514E978
Device \Driver\Tcpip \Device\Ip 84EF6788
Device \Driver\Tcpip \Device\Ip 8504A0B0
Device \Driver\Tcpip \Device\Ip 853083D8

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 851FE790
Device \Driver\dmio \Device\DmControl\DmIoDaemon 853CF1E8
Device \Driver\dmio \Device\DmControl\DmConfig 853CF1E8
Device \Driver\dmio \Device\DmControl\DmPnP 853CF1E8
Device \Driver\dmio \Device\DmControl\DmInfo 853CF1E8
Device \Driver\usbehci \Device\USBPDO-1 85103790
Device \Driver\usbstor \Device\000000a0 84E83790
Device \Driver\Tcpip \Device\Tcp 84FEB198
Device \Driver\Tcpip \Device\Tcp 85206508
Device \Driver\Tcpip \Device\Tcp 8514E978
Device \Driver\Tcpip \Device\Tcp 84EF6788
Device \Driver\Tcpip \Device\Tcp 8504A0B0
Device \Driver\Tcpip \Device\Tcp 853083D8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbstor \Device\000000a1 84E83790
Device \Driver\Ftdisk \Device\HarddiskVolume1 853621E8
Device \Driver\usbstor \Device\000000a4 84E83790
Device \Driver\Ftdisk \Device\HarddiskVolume2 853621E8
Device \Driver\Cdrom \Device\CdRom0 85211790
Device \Driver\usbstor \Device\000000a5 84E83790
Device \Driver\Cdrom \Device\CdRom1 85211790
Device \Driver\Ftdisk \Device\HarddiskVolume3 853621E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7189B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7189B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7189B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7189B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F7189B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [F7189B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\usbstor \Device\000000a6 84E83790
Device \Driver\PCI_NTPNP6294 \Device\00000074 sptd.sys
Device \Driver\usbstor \Device\000000a7 84E83790
Device \Driver\usbstor \Device\000000a8 84E83790
Device \Driver\NetBT \Device\NetBt_Wins_Export 846421E8
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\NetBT \Device\NetbiosSmb 846421E8
Device \Driver\Tcpip \Device\Udp 84FEB198
Device \Driver\Tcpip \Device\Udp 85206508
Device \Driver\Tcpip \Device\Udp 8514E978
Device \Driver\Tcpip \Device\Udp 84EF6788
Device \Driver\Tcpip \Device\Udp 8504A0B0
Device \Driver\Tcpip \Device\Udp 853083D8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 84FEB198
Device \Driver\Tcpip \Device\RawIp 85206508
Device \Driver\Tcpip \Device\RawIp 8514E978
Device \Driver\Tcpip \Device\RawIp 84EF6788
Device \Driver\Tcpip \Device\RawIp 8504A0B0
Device \Driver\Tcpip \Device\RawIp 853083D8

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBFDO-0 851FE790
Device \Driver\usbehci \Device\USBFDO-1 85103790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 846351E8
Device \Driver\Tcpip \Device\IPMULTICAST 84FEB198
Device \Driver\Tcpip \Device\IPMULTICAST 85206508
Device \Driver\Tcpip \Device\IPMULTICAST 8514E978
Device \Driver\Tcpip \Device\IPMULTICAST 84EF6788
Device \Driver\Tcpip \Device\IPMULTICAST 8504A0B0
Device \Driver\Tcpip \Device\IPMULTICAST 853083D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 846351E8
Device \Driver\Ftdisk \Device\FtControl 853621E8
Device \Driver\a4siukfe \Device\Scsi\a4siukfe1 851D01E8
Device \Driver\a4siukfe \Device\Scsi\a4siukfe1Port4Path0Target0Lun0 851D01E8
Device \FileSystem\Fastfat \Fat 8462F1E8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 84F971E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCC 0xCC 0x08 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x77 0x31 0x57 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0x58 0x9D 0xE2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCC 0xCC 0x08 0x62 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x77 0x31 0x57 0xA2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0x58 0x9D 0xE2 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----

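The GMER ".text" section above lists inline hooks on kernel32, ADVAPI32, msvcrt, WININET and WS2_32 exports in several processes, each a short JMP into a low, unnamed address. The first thing a practitioner wants from such a dump is a per-process summary: which modules are hooked, which 64 KiB regions the JMPs land in, and whether the same region shows up in more than one process (one component mapped at the same base everywhere). The script below is an added example (editor's code, not GMER's and not part of the original post); the sample lines are a subset copied from the log, and the "two-piece JMP" lines such as `RegCreateKeyW + 3 ... [49, 88]` are handled as patch-only entries with no target.

```python
"""Summarise the user-mode ".text" hook lines from a GMER log.

Added example for this thread (editor's code, not GMER's and not from the
original post).  The sample lines are copied from the log above; grouping the
JMP targets into 64 KiB regions is the editor's own check.
"""
import re

# One GMER 1.0.15 user-mode hook line looks like either
#   .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
# or, for the remainder of a JMP that GMER reports in two pieces,
#   .text <image>[<pid>] <module>!<export> + <off> <addr> <n> Bytes [<hex bytes>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<patch>[^\]]+)\])\s*$"
)

# Constructed sample: a subset of the hook lines posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\Explorer.EXE[2404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F1F
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[2404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[2404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\Explorer.EXE[2404] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[2404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\wuauclt.exe[2748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
"""

ALLOC_GRANULARITY = 0x10000  # user-mode allocations start on 64 KiB boundaries


def parse_hooks(text):
    """Return one dict per hook line; anything that is not a hook line is skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["nbytes"] = int(h["nbytes"])
        h["target"] = int(h["target"], 16) if h["target"] else None  # None for patch-only lines
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Per process: hooked modules, the 64 KiB regions the JMPs land in, and the
    number of patch-only lines (the '+ 3' tail of a split JMP carries no target)."""
    summary = {}
    for h in hooks:
        key = f'{h["image"]}[{h["pid"]}]'
        s = summary.setdefault(key, {"hooks": 0, "modules": set(), "regions": set(), "patch_only": 0})
        s["hooks"] += 1
        s["modules"].add(h["module"])
        if h["target"] is None:
            s["patch_only"] += 1
        else:
            s["regions"].add(h["target"] & ~(ALLOC_GRANULARITY - 1))
    return summary


def shared_regions(summary):
    """Regions hooked in more than one process: the same trampoline address in
    several processes points at one component mapped at the same base in each."""
    owners = {}
    for proc, s in summary.items():
        for region in s["regions"]:
            owners.setdefault(region, []).append(proc)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    summary = summarize(parse_hooks(SAMPLE_LOG))
    for proc, s in summary.items():
        regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"]))
        print(f"{proc}: {s['hooks']} hooks in {sorted(s['modules'])}; JMP regions {regions}")
    for region, procs in shared_regions(summary).items():
        print(f"region {region:08X} hooked in {len(procs)} processes")
```

The output alone does not say who placed the hooks; the log attributes them to no module. It does give you the list to compare against what the installed security products (the attached-device list names Webroot and McAfee filter drivers) are known to hook, which is the comparison a helper makes before calling a hook benign.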
#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 11 November 2009 - 05:07 AM

Hi, is the only issue that you have slow, erratic network connection speeds?
I see no malware in your logs.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#7 BMcGee

  • Topic Starter
  • Members
  • 9 posts

Posted 11 November 2009 - 01:47 PM

Yes, pretty much. It's like the internet connection just stops working for 60 seconds at a time. If I just keep hitting refresh every ten seconds or so, it will work again eventually. I have an iPhone that will be on the same home Wi-Fi network and work just fine at the same time this is happening. Downloads will stop and then start again also.

Any thoughts?

#8 BMcGee

  • Topic Starter
  • Members
  • 9 posts

Posted 11 November 2009 - 01:55 PM

I'll try to go to a website and it will say "waiting for www.example.com" and sometimes not load the page at all, then say "network connection timed out".

#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 12 November 2009 - 06:42 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#10 BMcGee

  • Topic Starter
  • Members
  • 9 posts

Posted 12 November 2009 - 06:46 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:42 on 12/11/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:43 04/04/2009] [19:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [00:50 04/04/2009] [08:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [15:12 22/03/2009] [08:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

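The SystemLook step above is a file-level integrity check: find every copy of atapi.sys and compare the hash of the live driver in system32\drivers against the service-pack reference copy. The script below is an added example (editor's code, not SystemLook's and not part of the thread) that parses the posted `:filefind` lines, groups them by MD5 and reports whether the live copy matches the reference; `hash_file()` recomputes MD5 and SHA-256 yourself, which is what you would run from an offline boot if a hash taken through the live driver stack is not to be trusted. The sample lines are copied from the log above; SystemLook's two bracketed timestamps are kept as ts1/ts2 because the log does not say which is created and which is modified.

```python
"""Parse SystemLook ":filefind" output and check every copy of a file against a
reference copy.

Added example for this thread; the parser and comparison are the editor's own,
not part of SystemLook.  The three sample lines are copied from the
SystemLook.txt posted above; hash_file() re-hashes files on a live or
offline-mounted system.
"""
import hashlib
import re
from collections import defaultdict

# SystemLook filefind line:
#   <path> <attrs> <size> bytes [<timestamp>] [<timestamp>] <MD5>
# Which bracketed timestamp is created and which is modified is not stated in
# the log, so they are kept as ts1/ts2 (assumption-free).
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: the filefind block from the SystemLook log above.
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:43 04/04/2009] [19:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [00:50 04/04/2009] [08:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [15:12 22/03/2009] [08:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""


def parse_filefind(text):
    """Return one dict per file line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].lower()
            entries.append(d)
    return entries


def group_by_md5(entries):
    """MD5 -> list of paths carrying that hash."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def compare_to_reference(entries, reference_marker="\\ServicePackFiles\\",
                         live_marker="\\system32\\drivers\\"):
    """Compare the live driver with the service-pack reference copy.

    The markers identify the two copies by path substring (case-insensitive);
    every other copy whose hash differs from the reference is listed too."""
    ref = [e for e in entries if reference_marker.lower() in e["path"].lower()]
    live = [e for e in entries if live_marker.lower() in e["path"].lower()]
    if len(ref) != 1 or len(live) != 1:
        raise ValueError("expected exactly one reference copy and one live copy")
    ref_md5, live_md5 = ref[0]["md5"], live[0]["md5"]
    differing = [e["path"] for e in entries if e["md5"] != ref_md5]
    return {
        "reference_md5": ref_md5,
        "live_md5": live_md5,
        "live_matches_reference": live_md5 == ref_md5,
        "differs_from_reference": differing,
    }


def hash_file(path, chunk_size=1 << 20):
    """MD5 and SHA-256 of a file on disk, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


if __name__ == "__main__":
    entries = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_md5(entries).items():
        print(md5, "->", paths)
    print(compare_to_reference(entries))
```

On the posted log the live driver and the ServicePackFiles copy share one hash and only the $NtServicePackUninstall$ copy (the pre-SP3 file) differs. That is the expected picture for a clean install, but it is only as trustworthy as the file-system and disk drivers the hash was read through; when a rootkit scanner has already flagged the disk driver's own dispatch routine, the hash worth trusting is the one taken with the machine booted from other media.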
#11 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 13 November 2009 - 08:35 AM

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button, then Submit.)

C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\drivers\atapi.sys

Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete; please copy and paste those results in your next post.

#12 BMcGee

  • Topic Starter
  • Members
  • 9 posts

Posted 13 November 2009 - 12:58 PM

File bbatapi.sys received on 2009.11.13 14:06:40 (UTC)
Current status: finished
Result: 1/36 (2.78%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.13 -
AhnLab-V3 5.0.0.2 2009.11.12 -
AntiVir 7.9.1.65 2009.11.13 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.13 -
Avast 4.8.1351.0 2009.11.13 -
BitDefender 7.2 2009.11.13 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.13 -
Comodo 2942 2009.11.13 -
DrWeb 5.0.0.12182 2009.11.13 -
eSafe 7.0.17.0 2009.11.12 Win32.Rootkit
eTrust-Vet 35.1.7119 2009.11.13 -
F-Prot 4.5.1.85 2009.11.12 -
Fortinet 3.120.0.0 2009.11.13 -
GData 19 2009.11.13 -
Ikarus T3.1.1.74.0 2009.11.13 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.894 2009.11.11 -
Kaspersky 7.0.0.125 2009.11.13 -
McAfee 5800 2009.11.12 -
McAfee+Artemis 5800 2009.11.12 -
Microsoft 1.5202 2009.11.13 -
NOD32 4603 2009.11.13 -
Norman 6.03.02 2009.11.13 -
nProtect 2009.1.8.0 2009.11.13 -
Panda 10.0.2.2 2009.11.13 -
Prevx 3.0 2009.11.13 -
Rising 22.21.04.09 2009.11.13 -
Sophos 4.47.0 2009.11.13 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.13 -
TheHacker 6.5.0.2.067 2009.11.12 -
TrendMicro 9.0.0.1003 2009.11.13 -
ViRobot 2009.11.13.2034 2009.11.13 -
VirusBuster 4.6.5.0 2009.11.12 -
Additional information
File size: 96512 bytes
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159F7
timedatestamp.....: 0x4802539D (Sun Apr 13 20:40:29 2008)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97BA 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9B80 0x18E8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xB480 0xA64 0xA80 4.31 8523651899e28819a14bf9415af25708
.data 0xBF00 0xD94 0xE00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xCD00 0x157F 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xE280 0x61DA 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22BE 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3E0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16B80 0xD20 0xD80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...f062c712cfa2674
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set
-----------------------------------------------------------------------------------------------------------------------------------------------------------

File 9D6081B280209DE174C2011395153C00E47C5A8D.sys received on 2009.11.13 14:07:31 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.13 -
AhnLab-V3 5.0.0.2 2009.11.12 -
AntiVir 7.9.1.65 2009.11.13 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.13 -
Avast 4.8.1351.0 2009.11.13 -
AVG 8.5.0.425 2009.11.13 -
BitDefender 7.2 2009.11.13 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.13 -
Comodo 2942 2009.11.13 -
DrWeb 5.0.0.12182 2009.11.13 -
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7119 2009.11.13 -
F-Prot 4.5.1.85 2009.11.12 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.13 -
GData 19 2009.11.13 -
Ikarus T3.1.1.74.0 2009.11.13 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.894 2009.11.11 -
Kaspersky 7.0.0.125 2009.11.13 -
McAfee 5800 2009.11.12 -
McAfee+Artemis 5800 2009.11.12 -
McAfee-GW-Edition 6.8.5 2009.11.13 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5202 2009.11.13 -
NOD32 4603 2009.11.13 -
Norman 6.03.02 2009.11.13 -
nProtect 2009.1.8.0 2009.11.13 -
Panda 10.0.2.2 2009.11.13 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.13 -
Rising 22.21.04.09 2009.11.13 -
Sophos 4.47.0 2009.11.13 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.13 -
TheHacker 6.5.0.2.067 2009.11.12 -
TrendMicro 9.0.0.1003 2009.11.13 -
VBA32 3.12.10.11 2009.11.13 -
ViRobot 2009.11.13.2034 2009.11.13 -
VirusBuster 4.6.5.0 2009.11.12 -
Additional information
File size: 95360 bytes
MD5 : cdfe4411a69c224bd1d11b2da92dac51
SHA1 : a42fbfeb5a4d94118b483d7f18113aa8c329a052
SHA256: 0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x155F7
timedatestamp.....: 0x41107B4D (Wed Aug 4 07:59:41 2004)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x9672 0x9680 6.45 70b67d65eb28dcccdcba61a31c4d40e2
NONPAGE 0x9A00 0x18E8 0x1900 6.48 5629c7db94fbcf0123c267ec52f0c942
.rdata 0xB300 0xA54 0xA80 4.37 569d2979d21f645730a1a59fd512d25c
.data 0xBD80 0xD94 0xE00 0.44 77b784be18c5257bf3b9c132a03019db
PAGESCAN 0xCB80 0x154F 0x1580 6.15 d1c7adb0c1e5491b58c485d62076561f
PAGE 0xE100 0x5F54 0x5F80 6.46 0951fe4f10eee3d01d5d5aab9a0472bc
INIT 0x14080 0x22A0 0x2300 6.48 4354ab341533bda39d4f4dc3548ef9bd
.rsrc 0x16380 0x3F0 0x400 3.40 0184b21986944fd39532f818b4c642ab
.reloc 0x16780 0xCF0 0xD00 6.46 ae8fd4a932f7899f6257876856210914

( 3 imports )

> hal.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, PoCallDriver, IoCreateDevice, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, KeCancelTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, RtlCopyUnicodeString, memmove, MmHighestUserAddress
> wmilib.sys: WmiSystemControl, WmiCompleteRequest

( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...1d11b2da92dac51
ssdeep: 1536:BVzXEOXUOyD8HT6OhAVJqNoQrPs2W7IDdXBoDZYkvR5TJWBwEsjG0cXFIQ0bbZPO:BVL/Eiz6OhrNoQzsnwBoDjR51hljrckO
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: ATAPI.SYS, atapi.sys
( Microsoft )

Disc 2438.5: atapi.sys
MSDN Disc 2428.4: atapi.sys
MSDN Disc 2428.5: atapi.sys
MSDN Disc 2428.8: atapi.sys
MSDN Disc 2438.7: atapi.sys
MSDN Disc 2438.8: atapi.sys
MSDN Disc 2439.6: atapi.sys
MSDN Disc 2439.7: atapi.sys
MSDN Disc 2439.8: atapi.sys
MSDN Disc 2440.3: atapi.sys
MSDN Disc 2440.4: atapi.sys
MSDN Disc 2440.5: atapi.sys
MSDN Disc 2441.5: atapi.sys
MSDN Disc 2441.6: atapi.sys
MSDN Disc 2441.7: atapi.sys
MSDN Disc 2442.4: atapi.sys
MSDN Disc 2442.6: atapi.sys
MSDN Disc 2443.2: atapi.sys
MSDN Disc 2443.4: atapi.sys
MSDN Disc 2444.3: atapi.sys
MSDN Disc 2444.3: atapi.sys
MSDN Disc 2444.4: atapi.sys
MSDN Disc 2444.6: atapi.sys
MSDN Disc 2455.6: atapi.sys
MSDN Disc 2464.5: atapi.sys
MSDN Disc 2465.4: atapi.sys
MSDN Disc 2465.5: atapi.sys
MSDN Disc 2466.2: atapi.sys
MSDN Disc 2466.4: atapi.sys
MSDN Disc 2476.2: atapi.sys
MSDN Disc 2476.4: atapi.sys
MSDN Disc 2477.2: atapi.sys
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: atapi.sys
Virtual PC for Mac Windows XP Home Edition: atapi.sys
Virtual PC for Mac Windows XP Professional Edition: atapi.sys
-----------------------------------------------------------------------------------------------------------------------------------------------------------

File atapi.sys received on 2009.11.13 17:50:16 (UTC)
Current status: finished
Result: 2/41 (4.88%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.10 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.10 -
Antiy-AVL 2.0.3.7 2009.11.10 -
Authentium 5.2.0.5 2009.11.10 -
Avast 4.8.1351.0 2009.11.10 -
AVG 8.5.0.423 2009.11.10 -
BitDefender 7.2 2009.11.10 -
CAT-QuickHeal 10.00 2009.11.10 -
ClamAV 0.94.1 2009.11.10 -
Comodo 2905 2009.11.10 -
DrWeb 5.0.0.12182 2009.11.10 -
eSafe 7.0.17.0 2009.11.10 Win32.Rootkit
eTrust-Vet 35.1.7113 2009.11.10 -
F-Prot 4.5.1.85 2009.11.10 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.10 -
GData 19 2009.11.10 -
Ikarus T3.1.1.74.0 2009.11.10 -
Jiangmin 11.0.800 2009.11.10 -
K7AntiVirus 7.10.892 2009.11.09 -
Kaspersky 7.0.0.125 2009.11.10 -
McAfee 5797 2009.11.09 -
McAfee+Artemis 5797 2009.11.09 -
McAfee-GW-Edition 6.8.5 2009.11.10 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5202 2009.11.10 -
NOD32 4592 2009.11.10 -
Norman 6.03.02 2009.11.09 -
nProtect 2009.1.8.0 2009.11.10 -
Panda 10.0.2.2 2009.11.09 -
PCTools 7.0.3.5 2009.11.10 -
Prevx 3.0 2009.11.13 -
Rising 22.21.01.09 2009.11.10 -
Sophos 4.47.0 2009.11.10 -
Sunbelt 3.2.1858.2 2009.11.10 -
Symantec 1.4.4.12 2009.11.10 -
TheHacker 6.5.0.2.064 2009.11.09 -
TrendMicro 9.0.0.1003 2009.11.10 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.10.2029 2009.11.10 -
VirusBuster 4.6.5.0 2009.11.09 -
Additional information
File size: 96512 bytes
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159F7
timedatestamp.....: 0x4802539D (Sun Apr 13 20:40:29 2008)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97BA 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9B80 0x18E8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xB480 0xA64 0xA80 4.31 8523651899e28819a14bf9415af25708
.data 0xBF00 0xD94 0xE00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xCD00 0x157F 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xE280 0x61DA 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22BE 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3E0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16B80 0xD20 0xD80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...f062c712cfa2674
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set
-

#13 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:34 PM

Posted 14 November 2009 - 06:12 AM

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#14 BMcGee

  • Topic Starter
  • Members
  • 9 posts
  • Local time:06:34 PM

Posted 14 November 2009 - 02:50 PM

ComboFix 09-11-14.03 - Owner 11/14/2009 11:12..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.489 [GMT -8:00]
Running from: c:\documents and settings\Owner.bRet\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\recycler\S-1-5-21-2628095795-950328730-2532298668-500

.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-11 01:50 . 2009-11-11 01:50 291328 ----a-w- C:\4hdfe3xo.exe
2009-11-10 03:00 . 2009-11-10 03:00 152576 ----a-w- c:\documents and settings\Owner.bRet\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-06 01:57 . 2009-09-21 23:59 3101560 ----a-w- c:\documents and settings\Owner.bRet\Application Data\Simply Super Software\Trojan Remover\ycg14.exe
2009-11-06 01:15 . 2009-11-06 01:15 -------- d-----w- c:\program files\Trojan Remover
2009-11-06 01:05 . 2006-06-19 21:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-06 01:05 . 2006-05-25 23:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-06 01:05 . 2005-08-26 09:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-06 01:05 . 2002-03-06 09:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-06 01:05 . 2003-02-03 04:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-11-06 01:04 . 2009-11-06 01:15 -------- d-----w- c:\documents and settings\Owner.bRet\Application Data\Simply Super Software
2009-11-06 01:04 . 2009-11-06 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-19 18:07 . 2009-10-19 18:07 -------- d-----w- c:\documents and settings\Owner.bRet\Local Settings\Application Data\Mozilla
2009-10-18 02:04 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-18 02:04 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-17 23:26 . 2009-10-17 23:26 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-10-17 22:54 . 2009-10-17 22:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-17 22:48 . 2009-10-17 22:49 -------- dc-h--w- c:\windows\ie8
2009-10-17 22:43 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 03:54 . 2009-10-02 17:27 -------- d-----w- c:\documents and settings\Owner.bRet\Application Data\FileZilla
2009-11-14 01:30 . 2005-01-10 01:26 197464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-13 19:05 . 2009-04-04 06:12 -------- d-----w- c:\documents and settings\Owner.bRet\Application Data\Azureus
2009-11-10 22:24 . 2009-09-30 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 03:01 . 2009-04-03 23:40 -------- d-----w- c:\program files\Java
2009-11-07 17:54 . 2009-04-05 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 17:52 . 2009-06-23 17:15 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-06 02:01 . 2009-07-08 17:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-06 00:08 . 2009-04-04 03:32 164 ----a-w- c:\windows\install.dat
2009-10-31 19:01 . 2009-09-30 16:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-22 20:32 . 2009-04-03 23:52 -------- d-----w- c:\program files\McAfee
2009-10-17 23:28 . 2009-04-20 20:10 -------- d-----w- c:\program files\AlienGUIse
2009-10-11 12:17 . 2009-04-09 02:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 01:40 . 2009-08-03 17:51 -------- d-----w- c:\program files\iFunbox
2009-10-02 17:27 . 2009-10-02 17:26 -------- d-----w- c:\program files\FileZilla FTP Client
2009-09-30 16:24 . 2009-09-30 16:24 -------- d-----w- c:\program files\Total Training
2009-09-30 16:18 . 2009-09-30 16:18 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-09-30 16:18 . 2009-09-30 16:14 -------- d-----w- c:\program files\Microsoft Expression
2009-09-28 16:59 . 2009-04-03 23:34 -------- d-----w- c:\program files\Google
2009-09-27 19:07 . 2009-09-27 19:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-09-27 19:07 . 2009-09-27 19:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-27 18:58 . 2009-09-27 18:58 -------- d-----w- c:\program files\MSBuild
2009-09-27 18:58 . 2009-09-27 18:58 -------- d-----w- c:\program files\Reference Assemblies
2009-09-27 18:50 . 2009-09-27 18:50 -------- d-----w- c:\program files\MSXML 4.0
2009-09-17 16:48 . 2009-04-03 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-16 17:22 . 2009-04-04 03:27 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2009-04-04 03:27 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2009-04-04 03:27 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2009-04-04 03:27 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2009-04-04 03:27 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2009-03-22 15:15 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-04-05 17:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-04-05 17:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2009-03-22 15:15 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2009-03-22 15:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2009-03-22 15:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 07:33 . 2009-08-18 07:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2005-05-26 21:35 . 2009-05-03 22:49 1422 ----a-w- c:\program files\ReadMe.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner.bRet\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-5-6 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2009-5-6 738968]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-4-3 113664]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-1-26 1486848]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-5-2 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 3:24 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/3/2009 7:34 PM 1205760]
S2 gupdate1c9beb6b8c78f82;Google Update Service (gupdate1c9beb6b8c78f82);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 9:13 AM 133104]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [4/18/2009 11:58 AM 7548]
S4 Netbise;Netbise; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 17:13]

2009-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 17:13]

2009-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3161455560-1849787054-2812868008-1006Core.job
- c:\documents and settings\Owner.bRet\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-20 21:43]

2009-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3161455560-1849787054-2812868008-1006UA.job
- c:\documents and settings\Owner.bRet\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-20 21:43]

2009-04-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-04 19:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-04 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4022
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\Google\Chrome Frame\Application\4.0.223.9\npchrome_tab.dll
FF - ProfilePath - c:\documents and settings\Owner.bRet\Application Data\Mozilla\Firefox\Profiles\c78l6m91.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Owner.bRet\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x853828AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x853ce1e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !
Use "Recovery Console" command "fixmbr" to clear infection !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF7189B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF7189B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF7189B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF7189B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF7189B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF7189B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3161455560-1849787054-2812868008-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\MrvGINA.dll
.
Completion time: 2009-11-14 11:26
ComboFix-quarantined-files.txt 2009-11-14 19:25

Pre-Run: 79,400,042,496 bytes free
Post-Run: 83,465,568,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - F855AAD8970BA3AB356F69A3DE3B494D

#15 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:34 PM

Posted 14 November 2009 - 04:20 PM

Hmm, I really see no infection in your logs.
I recommend going to this forum and posting a new topic there:
You can find the forum here > http://www.bleepingcomputer.com/forums/f/21/networking/
=============
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
===================

Delete\uninstall anything else that we have used that is leftover.

=====================================
The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...