
adware.agent.ZO and Security Center adware


  • This topic is locked
37 replies to this topic

#1 Dalilama (Members, 22 posts)

Posted 24 November 2009 - 03:43 PM

Hi, recently I got dinged with a nasty little virus, or set of them, that hijacks the browser when following links and redirects them to other sites. Originally, it ran a bogus 'Security Center' app that gave constant pop-ups claiming infections, and caused a few BSOD crashes, but I think I got them disabled during an early cleanup attempt.

I have tried many different techniques and solutions to cleaning the computer, but something keeps coming back, so obviously not getting the job done myself. Have had McAfee's Security Center running the whole time, but malware got through its defenses and it never completes a full scan, while showing no infections in a quick scan.

Previously I have run Spyware Doctor 6, which detects several low to medium level threats and cleans them or quarantines them, but apparently not entirely effectively. I have tried Malwarebytes Anti-Malware, but no luck there. The only solution that seems to help is to do a system restore to about 4 days back. This keeps the computer running pretty well, with no crashes, but I still get the browser redirects and don't feel safe as a result. As a result of the restore(s), SD6 and MWBAM are not installed any longer and I wonder if they might contribute to the problems.

I've got the DDS report here and attached the 'attach' report and HiJackThis log as well. Trying to get a RootRepeal report to share, but after 45 mins and running at 1.2GB of Ram with only about 25 lines showing under the file tab, I don't think it's working right. Sticks at the Windows/winsxs/Catalogs/x86_microsoft.vc80.crt...(etc) line forever. I'll keep trying for a followup post.

Could use some smart solutions and figure this is the place to get them. Thanks for any help in advance.

DDS report:

DDS (Ver_09-11-24.02) - NTFSx86
Run by mdali at 14:47:11.42 on Tue 11/24/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.520 [GMT -5:00]

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIAgent.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\mobsync.exe
C:\Users\mdali\Downloads\Computer downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\mdali\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [DisplayFusion] "c:\program files\displayfusion\DisplayFusion.exe"
uRun: [GFI Backup 2009 - Home Edition] "c:\progra~1\gfi\gfibac~1\GFIAgent.exe"
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [<NO NAME>]
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [braviax] c:\windows\system32\braviax.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: interpublic.com\mail
Trusted Zone: mcafee.com
DPF: Photobucket Publisher - hxxp://pic.photobucket.com/plugins/csve/photobucket_publisher.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/vista/prog/CLVistaGenie.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.teamdetroit.com/dwa7W.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: credssp.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mdali\appdata\roaming\mozilla\firefox\profiles\5h1fdi1t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\users\mdali\appdata\roaming\mozilla\firefox\profiles\5h1fdi1t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npphbkpublish2.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\mdali\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\mdali\appdata\local\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2009-7-5 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2009-7-5 1238824]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-16 210216]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S2 0275071258036288mcinstcleanup;McAfee Application Installer Cleanup (0275071258036288);c:\windows\temp\027507~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\027507~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9a43bf3d0f2e0;Google Update Service (gupdate1c9a43bf3d0f2e0);c:\program files\google\update\GoogleUpdate.exe [2009-3-13 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-11 21504]

=============== Created Last 30 ================

2009-11-24 19:30:52 0 d-----w- c:\program files\Trend Micro
2009-11-24 18:45:29 0 d-----w- c:\users\mdali\appdata\roaming\McAfee
2009-11-23 02:46:25 0 d-----w- c:\users\mdali\appdata\roaming\Malwarebytes
2009-11-23 02:46:10 0 d-----w- c:\programdata\Malwarebytes
2009-11-23 02:46:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-21 18:12:12 0 d-----w- c:\program files\common files\PC Tools
2009-11-21 18:11:52 0 d-----w- c:\programdata\PC Tools
2009-11-21 18:11:51 0 d-----w- c:\users\mdali\appdata\roaming\PC Tools
2009-11-21 18:11:51 0 d-----w- c:\program files\Spyware Doctor
2009-11-20 19:32:49 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-20 19:32:07 0 d-----w- c:\program files\Lavasoft(83)
2009-11-20 18:53:50 0 d---a-w- c:\programdata\TEMP
2009-11-11 06:38:20 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 06:38:12 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 17:01:32 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-30 15:49:23 0 d-----w- c:\programdata\3DVIA
2009-10-30 15:49:15 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-10-30 15:49:14 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-10-29 03:34:08 0 d-----w- c:\program files\Windows Portable Devices
2009-10-29 03:33:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-29 03:31:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 00:49:18 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-29 00:49:15 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-29 00:49:15 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-29 00:47:25 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-29 00:44:54 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-29 00:44:52 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-29 00:44:52 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-27 22:06:31 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 22:06:25 8147456 ----a-w- c:\windows\system32\wmploc.DLL

==================== Find3M ====================

2009-11-23 05:30:47 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-23 04:40:32 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-29 03:33:39 86016 ----a-w- c:\windows\inf\infpub.dat
2009-10-29 03:33:38 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-29 03:33:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-29 03:33:36 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-26 23:23:44 80689 ----a-w- c:\users\mdali\appdata\roaming\nvModes.dat
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 12:49:40 6756632 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2009-10-07 12:48:54 539160 ----a-w- c:\windows\system32\LVUI2RC.dll
2009-10-07 12:48:32 539160 ----a-w- c:\windows\system32\LVUI2.dll
2009-10-07 12:47:56 266008 ----a-w- c:\windows\system32\drivers\lvrs.sys
2009-10-07 12:46:14 114712 ----a-w- c:\windows\system32\drivers\lvpopflt.sys
2009-10-07 12:43:44 199192 ----a-w- c:\windows\system32\lvci12101110.dll
2009-10-07 12:43:32 416280 ----a-w- c:\windows\system32\lvcodec2.dll
2009-10-07 12:24:06 34068 ----a-w- c:\windows\system32\Repository.reg
2009-10-07 05:46:36 25752 ----a-w- c:\windows\system32\drivers\LVPr2Mon.sys
2009-10-07 05:25:10 85302 ----a-w- c:\windows\system32\drivers\LVFeL102.cfg
2009-10-07 05:25:10 69592 ----a-w- c:\windows\system32\drivers\LVFaL100.cfg
2009-10-07 05:25:10 227172 ----a-w- c:\windows\system32\drivers\LVFeL100.cfg
2009-10-07 05:25:10 146680 ----a-w- c:\windows\system32\drivers\LVFeL101.cfg
2009-10-07 05:23:08 13584 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-12 01:39:22 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-09-17 13:11:53 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 14:57:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:48:30.28 ===============

Attached Files
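The Pseudo HJT section of the DDS log above is where the persistence stands out: the same [braviax] entry appears under both uRun (HKCU) and mRun (HKLM), the executable sits directly in system32, and mPolicies-system reports EnableLUA = 0, which on Vista means UAC is switched off. The following Python script is an added example, not part of DDS or of this thread, that applies those checks (plus a note on Trusted Zone additions) to a constructed subset of the report lines. The line formats it parses are the ones DDS prints; the severity labels and the heuristic that any Run entry launching an .exe straight from system32 deserves review are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the DDS "Pseudo HJT Report" format: a subset of the
# entries from the log above, not the full report.
SAMPLE_REPORT = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [<NO NAME>]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [braviax] c:\windows\system32\braviax.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: internet
Trusted Zone: mcafee.com
"""

# uRun = HKCU\...\Run (per-user), mRun = HKLM\...\Run (machine-wide).
RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
POLICY_RE = re.compile(r'^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)')
ZONE_RE = re.compile(r'^Trusted Zone: (?P<host>\S+)')
# Heuristic (an assumption of this example): a Run entry that launches an
# .exe sitting directly in \windows\system32\ is worth a second look.
SYSTEM32_EXE = re.compile(r'\\windows\\system32\\[^\\]+\.exe$')


def exe_path(cmd):
    """Return the lower-cased program path a Run value launches.

    Handles both quoted paths followed by arguments and bare paths.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    return cmd.split(' ', 1)[0].lower()


def triage(report):
    """Return (severity, message) findings for a Pseudo HJT report."""
    findings = []
    hives_by_name = defaultdict(set)
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.group('hive', 'name', 'cmd')
            if not cmd:
                findings.append(('info', f'{hive}Run [{name}]: empty value, likely a leftover'))
                continue
            hives_by_name[name.lower()].add(hive)
            path = exe_path(cmd)
            if SYSTEM32_EXE.search(path):
                findings.append(('review', f'{hive}Run [{name}] launches {path} straight from system32'))
            continue
        m = POLICY_RE.match(line)
        if m and m.group('key') == 'EnableLUA' and m.group('val') == '0':
            findings.append(('high', 'EnableLUA = 0: UAC is disabled; re-enable it once the machine is clean'))
            continue
        m = ZONE_RE.match(line)
        if m:
            findings.append(('review', f'Trusted Zone entry {m.group("host")}: confirm it was added on purpose'))
    # The same name under both hives means the item starts for every user
    # and again for this user: a double persistence pattern worth flagging.
    for name, hives in hives_by_name.items():
        if hives == {'u', 'm'}:
            findings.append(('high', f'[{name}] is registered under both HKCU and HKLM Run'))
    return findings


if __name__ == '__main__':
    for severity, message in triage(SAMPLE_REPORT):
        print(f'{severity:6}  {message}')
```

The script only reads the text of a posted log, so it can be run offline on any DDS output pasted into a file; it ranks rather than judges, and every "review" line still needs a human to check the file on disk.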




#2 myrti, Sillyberry (Malware Study Hall Admin, 33,766 posts)

Posted 29 November 2009 - 03:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 Dalilama, Topic Starter (Members, 22 posts)

Posted 30 November 2009 - 02:04 PM

Yes, my computer is still infected, but not sure exactly with what now. I think it is down to the same basic problem that many users are posting about now with the browser redirects. Any search follows two separate, random links out and the third attempt will reach the intended URL. I often get SiteAdvisor tabs opening up that explain that the site: serving.adsrevenue.clicksor is a bad site. These tabs will open up randomly, without me even having to be at the computer. Lots of tab activity without any clicking or attention to the computer actually occurring.

I don't have the security center virus symptoms that it all started with and I think I successfully removed the braviax.exe virus that came along with it. I have been able to run McAfee full virus scan to its completion, but it comes up clean. The only thing I've done since my original post is kill a few unnecessary processes in taskmonitor. I can reboot without having to hit safe mode, so I think it really is focused on the browser hijacking and redirects.

I mainly use Firefox, but it happens in that, IE8 and Chrome as well. Thanks for your help on these issues.

Here are the logs you requested using OTL:
OTL.txt:
OTL logfile created on: 11/30/2009 1:51:16 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Users\mdali\Downloads\Computer downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 42.87% Memory free
4.00 Gb Paging File | 2.74 Gb Available in Paging File | 68.61% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 109.74 Gb Total Space | 16.04 Gb Free Space | 14.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.92 Gb Total Space | 1.78 Gb Free Space | 92.84% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MDALI-LAPTOP
Current User Name: mdali
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - File not found -- C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
PRC - [2009/11/30 13:50:28 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\mdali\Downloads\Computer downloads\OTL.exe
PRC - [2009/11/07 09:45:45 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/07 00:47:34 | 00,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/09/04 22:24:32 | 01,669,416 | ---- | M] (GFI Software Ltd.) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIAgent.exe
PRC - [2009/09/04 22:24:32 | 01,238,824 | ---- | M] (GFI Software Ltd.) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHSched.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/07/07 16:45:22 | 00,436,752 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MSC\McUICnt.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/13 23:43:22 | 00,440,616 | ---- | M] (GFI Software Ltd.) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHInst.exe
PRC - [2009/05/07 22:30:22 | 00,192,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSM\McSmtFwk.exe
PRC - [2009/04/11 01:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2009/04/11 01:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/30 15:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 15:28:36 | 00,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/01/30 16:52:48 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/16 19:12:28 | 00,569,344 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\Digital Imaging\bin\hpqbam08.exe
PRC - [2008/05/02 01:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 01:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
PRC - [2008/03/25 19:49:02 | 00,184,320 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
PRC - [2008/03/25 19:40:42 | 00,214,360 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
PRC - [2008/01/19 02:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2007/07/25 16:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/07/25 16:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/04/30 16:48:22 | 00,072,704 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2007/01/12 09:51:28 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe
PRC - [2006/12/19 09:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\Windows\System32\IoctlSvc.exe
PRC - [2006/12/10 20:52:38 | 00,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
PRC - [2006/11/15 18:06:00 | 00,815,104 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/30 13:50:28 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\mdali\Downloads\Computer downloads\OTL.exe
MOD - [2009/10/31 22:14:02 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
MOD - [2009/04/11 01:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2009/02/11 10:06:38 | 00,014,032 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/05/02 01:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2008/05/02 01:38:54 | 00,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (aawservice)
SRV - File not found -- -- (0275071258036288mcinstcleanup) McAfee Application Installer Cleanup (0275071258036288)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/07 00:47:34 | 00,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009/09/24 20:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/04 22:24:32 | 01,238,824 | ---- | M] (GFI Software Ltd.) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHSched.exe -- (GFIBckHSched)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/13 23:43:22 | 00,440,616 | ---- | M] (GFI Software Ltd.) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHInst.exe -- (GFIBckHAtt)
SRV - [2009/03/30 15:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/03/13 19:29:23 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a43bf3d0f2e0) Google Update Service (gupdate1c9a43bf3d0f2e0)
SRV - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/01/30 16:52:48 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/19 18:23:16 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/07/18 12:13:20 | 00,053,760 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2008/07/18 12:13:20 | 00,044,032 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2008/05/02 01:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/04/08 08:56:30 | 00,800,040 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2008/03/25 20:27:36 | 00,135,168 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2008/01/22 10:13:26 | 00,275,752 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2008/01/19 02:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/04 20:20:04 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2007/11/02 11:33:22 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/23 07:18:48 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2007/07/25 16:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/07/25 16:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/04/30 16:48:22 | 00,072,704 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2006/12/19 09:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\Windows\System32\IoctlSvc.exe -- (PLFlash DeviceIoControl Service)
SRV - [2006/11/02 07:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - [2009/10/07 07:49:40 | 06,756,632 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Ultra Vision(UVC)
DRV - [2009/10/07 07:47:56 | 00,266,008 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 07:46:14 | 00,114,712 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2009/10/07 00:46:36 | 00,025,752 | ---- | M] () -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,130,424 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/04/10 23:42:54 | 00,073,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/07/26 14:26:22 | 00,041,752 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/02/29 02:13:24 | 00,036,880 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 02:13:16 | 00,035,344 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/01/19 00:53:39 | 00,007,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\umpass.sys -- (UMPass)
DRV - [2007/11/11 12:51:00 | 08,236,640 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/26 07:12:00 | 02,251,776 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/08/26 16:16:26 | 00,047,360 | ---- | M] (VSO Software) -- C:\Windows\System32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2007/06/07 21:57:58 | 00,023,600 | ---- | M] (EnTech Taiwan) -- C:\Windows\System32\drivers\TVICHW32.SYS -- (TVICHW32)
DRV - [2007/04/12 03:53:00 | 00,016,432 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2007/04/12 03:50:00 | 00,081,200 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2007/04/12 03:50:00 | 00,079,664 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2007/01/23 14:45:00 | 00,078,864 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2007/01/23 14:44:00 | 00,062,992 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2007/01/23 14:44:00 | 00,020,496 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/01/12 09:52:26 | 00,647,680 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2006/11/22 09:57:00 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/22 09:57:00 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/22 09:57:00 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/21 03:25:44 | 00,045,568 | ---- | M] (Broadcom Corporation) -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 18:06:00 | 00,179,256 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/11/14 16:35:20 | 00,037,376 | ---- | M] (REDC) -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 04:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 03:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:41:50 | 00,987,648 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (HSF_DPV)
DRV - [2006/11/02 02:41:49 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 02:41:48 | 00,654,336 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2006/11/02 02:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 01,781,760 | ---- | M] (Intel® Corporation) -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/11/02 02:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 01:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/09/21 16:57:01 | 00,020,096 | ---- | M] (SlySoft, Inc.) -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2006/04/21 20:44:39 | 00,008,064 | ---- | M] (Elaborate Bytes AG) -- C:\Windows\System32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2005/12/22 16:02:22 | 00,051,840 | ---- | M] (REDC) -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/11/16 19:28:32 | 00,028,928 | ---- | M] (REDC) -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\S-1-5-21-3131491969-3378533542-3382806781-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\S-1-5-21-3131491969-3378533542-3382806781-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:3.9.7
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.0.20090922023629

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/08/29 22:06:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/07 09:45:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/22 23:39:06 | 00,000,000 | ---D | M]

[2008/06/18 18:58:50 | 00,000,000 | ---D | M] -- C:\Users\mdali\AppData\Roaming\Mozilla\Extensions
[2009/11/29 22:41:46 | 00,000,000 | ---D | M] -- C:\Users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\extensions
[2009/10/31 22:06:26 | 00,000,000 | ---D | M] -- C:\Users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2009/11/22 23:39:08 | 00,000,000 | ---D | M] -- C:\Users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}
[2009/10/02 14:16:50 | 00,000,000 | ---D | M] -- C:\Users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/05/04 18:04:53 | 00,000,000 | ---D | M] -- C:\Users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/11/29 22:41:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/14 20:34:14 | 00,090,112 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2007/03/21 18:19:00 | 01,093,632 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npphbkpublish2.dll

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000..\Run: [DisplayFusion] C:\Program Files\DisplayFusion\DisplayFusion.exe (Binary Fortress Software)
O4 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000..\Run: [GFI Backup 2009 - Home Edition] C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIAgent.exe (GFI Software Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..Trusted Domains: interpublic.com ([mail] https in Trusted sites)
O15 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3131491969-3378533542-3382806781-1000\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommo...20Installer.cab (Support.com Configuration Class)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.winkflash.com/photo/loaders/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} http://www.winkflash.com/photo/loaders/ImageUploader4.cab (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} http://www.cyberlink.com/vista/prog/CLVistaGenie.cab (CLVistaGenie Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (Get_ActiveX Control)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://webmail.teamdetroit.com/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: Photobucket Publisher http://pic.photobucket.com/plugins/csve/ph...t_publisher.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\x-excid {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{17a98f35-14de-11de-9e22-00188bc1ba2d}\Shell - "" = AutoRun
O33 - MountPoints2\{17a98f35-14de-11de-9e22-00188bc1ba2d}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/11/24 20:19:32 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2009/11/24 20:18:52 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/24 14:30:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/24 14:23:58 | 00,714,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\timedate.cpl
[2009/11/24 13:45:29 | 00,000,000 | ---D | C] -- C:\Users\mdali\AppData\Roaming\McAfee
[2009/11/23 00:06:55 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2009/11/23 00:06:55 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2009/11/23 00:06:55 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2009/11/22 21:46:25 | 00,000,000 | ---D | C] -- C:\Users\mdali\AppData\Roaming\Malwarebytes
[2009/11/22 21:46:10 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/22 21:46:10 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/11/21 15:01:46 | 00,000,000 | ---D | C] -- C:\Users\mdali\Documents\My Scans
[2009/11/21 13:12:12 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/11/21 13:11:52 | 00,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2009/11/21 13:11:51 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/11/21 13:11:51 | 00,000,000 | ---D | C] -- C:\Users\mdali\AppData\Roaming\PC Tools
[2009/11/20 19:44:51 | 00,000,000 | ---D | C] -- C:\Users\mdali\AppData\Local\Threat Expert
[2009/11/20 14:32:49 | 00,000,000 | -H-D | C] -- C:\ProgramData\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/11/20 14:32:07 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft(83)
[2009/11/20 13:53:50 | 00,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2009/11/20 09:37:32 | 00,000,000 | ---D | C] -- C:\Users\mdali\Documents\DVDFab
[2009/11/11 01:38:20 | 02,036,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/11/11 01:38:12 | 00,355,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSDApi.dll
[2009/11/04 12:01:32 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2007/08/26 16:16:26 | 00,047,360 | ---- | C] (VSO Software) -- C:\Users\mdali\AppData\Roaming\pcouffin.sys
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/30 13:51:01 | 04,718,592 | -HS- | M] () -- C:\Users\mdali\ntuser.dat
[2009/11/30 13:51:00 | 00,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3131491969-3378533542-3382806781-1000UA.job
[2009/11/30 13:45:00 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/11/30 12:08:36 | 00,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/11/30 12:08:36 | 00,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/11/30 04:51:00 | 00,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3131491969-3378533542-3382806781-1000Core.job
[2009/11/29 22:45:00 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/11/29 22:09:39 | 00,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D88FCACD-209C-4626-9A27-D763806BD310}.job
[2009/11/28 18:03:20 | 00,080,689 | ---- | M] () -- C:\Users\mdali\AppData\Roaming\nvModes.001
[2009/11/28 16:56:36 | 00,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/28 16:56:36 | 00,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/28 16:56:36 | 00,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/27 21:48:13 | 00,000,116 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2009/11/27 20:11:07 | 00,017,849 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2009/11/27 20:08:31 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/11/27 20:08:18 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/11/27 20:07:46 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2009/11/27 20:07:40 | 21,458,49344 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/26 10:31:41 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/11/26 10:31:15 | 00,524,288 | -HS- | M] () -- C:\Users\mdali\NTUSER.DAT{922b9eed-7fd4-11de-917a-00188bc1ba2d}.TMContainer00000000000000000001.regtrans-ms
[2009/11/26 10:31:15 | 00,065,536 | -HS- | M] () -- C:\Users\mdali\NTUSER.DAT{922b9eed-7fd4-11de-917a-00188bc1ba2d}.TM.blf
[2009/11/26 10:30:38 | 03,184,920 | -H-- | M] () -- C:\Users\mdali\AppData\Local\IconCache.db
[2009/11/24 14:52:20 | 00,000,000 | ---- | M] () -- C:\Windows\System32\settings.dat
[2009/11/24 14:30:53 | 00,001,930 | ---- | M] () -- C:\Users\mdali\Desktop\HijackThis.lnk
[2009/11/20 09:36:45 | 00,000,040 | -HS- | M] () -- C:\Users\mdali\AppData\Roaming\.zreglib
[2009/11/15 02:37:56 | 00,000,340 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2009/11/11 19:40:14 | 01,728,672 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/11/01 00:01:54 | 00,000,318 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/24 14:52:20 | 00,000,000 | ---- | C] () -- C:\Windows\System32\settings.dat
[2009/11/24 14:30:53 | 00,001,930 | ---- | C] () -- C:\Users\mdali\Desktop\HijackThis.lnk
[2009/11/22 23:40:28 | 21,458,49344 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/07 07:24:22 | 00,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2009/10/07 00:46:36 | 00,025,752 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2009/10/07 00:23:08 | 00,013,584 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
[2009/09/29 22:14:49 | 00,000,760 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\setup_ldm.iss
[2009/09/10 18:57:23 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2007/12/15 13:18:08 | 00,038,462 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\Microsoft Excel 97-2003.ADR
[2007/12/15 13:17:42 | 00,000,028 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/12/03 16:59:52 | 00,000,695 | ---- | C] () -- C:\Windows\wincmd.ini
[2007/08/26 17:59:03 | 00,000,070 | ---- | C] () -- C:\Windows\sbwin.ini
[2007/08/26 16:17:09 | 00,000,034 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\pcouffin.log
[2007/08/26 16:16:26 | 00,087,608 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\inst.exe
[2007/08/26 16:16:26 | 00,007,887 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\pcouffin.cat
[2007/08/26 16:16:26 | 00,001,144 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\pcouffin.inf
[2007/07/25 16:40:02 | 00,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2007/06/23 13:43:17 | 00,000,008 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\usb.dat.bin
[2007/06/13 22:18:28 | 00,000,023 | ---- | C] () -- C:\Windows\System32\presets.ini
[2007/05/16 17:55:35 | 00,038,426 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\Comma Separated Values (Windows).ADR
[2007/05/03 10:43:08 | 00,000,116 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007/05/02 20:20:28 | 00,008,302 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2007/05/02 19:51:52 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/05/02 19:44:23 | 00,080,689 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\nvModes.dat
[2007/05/02 19:44:23 | 00,080,689 | ---- | C] () -- C:\Users\mdali\AppData\Roaming\nvModes.001
[2007/05/02 19:33:04 | 00,000,628 | ---- | C] () -- C:\Windows\System32\PCI_VEN_1102&DEV_FF05&SUBSYS_00001102.ini
[2007/05/02 19:33:03 | 00,101,376 | ---- | C] () -- C:\Windows\System32\APOMngr.dll
[2007/05/02 19:33:03 | 00,066,560 | ---- | C] () -- C:\Windows\System32\CmdRtr.dll
[2007/05/02 12:15:28 | 00,044,032 | ---- | C] () -- C:\Users\mdali\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/30 22:00:35 | 00,000,680 | ---- | C] () -- C:\Users\mdali\AppData\Local\d3d9caps.dat
[2007/04/30 19:43:48 | 00,000,040 | -HS- | C] () -- C:\Users\mdali\AppData\Roaming\.zreglib
[2006/11/03 16:25:56 | 00,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 07:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/05/06 18:06:00 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2001/11/14 11:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

Extras.txt:
OTL Extras logfile created on: 11/30/2009 1:51:16 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Users\mdali\Downloads\Computer downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 42.87% Memory free
4.00 Gb Paging File | 2.74 Gb Available in Paging File | 68.61% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 109.74 Gb Total Space | 16.04 Gb Free Space | 14.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.92 Gb Total Space | 1.78 Gb Free Space | 92.84% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MDALI-LAPTOP
Current User Name: mdali
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3131491969-3378533542-3382806781-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.txt [@ = TextPad.txt] -- C:\Program Files\TextPad 4\textpad.exe (Helios Software Solutions)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3131491969-3378533542-3382806781-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00B50D13-A284-4FCB-8E16-812ECBE39CBF}" = lport=10244 | protocol=6 | dir=in | app=system |
"{06245CC6-867E-472B-B010-06072FCB1374}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{081C65BB-CFC9-49F0-8C17-87A7DAB8D343}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1253E476-6031-4C43-8848-3D4D418A1857}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1B4D958B-57EE-4D53-84B6-11C880AB6E75}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{34ED8B56-B590-4926-A4C2-C65A9650558B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{365688F3-0509-4AAB-943F-2048F37AA853}" = lport=3390 | protocol=6 | dir=in | app=system |
"{39EFD3F5-F5F3-49F2-A598-95EF199FD974}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{45C56567-B601-4D55-9DF3-7640CF604583}" = lport=137 | protocol=17 | dir=in | app=system |
"{47D069C3-0EF6-49EC-A562-4C5FE1083575}" = rport=10243 | protocol=6 | dir=out | app=system |
"{52CFF931-839E-4F87-9F19-1B14A8F0510B}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{55EEA928-9CCE-4990-B9D3-4DB070821666}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{55FDD18D-3C21-4292-82BD-95C1FCF9CF24}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{56803AFF-A715-433C-BA12-DF6DD18A64AA}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{67CBAE78-E984-46CD-BC92-E4A201936E42}" = rport=138 | protocol=17 | dir=out | app=system |
"{7296F3A7-D863-4764-8D97-9A1A7E3B7EC1}" = lport=2869 | protocol=6 | dir=in | app=system |
"{741CC2C7-1515-446C-BDB7-0C8D3380DA8A}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{82066D13-3D14-4B44-9462-17EA2F711027}" = lport=10243 | protocol=6 | dir=in | app=system |
"{844D1A41-4C35-4EF5-994A-4BD9FE68F86A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{893C8961-5BCE-46C5-AB11-119C1D110E4A}" = lport=10244 | protocol=6 | dir=in | app=system |
"{926FB28A-5E8C-48BC-BC3E-6BF8FA87B530}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9B70BC0E-C29D-482A-911D-44290316BC38}" = lport=3390 | protocol=6 | dir=in | app=system |
"{A5435E38-34AF-4AD7-9079-7455513AAE27}" = rport=445 | protocol=6 | dir=out | app=system |
"{A7B80974-4AA5-4A21-AB04-A2BE4604881A}" = lport=445 | protocol=6 | dir=in | app=system |
"{B0332CBA-E082-4F23-9712-93DFE0D9521B}" = rport=10244 | protocol=6 | dir=out | app=system |
"{B3D13C16-0212-4311-ABCF-0B8170D0895E}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B7CF8049-0F8C-4C40-A01F-0309015A3910}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{BA9857B5-74BB-41BB-B020-492909446DEC}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{C0E362FD-CFDD-4C21-8FEA-D31210C78301}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C4C809F4-C589-4874-B481-40252BE30469}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{C6ACEFAE-C726-4E55-BF1E-E67742392A41}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C76B876D-0041-44A8-B6D4-8B5D28800428}" = lport=138 | protocol=17 | dir=in | app=system |
"{CE11B1A4-F49E-4B5A-AA75-9D6442B6B29B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{DA502005-FEDF-4E51-BE0E-64D8B8FC5BEF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DA6058A0-F72C-4C50-B421-0C2FA05744D2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E4448F06-04D4-4310-B82D-A564884D43A6}" = lport=139 | protocol=6 | dir=in | app=system |
"{E5B94100-ECED-401D-8FDC-C608A85586C3}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{EA46BF4D-D2B3-459C-B993-AB88AEC941DD}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{EBEC8B1A-A1A2-4D2D-96F0-D4837400ACF5}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{F6692792-8416-4B15-9337-A4A69EC7D526}" = rport=10244 | protocol=6 | dir=out | app=system |
"{F78C576C-7A35-4047-B65D-09F2153478F8}" = rport=137 | protocol=17 | dir=out | app=system |
"{FC7BB2DE-4A3E-4CC8-A63E-2314C0D29F68}" = rport=139 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0C2F3640-7400-422E-8290-8271E237BCF6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{0EECC566-203A-4365-9CD7-02EF14BF614A}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{129E052C-F00F-41A6-9544-2EFDDB3F42EE}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{139D7BDD-CF51-4429-8B10-963F16F8ED33}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{1532B2C2-E516-4F59-9026-504D0D907CF0}" = protocol=6 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{19FF5FA6-3A39-438C-B1D2-EAF851CA0C9E}" = protocol=6 | dir=out | app=system |
"{1A8EC190-4BB9-44DA-A4F3-4EDE277B4C31}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{28017489-C5C1-4512-BCED-054E7E973809}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{475601A7-22BC-4457-B4EB-A7BABF35B9D9}" = protocol=17 | dir=in | app=c:\program files\skype\phone\skype.exe |
"{4BC37A46-73B2-4BA2-A5B7-007C20046701}" = protocol=17 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{5253F520-4D38-4481-AF36-4403D5A02DF1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{61971ECE-0B30-495B-BDEB-8AF7F3EB4949}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{622C26EB-7702-4F7C-BC8D-B682C29DD121}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6702872F-98CB-410D-9B9F-253F15F879F5}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{69B1CF3E-71F9-44A9-92DC-21C59FE25FAD}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{7097BD1C-F3A0-497C-B7BF-C8DA1E62AA1E}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{72C5ADEA-0202-4776-BC6B-700ACB4EBA7D}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{737D1474-A9FC-4E66-8990-A08AEC6558B5}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{7461BFA4-2FBC-4BA8-A4C0-102907688DFD}" = protocol=6 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{770C16E8-B204-417D-9B13-4DE4564F8D1F}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{7C4181F1-B537-4DFC-B5F8-24C5A513E43C}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{7EFF4C2F-06C8-4CAE-AD10-8FF33306BC3C}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{803589D6-E531-4F43-A676-FDAEB279FA45}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{8312414C-10D2-4876-A5CE-5C0F959E149E}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{84BA7772-BC03-4A1C-8B04-F73D430E3E46}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{84E2323E-A315-4197-B729-E5B33B890081}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8F040ECA-D4B6-48A0-8260-C011FA069608}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{90E85828-39CC-4CE3-B978-D824BDDB464D}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{93D444EA-5AF8-4319-8A57-49CEAD091AB7}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{989CB0AB-B0C1-4E97-81A0-03ED922E8483}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{9AE28947-452A-4F72-B44E-2371C9C11638}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{9BBBAA6E-C93B-424F-A471-68EA78B13FA8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A057FAC1-C088-4346-86F0-8ADBC2185B43}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{A34C9A23-5979-44C8-88D7-870747FBAE09}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A4A999E9-5AEE-46EE-99B7-203E240D2D45}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{BD384889-44B8-43F0-8FA3-E2FB8C8330B7}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{BF2641ED-A38D-4EA0-9549-0E06FB87E22E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BF945897-3D26-48DD-B352-F61285342914}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C3554C60-5725-4661-87E7-0C67AD5CF9AF}" = protocol=17 | dir=in | app=c:\program files\logitech\logitech vid\vid.exe |
"{D650F02D-E227-448D-88E3-A24C3CBE275B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{D8FD1E26-BF31-48CC-964F-B2BAB5426066}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{DB24EC0A-ABA7-4DF8-9438-94296CDD383E}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E32E8264-DA85-4485-9AF4-D948B4BD24F7}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{E6F6E0AD-60F0-404D-9157-1B28E82A70DA}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{E7872BAB-19F8-4233-8705-54E6DCF8EA6E}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{ECD5F096-68E9-4784-98AD-64ACEC555678}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F134126D-F479-4B40-8E9E-B45F44A8CC46}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{F41DD679-FBDA-43E4-8444-AB2EB8FC4586}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{FB7B0CCE-B0AD-412D-AFB1-08BC80DAC095}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{FFDBC3B5-EE9D-4A14-BF11-A29ED40C6BBF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"TCP Query User{02DAAE71-A3B2-4A8E-A53C-1BD8FBCE7961}C:\program files\common files\ahead\nero web\setupx.exe" = protocol=6 | dir=in | app=c:\program files\common files\ahead\nero web\setupx.exe |
"TCP Query User{22F64320-DCCF-4AFF-B889-B95B9EDFA865}C:\program files\veoh networks\veoh\veohclient.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veoh\veohclient.exe |
"TCP Query User{3CB90455-CC25-43C4-B09C-39BB2D64719B}C:\program files\azureus\azureus.exe" = protocol=6 | dir=in | app=c:\program files\azureus\azureus.exe |
"TCP Query User{5FE102F6-D4A6-4128-9019-706DF306B390}C:\users\mdali\appdata\local\temp\nero web\setupxu.exe" = protocol=6 | dir=in | app=c:\users\mdali\appdata\local\temp\nero web\setupxu.exe |
"TCP Query User{86CC2F4D-6380-423B-B34C-1BA13061A86D}C:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=6 | dir=in | app=c:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"TCP Query User{AC10D436-E2CD-45B8-BC57-FB32122D7BC9}C:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=6 | dir=in | app=c:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"TCP Query User{B6DDB191-7CA4-4264-9EC5-3BA03090526E}C:\program files\azureus\azureus.exe" = protocol=6 | dir=in | app=c:\program files\azureus\azureus.exe |
"TCP Query User{B98C0746-4583-4DAB-826D-2186565C526F}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{DEFE9A4C-B0F3-473F-8935-AEF935BA4A02}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{2E558085-3FFB-4305-A409-9A6AD272CB28}C:\program files\azureus\azureus.exe" = protocol=17 | dir=in | app=c:\program files\azureus\azureus.exe |
"UDP Query User{2E780972-E0A2-41BA-B65C-C45713D80DC1}C:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=17 | dir=in | app=c:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"UDP Query User{48792D09-CD0A-4792-A3DF-61CE10D14272}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{4D7034AE-C23C-4968-A044-72720AE7A9B4}C:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=17 | dir=in | app=c:\users\mdali\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"UDP Query User{5C089FFD-2EF2-4102-9844-17E23FEF1446}C:\program files\veoh networks\veoh\veohclient.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veoh\veohclient.exe |
"UDP Query User{6596769B-835F-4BDD-A94F-D0F661401D96}C:\program files\azureus\azureus.exe" = protocol=17 | dir=in | app=c:\program files\azureus\azureus.exe |
"UDP Query User{AC721742-33FB-4B90-8C31-98ED401132D8}C:\users\mdali\appdata\local\temp\nero web\setupxu.exe" = protocol=17 | dir=in | app=c:\users\mdali\appdata\local\temp\nero web\setupxu.exe |
"UDP Query User{C45887AC-8881-4A6C-B475-A282316752EA}C:\program files\common files\ahead\nero web\setupx.exe" = protocol=17 | dir=in | app=c:\program files\common files\ahead\nero web\setupx.exe |
"UDP Query User{E84F01EB-14B5-4F24-BE76-A83494856058}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 17
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{39CB30DB-27F8-4dd4-A294-CB4AE3B584FD}" = Copy
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 5.0
"{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}" = Logitech Vid
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{52D56C42-8C69-4882-A661-39695537C9CF}" = DellConnect
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}" = Microsoft Outlook Web Access S/MIME
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6E4D4E0B-02F6-46C1-BAE5-1B6B2E486A7B}" = Microsoft Office Live Meeting 2007
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}" = WIDCOMM Bluetooth Software 6.0.1.3100
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AFA9D219-A7FD-4240-8793-E5C7C9D715F4}" = IKEA Home Planner
"{B076073A-5527-4F4F-B46B-B10692277DA2}" = DisplayFusion
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{BEF106F8-2689-4530-925A-E1117836E8CD}" = Google SketchUp 7
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D61524CF-93FE-4193-91AD-C6E21FEEAA5A}" = Logitech Harmony Remote Software 7
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E60B8506-DDC7-433d-AF9E-999D0F543C4A}" = 2570_Help
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{EA7FE7AB-34AE-4e14-84C5-187E6EC0AB9B}" = 2570
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{ED3F469E-D9EC-4DF1-968F-5812CE2F30F8}" = HP Driver Diagnostics
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F1362843-0E0E-4F74-8662-724CF101ADCE}" = Skype web features
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}" = mCore
"{F66D5732-C2A6-4f88-B8FE-AEDA10355FBD}" = 2570Trb
"{F751C062-87DA-4D33-8A12-6E7F1D4C051C}" = Netflix in Windows Media Center
"{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1033}" = Nero 7 Ultra Edition
"{FE24D361-A3E8-11DE-88F3-005056806466}" = Google Earth Plug-in
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"AnyDVD" = AnyDVD
"Audacity_is1" = Audacity 1.2.6
"Azureus Vuze" = Azureus Vuze
"B076073A-5527-4f4f-B46B-B10692277DA2_is1" = DisplayFusion 2.2.1
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"CCleaner" = CCleaner (remove only)
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab Platinum_is1" = DVDFab Platinum 3.1.5.0
"ENTERPRISER" = Microsoft Office Enterprise 2007
"FileZilla Client" = FileZilla Client 3.1.1.1
"FlashFXP v3.0 (Build 1022)" = FlashFXP v3.0 (Build 1022)
"GFI Backup 2009 - Home Edition" = GFI Backup 2009 - Home Edition
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPOCR" = HP OCR Software 8.0
"IrfanView" = IrfanView (remove only)
"legacyqcam_11.10" = Logitech Legacy USB Camera Driver Package
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MiniLyrics" = Minilyrics(remove only)
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSC" = McAfee SecurityCenter
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel® PROSet/Wireless Software
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"Shop for HP Supplies" = Shop for HP Supplies
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Totalcmd" = Total Commander (Remove or Repair)
"Virtools3DLifePlayer" = Virtools 3D Life Player
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Photos Drag-Drop Uploader 1v7" = Yahoo! Photos Easy Upload Tool 1v7
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3131491969-3378533542-3382806781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus
"Yahoo! Messenger for Vista" = Yahoo! Messenger for Vista

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/29/2009 1:22:44 AM | Computer Name = mdali-Laptop | Source = System Restore | ID = 8210
Description =

Error - 11/29/2009 9:01:42 AM | Computer Name = mdali-Laptop | Source = Application Error | ID = 1000
Description = Faulting application mcupdate.EXE, version 6.0.6002.18005, time stamp
0x49e02324, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x0001197d, process id 0x1440, application start time
0x01ca70f4171406c0.

Error - 11/29/2009 11:38:24 AM | Computer Name = mdali-Laptop | Source = Application Hang | ID = 1002
Description = The program DVD Shrink 3.2.exe version 3.2.0.15 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 180 Start Time: 01ca7109c59bd910 Termination Time: 446

Error - 11/29/2009 6:54:55 PM | Computer Name = mdali-Laptop | Source = SPP | ID = 16387
Description =

Error - 11/29/2009 6:54:55 PM | Computer Name = mdali-Laptop | Source = System Restore | ID = 8193
Description =

Error - 11/29/2009 6:55:19 PM | Computer Name = mdali-Laptop | Source = SPP | ID = 16387
Description =

Error - 11/29/2009 6:55:19 PM | Computer Name = mdali-Laptop | Source = System Restore | ID = 8193
Description =

Error - 11/29/2009 6:55:25 PM | Computer Name = mdali-Laptop | Source = Windows Search Service | ID = 3013
Description =

Error - 11/29/2009 6:55:33 PM | Computer Name = mdali-Laptop | Source = Windows Search Service | ID = 3013
Description =

Error - 11/30/2009 9:01:41 AM | Computer Name = mdali-Laptop | Source = Application Error | ID = 1000
Description = Faulting application mcupdate.EXE, version 6.0.6002.18005, time stamp
0x49e02324, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x0001197d, process id 0x1194, application start time
0x01ca71bd418085e1.

[ Media Center Events ]
Error - 10/26/2009 6:51:10 PM | Computer Name = mdali-Laptop | Source = Mcx2Dvcs | ID = 401
Description =

Error - 10/26/2009 6:53:42 PM | Computer Name = mdali-Laptop | Source = Mcx2Dvcs | ID = 405
Description =

Error - 10/26/2009 6:55:29 PM | Computer Name = mdali-Laptop | Source = Mcx2Svc | ID = 301
Description =

Error - 10/26/2009 6:58:21 PM | Computer Name = mdali-Laptop | Source = Mcx2Dvcs | ID = 405
Description =

Error - 10/26/2009 7:03:15 PM | Computer Name = mdali-Laptop | Source = Mcx2Dvcs | ID = 405
Description =

Error - 10/26/2009 7:32:21 PM | Computer Name = mdali-Laptop | Source = McrMgr | ID = 109
Description =

[ OSession Events ]
Error - 6/2/2007 1:12:48 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/12/2007 10:39:18 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 7
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/12/2007 10:39:38 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 7
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/12/2007 10:55:38 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 58
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/12/2007 11:02:12 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/13/2008 11:43:19 AM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6211.1000, Microsoft Office Version: 12.0.6215.1000. This session lasted 85
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/13/2008 11:43:40 AM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6211.1000, Microsoft Office Version: 12.0.6215.1000. This session lasted 11
seconds with 0 seconds of active time. This session ended with a crash.

Error - 4/30/2009 9:05:34 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 26
seconds with 0 seconds of active time. This session ended with a crash.

Error - 4/30/2009 9:29:55 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 14
seconds with 0 seconds of active time. This session ended with a crash.

Error - 5/15/2009 9:32:59 PM | Computer Name = mdali-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 21
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/29/2009 11:37:41 AM | Computer Name = mdali-Laptop | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/29/2009 11:37:50 AM | Computer Name = mdali-Laptop | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/29/2009 11:37:58 AM | Computer Name = mdali-Laptop | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/29/2009 11:38:07 AM | Computer Name = mdali-Laptop | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/29/2009 11:38:15 AM | Computer Name = mdali-Laptop | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/29/2009 11:38:24 AM | Computer Name = mdali-Laptop | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/29/2009 6:42:46 PM | Computer Name = mdali-Laptop | Source = Service Control Manager | ID = 7031
Description =

Error - 11/29/2009 6:50:58 PM | Computer Name = mdali-Laptop | Source = Service Control Manager | ID = 7031
Description =

Error - 11/29/2009 6:52:38 PM | Computer Name = mdali-Laptop | Source = Service Control Manager | ID = 7031
Description =

Error - 11/29/2009 6:53:13 PM | Computer Name = mdali-Laptop | Source = Service Control Manager | ID = 7034
Description =


< End of report >

#4 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:03:52 AM

Posted 01 December 2009 - 09:06 AM

Hi,

Please run a scan with GMER:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please also run a scan with mbr:
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • Press OK.
  • At the command prompt type: c:\mbr.exe -t >>"C:\mbr.log"
  • Press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 Dalilama (Topic Starter)
  • Members
  • 22 posts
  • Local time:08:52 PM

Posted 01 December 2009 - 11:44 AM

I am working on running the scans, but the gmer scan is taking forever. It has been scanning the windows/winsxs/manifests folder for 1 1/2 hrs already and doesn't seem to find an end. Of course, it is over 2GB and 126,000 files deep, but can I stop this scan to provide what is already scanned or do you really need anything from this part of the scan?

Also, I am not getting the email notifications about your posts at all. I just keep revisiting the site to check in. I have the track this post immediate notification settings chosen, but I still haven't even gotten notification from your first post. Anything I can do to correct this? thx.

#6 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:03:52 AM

Posted 01 December 2009 - 11:53 AM

Hi,

please let me know if you get the notification for this post. Please also check your spam folder. You will only get notifications for posts that were made after you subscribed to the thread. For example the one I am just posting.

I would prefer getting a log from gmer, in any case I would need the entire log. But if it takes too long, please provide a log from RootRepeal instead:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Please make sure you also run mbr from my previous post (that is a quick scan).

regards myrti

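The GMER scan requested in the two posts above reports kernel hooks, and the judgment the helper then makes by eye is whether each hook belongs to an installed security product (expected) or to something unidentified (a rootkit candidate). The following Python script is an added example, not code from this thread, from GMER, or from BleepingComputer: it parses the two hook formats GMER prints (the "Code <module> (<description>) <function> [<address>]" service-table entries and the ".text/PAGE <image>!<function> ... JMP <target> <module> (<description>)" inline patches), groups hooks by the driver they resolve to, and flags any group that is not on an allow-list. The allow-list is an assumption for illustration (mfehidk.sys is the only entry, because that is the driver in the log posted in this thread), and the two ZwEnumerateKey lines in the sample log are constructed to show what an unattributed hook looks like.

```python
"""Triage of GMER kernel-hook output.

Added example; not code from the thread, from GMER or from BleepingComputer.
The mfehidk.sys lines in SAMPLE_GMER_LOG are copied from the log posted in the
thread; the two ZwEnumerateKey lines are constructed (8A1B0DE0 is a made-up address).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Assumption (illustrative allow-list, not a vendor list): hooks from these
# drivers are expected when the product is installed.
KNOWN_SECURITY_DRIVERS = {
    "mfehidk.sys": "McAfee Host Intrusion Detection Link Driver",
}

# Service-table entry: "Code \SystemRoot\...\x.sys (Description/Vendor) ZwCreateFile [0x8DA6179E]"
# or, when GMER cannot name the module:  "Code 8A1B0DE0 ZwEnumerateKey"
SSDT_RE = re.compile(
    r"^(?:Code|SSDT)\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>[A-Za-z_]\w*)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# Inline patch: ".text ntkrnlpa.exe!ZwYieldExecution 82274982 5 Bytes JMP 8DA617CC \SystemRoot\...\x.sys (Desc)"
INLINE_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<target>\S+!\S+)\s+(?P<at>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<patch>.*?)(?:\s+(?P<module>\\\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class Hook:
    kind: str                # "ssdt" (service-table entry) or "inline" (code patch)
    function: str            # hooked kernel function, e.g. ZwCreateFile
    module: Optional[str]    # driver path GMER resolved, a bare address, or None
    desc: Optional[str]      # GMER's "(Description/Vendor)" text, if any

    @property
    def module_name(self) -> Optional[str]:
        """Lower-cased basename of the resolved driver; None if GMER gave only an address."""
        if not self.module or not self.module.startswith("\\"):
            return None
        return self.module.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> Iterator[Hook]:
    """Yield one Hook per hook line; headers, blank lines and other sections are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            yield Hook("ssdt", m["func"], m["module"], m["desc"])
            continue
        m = INLINE_RE.match(line)
        if m:
            module = m["module"]
            if module is None:  # unattributed patch: keep the JMP target so it can be grouped
                jmp = re.search(r"JMP\s+([0-9A-Fa-f]+)", m["patch"])
                module = jmp.group(1) if jmp else None
            yield Hook("inline", m["target"].split("!", 1)[1], module, m["desc"])


def triage(text: str, known: Dict[str, str] = KNOWN_SECURITY_DRIVERS) -> Dict[str, dict]:
    """Group hooks by resolved module and label each group expected or REVIEW."""
    groups: Dict[str, List[Hook]] = defaultdict(list)
    for hook in parse_gmer(text):
        groups[hook.module_name or f"<unresolved {hook.module or '?'}>"].append(hook)
    report = {}
    for label, hooks in groups.items():
        if label in known:
            verdict = f"expected ({known[label]})"
        else:
            verdict = "REVIEW: hook not attributed to a known security driver"
        report[label] = {
            "verdict": verdict,
            "functions": sorted({h.function for h in hooks}),
            "count": len(hooks),
        }
    return report


def needs_review(report: Dict[str, dict]) -> List[str]:
    """Module labels whose hooks were not matched to the allow-list."""
    return sorted(label for label, r in report.items() if r["verdict"].startswith("REVIEW"))


# Constructed sample: McAfee lines copied from the thread's log, ZwEnumerateKey lines made up.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8DA6179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8DA61710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82274982 5 Bytes JMP 8DA617CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82439D5D 5 Bytes JMP 8DA6180F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Code 8A1B0DE0 ZwEnumerateKey
PAGE ntkrnlpa.exe!ZwEnumerateKey 8245A1C0 5 Bytes JMP 8A1B0DE0
"""

if __name__ == "__main__":
    for label, r in triage(SAMPLE_GMER_LOG).items():
        print(f"{label}: {r['verdict']}; {r['count']} hook(s): {', '.join(r['functions'])}")
```

The script does not decide that an unattributed hook is malicious; it only separates "hooks from a driver you installed on purpose" from "hooks GMER could not tie to a named module", which is the part of the log a helper reads first. An address-only entry such as the constructed 8A1B0DE0 group is exactly the shape a hidden driver produces, so that is what to look at next with RootRepeal's Stealth Objects and Hidden Services checks.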


#7 Dalilama (Topic Starter)
  • Members
  • 22 posts
  • Local time:08:52 PM

Posted 01 December 2009 - 11:56 AM

Of course, as I get back up to this computer to check the scan, it is done, with a warning notice that it detected changes with the ROOTKIT, or something along those lines.

Here are the two scan results you requested, I look forward to your reply:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 11:46:29
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\mdali\AppData\Local\Temp\pgldipog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8DA6179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8DA61738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8DA6174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8DA617DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8DA6181F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8DA61710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8DA61724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8DA617B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8DA61847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8DA61833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8DA6178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8DA61776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8DA6180B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8DA617F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8DA617C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8DA61762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82274982 5 Bytes JMP 8DA617CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 824085B5 5 Bytes JMP 8DA61823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82412B82 5 Bytes JMP 8DA61766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82439D5D 5 Bytes JMP 8DA6180F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82459446 7 Bytes JMP 8DA617E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82459709 5 Bytes JMP 8DA617F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8245D474 5 Bytes JMP 8DA6177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82462E7D 4 Bytes JMP 8DA617B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory + 5 82462E82 2 Bytes [90, 90] {NOP ; NOP }
PAGE ntkrnlpa.exe!NtOpenThread 8246509A 5 Bytes JMP 8DA61728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82469B48 5 Bytes JMP 8DA61714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8248AD59 5 Bytes JMP 8DA617A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8249B7B2 5 Bytes JMP 8DA61837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8249C9B6 5 Bytes JMP 8DA6184B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 824DA74B 5 Bytes JMP 8DA6173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 824DA796 7 Bytes JMP 8DA61750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 824DB253 5 Bytes JMP 8DA6178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8C00C340, 0x39C537, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[672] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 009B00E1
.text C:\Windows\system32\services.exe[672] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 009B00BC
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 009B0F80
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 009B010D
.text C:\Windows\system32\services.exe[672] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 009B0086
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 009B0FDB
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 009B002C
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 009B0F91
.text C:\Windows\system32\services.exe[672] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 009B0FA2
.text C:\Windows\system32\services.exe[672] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 009B004E
.text C:\Windows\system32\services.exe[672] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 009B005F
.text C:\Windows\system32\services.exe[672] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 009B003D
.text C:\Windows\system32\services.exe[672] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 009B0097
.text C:\Windows\system32\services.exe[672] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 009B013C
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 009B001B
.text C:\Windows\system32\services.exe[672] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 009B0000
.text C:\Windows\system32\services.exe[672] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 009B00F2
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00020FCA
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 0002005B
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00020FEF
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 0002006C
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00020FB9
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 0002001B
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0002000A
.text C:\Windows\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00020036
.text C:\Windows\system32\services.exe[672] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 009D0064
.text C:\Windows\system32\services.exe[672] msvcrt.dll!system 7761804B 5 Bytes JMP 009D0049
.text C:\Windows\system32\services.exe[672] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 009D0FE3
.text C:\Windows\system32\services.exe[672] msvcrt.dll!_open 7761D106 5 Bytes JMP 009D0000
.text C:\Windows\system32\services.exe[672] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 009D0038
.text C:\Windows\system32\services.exe[672] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 009D001D
.text C:\Windows\system32\services.exe[672] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\services.exe[672] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 009A000A
.text C:\Windows\system32\services.exe[672] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 009A0FD4
.text C:\Windows\system32\services.exe[672] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 009A0FC3
.text C:\Windows\system32\services.exe[672] WS2_32.dll!socket 774736D1 5 Bytes JMP 009C0FE5
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00140F18
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00140F33
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00140EF6
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00140083
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 0014004A
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00140FDE
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 0014002F
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 00140F44
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00140F7C
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00140FA8
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00140F97
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00140FC3
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 00140F55
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 0014009E
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00140014
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00140FEF
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00140F07
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 0012004A
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00120025
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00120FEF
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00120FA8
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00120F83
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00120FDE
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00120014
.text C:\Windows\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00120FC3
.text C:\Windows\system32\lsass.exe[684] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00900FAD
.text C:\Windows\system32\lsass.exe[684] msvcrt.dll!system 7761804B 5 Bytes JMP 00900FBE
.text C:\Windows\system32\lsass.exe[684] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00900FE3
.text C:\Windows\system32\lsass.exe[684] msvcrt.dll!_open 7761D106 5 Bytes JMP 00900000
.text C:\Windows\system32\lsass.exe[684] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00900038
.text C:\Windows\system32\lsass.exe[684] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00900011
.text C:\Windows\system32\lsass.exe[684] WS2_32.dll!socket 774736D1 5 Bytes JMP 004C0000
.text C:\Windows\system32\lsass.exe[684] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00130000
.text C:\Windows\system32\lsass.exe[684] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 0013001B
.text C:\Windows\system32\lsass.exe[684] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00130FDB
.text C:\Windows\system32\lsass.exe[684] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 00130FC0
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00890F43
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00890089
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00890F21
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 008900B8
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 0089004C
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00890FB9
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00890000
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 0089006E
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00890F72
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00890F83
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 0089002F
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00890F94
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 0089005D
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 008900DD
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00890FD4
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00890FE5
.text C:\Windows\system32\svchost.exe[688] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00890F32
.text C:\Windows\system32\svchost.exe[688] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 008B005D
.text C:\Windows\system32\svchost.exe[688] msvcrt.dll!system 7761804B 5 Bytes JMP 008B0FC8
.text C:\Windows\system32\svchost.exe[688] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 008B002E
.text C:\Windows\system32\svchost.exe[688] msvcrt.dll!_open 7761D106 5 Bytes JMP 008B0000
.text C:\Windows\system32\svchost.exe[688] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 008B0FD9
.text C:\Windows\system32\svchost.exe[688] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 008B001D
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00380F57
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00380F8D
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00380FEF
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00380F7C
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00380F46
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00380FC3
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00380FD4
.text C:\Windows\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00380FA8
.text C:\Windows\system32\svchost.exe[688] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00880FE5
.text C:\Windows\system32\svchost.exe[688] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 00880FD4
.text C:\Windows\system32\svchost.exe[688] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00880FB9
.text C:\Windows\system32\svchost.exe[688] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 0088000A
.text C:\Windows\system32\svchost.exe[688] WS2_32.dll!socket 774736D1 5 Bytes JMP 008A0FEF
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00A5009D
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00A5008C
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00A50F28
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00A500BF
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 00A50F72
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00A5001B
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00A50FCA
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 00A50071
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00A50F83
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00A50FAF
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00A50F94
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00A50036
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 00A50F61
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 00A500D0
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00A50FE5
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00A5000A
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00A500AE
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00A70067
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!system 7761804B 5 Bytes JMP 00A70042
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00A7000C
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_open 7761D106 5 Bytes JMP 00A70FEF
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00A70027
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00A70FDE
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00A30051
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00A30FCA
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00A30FEF
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00A30FAF
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00A30F8A
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00A30025
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00A3000A
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00A30036
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00A4000A
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 00A40FEF
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00A40FD4
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 00A40FC3
.text C:\Windows\system32\svchost.exe[908] WS2_32.dll!socket 774736D1 5 Bytes JMP 00A60FEF
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 0065009C
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 0065008B
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00650F23
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00650F34
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 0065007A
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 0065000A
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 0065001B
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 00650F60
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00650069
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 0065003D
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 0065004E
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 0065002C
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 00650F7B
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 00650F08
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00650FD4
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00650FEF
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00650F45
.text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 0067004E
.text C:\Windows\system32\svchost.exe[980] msvcrt.dll!system 7761804B 5 Bytes JMP 0067003D
.text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00670011
.text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_open 7761D106 5 Bytes JMP 00670FEF
.text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00670022
.text C:\Windows\system32\svchost.exe[980] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00670000
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00520051
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00520FAF
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00520FEF
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00520036
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00520F9E
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 0052001B
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0052000A
.text C:\Windows\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00520FCA
.text C:\Windows\system32\svchost.exe[980] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00540FEF
.text C:\Windows\system32\svchost.exe[980] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 0054000A
.text C:\Windows\system32\svchost.exe[980] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00540025
.text C:\Windows\system32\svchost.exe[980] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 00540036
.text C:\Windows\system32\svchost.exe[980] WS2_32.dll!socket 774736D1 5 Bytes JMP 00660000
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 017100B2
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 017100A1
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 01710F1B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 77041C28 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 01710F2C
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 0171007F
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 0171001B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 01710FD4
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 01710F76
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 01710062
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 01710047
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 01710FA5
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 01710036
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 01710090
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 017100D7
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 01710FE5
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 01710000
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 01710F47
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 02070F7F
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 7761804B 5 Bytes JMP 02070F90
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 02070FB5
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 7761D106 5 Bytes JMP 02070FEF
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 02070000
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 02070FD2
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00DE0F94
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00DE001B
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00DE0FE5
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00DE002C
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00DE0051
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00DE0000
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00DE0FD4
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00DE0FA5
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 01140000
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 01140FEF
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 01140FD4
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 0114001B
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 774736D1 5 Bytes JMP 02060000
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 01260F5E
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 01260F83
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 01260F21
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 01260F32
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 01260093
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 0126001B
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 0126002C
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 01260F9E
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 01260078
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 01260FAF
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 0126005B
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 01260FC0
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 012600AE
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 01260F10
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 01260000
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 01260FE5
.text C:\Windows\System32\svchost.exe[1204] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 01260F43
.text C:\Windows\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 016C001B
.text C:\Windows\System32\svchost.exe[1204] msvcrt.dll!system 7761804B 5 Bytes JMP 016C0F9A
.text C:\Windows\System32\svchost.exe[1204] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 016C0FC6
.text C:\Windows\System32\svchost.exe[1204] msvcrt.dll!_open 7761D106 5 Bytes JMP 016C0000
.text C:\Windows\System32\svchost.exe[1204] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 016C0FAB
.text C:\Windows\System32\svchost.exe[1204] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 016C0FE3
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 01080047
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 01080036
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 01080FEF
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 01080FAF
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 01080F8A
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 01080FDE
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 01080014
.text C:\Windows\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 01080025
.text C:\Windows\System32\svchost.exe[1204] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 01110000
.text C:\Windows\System32\svchost.exe[1204] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 01110FE5
.text C:\Windows\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 0111001B
.text C:\Windows\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 01110FD4
.text C:\Windows\System32\svchost.exe[1204] WS2_32.dll!socket 774736D1 5 Bytes JMP 01270000
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 01160F1C
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 01160F37
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 01160098
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 01160087
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 01160047
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 01160FD1
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 01160FB6
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 01160F48
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 01160036
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 01160F94
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 01160F79
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 01160FA5
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 01160058
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 011600B3
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 01160011
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 01160000
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 01160F0B
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 0118004E
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!system 7761804B 5 Bytes JMP 0118003D
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 01180FC3
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_open 7761D106 5 Bytes JMP 01180FEF
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 01180018
.text C:\Windows\system32\svchost.exe[1236] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 01180FDE
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 0110006C
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 0110005B
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 01100FEF
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 01100FD4
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 0110007D
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 01100025
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0110000A
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 01100036
.text C:\Windows\system32\svchost.exe[1236] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 01150000
.text C:\Windows\system32\svchost.exe[1236] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 01150025
.text C:\Windows\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 01150036
.text C:\Windows\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 01150FDB
.text C:\Windows\system32\svchost.exe[1236] WS2_32.dll!socket 774736D1 5 Bytes JMP 01170000
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00890082
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00890067
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 008900AE
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00890F17
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 0089003B
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00890FC0
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00890FAF
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 00890F3C
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00890F61
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00890F83
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00890F72
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00890F94
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 0089004C
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 008900C9
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00890000
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00890FE5
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 0089009D
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 008F0038
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!system 7761804B 5 Bytes JMP 008F0FAD
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 008F0FD2
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_open 7761D106 5 Bytes JMP 008F0FEF
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 008F0027
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 008F000C
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00020F9E
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00020FB9
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00020040
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00020F83
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00020025
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0002000A
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00020FD4
.text C:\Windows\system32\svchost.exe[1328] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00880FEF
.text C:\Windows\system32\svchost.exe[1328] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 00880FD4
.text C:\Windows\system32\svchost.exe[1328] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00880FB9
.text C:\Windows\system32\svchost.exe[1328] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 00880F9E
.text C:\Windows\system32\svchost.exe[1328] WS2_32.dll!socket 774736D1 5 Bytes JMP 008A0FE5
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 01830F26
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 0183006C
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 01830F0B
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 018300A2
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 01830F77
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 01830FB9
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 01830F9E
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 01830F4B
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 0183005B
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 0183002F
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 01830040
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 01830014
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 01830F5C
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 018300BD
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 01830FCA
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 01830FE5
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 01830091
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 01890FB7
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!system 7761804B 5 Bytes JMP 01890FC8
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 01890027
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_open 7761D106 5 Bytes JMP 01890000
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 01890038
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 01890FE3
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 01650054
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 0165002F
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 01650FEF
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 01650FB2
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 01650065
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 01650014
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 01650FD4
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 01650FC3
.text C:\Windows\system32\svchost.exe[1436] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 017E0FEF
.text C:\Windows\system32\svchost.exe[1436] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 017E000A
.text C:\Windows\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 017E0FD4
.text C:\Windows\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 017E0FB9
.text C:\Windows\system32\svchost.exe[1436] WS2_32.dll!socket 774736D1 5 Bytes JMP 01880000
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 01C90F7C
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 01C900C2
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 01C90F50
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 01C900E7
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 01C90078
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 01C90FDB
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 01C90036
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 01C9009D
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 01C90F9E
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 01C90FAF
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 01C90051
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 01C90FC0
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 01C90F8D
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 01C90F35
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 01C90011
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 01C90000
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 01C90F6B
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 01CF0FA6
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!system 7761804B 5 Bytes JMP 01CF0FB7
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 01CF001D
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_open 7761D106 5 Bytes JMP 01CF0FEF
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 01CF0FD2
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 01CF0000
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 01BA0F97
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 01BA001E
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 01BA0FEF
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 01BA002F
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 01BA004A
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 01BA0FCD
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 01BA0FDE
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 01BA0FBC
.text C:\Windows\system32\svchost.exe[1552] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 01C40FEF
.text C:\Windows\system32\svchost.exe[1552] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 01C40000
.text C:\Windows\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 01C40FCA
.text C:\Windows\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 01C40FB9
.text C:\Windows\system32\svchost.exe[1552] WS2_32.dll!socket 774736D1 5 Bytes JMP 01CE0FEF
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00050F67
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 000500AD
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 000500DC
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00050F3B
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 0005007A
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00050022
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00050033
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 0005009C
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 0005005F
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00050FB3
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00050FA2
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00050044
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 0005008B
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 00050F20
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00050011
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00050000
.text C:\Windows\Explorer.EXE[1736] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00050F4C
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00070076
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00070040
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00070FE5
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 0007005B
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00070091
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00070FD4
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0007000A
.text C:\Windows\Explorer.EXE[1736] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00070025
.text C:\Windows\Explorer.EXE[1736] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00080F9C
.text C:\Windows\Explorer.EXE[1736] msvcrt.dll!system 7761804B 5 Bytes JMP 00080027
.text C:\Windows\Explorer.EXE[1736] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00080FD2
.text C:\Windows\Explorer.EXE[1736] msvcrt.dll!_open 7761D106 5 Bytes JMP 0008000C
.text C:\Windows\Explorer.EXE[1736] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00080FB7
.text C:\Windows\Explorer.EXE[1736] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00080FEF
.text C:\Windows\Explorer.EXE[1736] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00140FEF
.text C:\Windows\Explorer.EXE[1736] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 00140FDE
.text C:\Windows\Explorer.EXE[1736] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00140014
.text C:\Windows\Explorer.EXE[1736] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 00140025
.text C:\Windows\Explorer.EXE[1736] WS2_32.dll!socket 774736D1 5 Bytes JMP 01790FEF
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 02650F2F
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 02650F54
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 026500AB
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 0265009A
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 02650F8A
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 0265000A
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 02650025
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 02650F65
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 02650064
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 02650FAF
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 02650047
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 02650036
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 02650075
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 026500BC
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 02650FDE
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 02650FEF
.text C:\Windows\system32\svchost.exe[1888] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 02650F1E
.text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 026C0F9A
.text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!system 7761804B 5 Bytes JMP 026C001B
.text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 026C0FC6
.text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_open 7761D106 5 Bytes JMP 026C0000
.text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 026C0FAB
.text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 026C0FE3
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 02630062
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 02630FC0
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 02630FE5
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 02630047
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 02630073
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 0263001B
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0263000A
.text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 0263002C
.text C:\Windows\system32\svchost.exe[1888] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 02640FE5
.text C:\Windows\system32\svchost.exe[1888] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 02640000
.text C:\Windows\system32\svchost.exe[1888] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 02640FCA
.text C:\Windows\system32\svchost.exe[1888] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 02640FB9
.text C:\Windows\system32\svchost.exe[1888] WS2_32.dll!socket 774736D1 5 Bytes JMP 026B0FEF
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00A00F72
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00A000AE
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00A000F8
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00A000D3
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 00A0006E
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00A00011
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00A00FC0
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 00A0009D
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00A00051
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00A00F9E
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00A00040
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00A00FAF
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 00A00F83
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 00A00109
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00A00FE5
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00A00000
.text C:\Windows\system32\svchost.exe[2088] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00A00F57
.text C:\Windows\system32\svchost.exe[2088] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00DA0042
.text C:\Windows\system32\svchost.exe[2088] msvcrt.dll!system 7761804B 5 Bytes JMP 00DA0FB7
.text C:\Windows\system32\svchost.exe[2088] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00DA0FC8
.text C:\Windows\system32\svchost.exe[2088] msvcrt.dll!_open 7761D106 5 Bytes JMP 00DA000C
.text C:\Windows\system32\svchost.exe[2088] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00DA0027
.text C:\Windows\system32\svchost.exe[2088] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00DA0FE3
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 009E0F79
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 009E0F9B
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 009E0FE5
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 009E0F8A
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 009E0F68
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 009E0000
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 009E0FD4
.text C:\Windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 009E0011
.text C:\Windows\system32\svchost.exe[2088] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 009F0FEF
.text C:\Windows\system32\svchost.exe[2088] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 009F000A
.text C:\Windows\system32\svchost.exe[2088] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 009F0025
.text C:\Windows\system32\svchost.exe[2088] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 009F0036
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2368] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2368] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00780F7C
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00780F8D
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00780F3C
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 007800DD
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 00780FA8
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00780036
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00780051
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 007800C2
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00780082
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00780FD4
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00780FB9
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00780FE5
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 0078009D
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 00780F2B
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00780025
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 0078000A
.text C:\Windows\System32\svchost.exe[2664] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00780F61
.text C:\Windows\System32\svchost.exe[2664] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 007A0038
.text C:\Windows\System32\svchost.exe[2664] msvcrt.dll!system 7761804B 5 Bytes JMP 007A0FAD
.text C:\Windows\System32\svchost.exe[2664] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 007A001D
.text C:\Windows\System32\svchost.exe[2664] msvcrt.dll!_open 7761D106 5 Bytes JMP 007A0000
.text C:\Windows\System32\svchost.exe[2664] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 007A0FBE
.text C:\Windows\System32\svchost.exe[2664] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 007A0FEF
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00760F8D
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00760FB9
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00760000
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00760F9E
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00760F72
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00760FCA
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00760FDB
.text C:\Windows\System32\svchost.exe[2664] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 0076001B
.text C:\Windows\System32\svchost.exe[2664] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 00770FEF
.text C:\Windows\System32\svchost.exe[2664] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 00770000
.text C:\Windows\System32\svchost.exe[2664] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 00770FC0
.text C:\Windows\System32\svchost.exe[2664] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 00770FAF
.text C:\Windows\System32\svchost.exe[2664] WS2_32.dll!socket 774736D1 5 Bytes JMP 00790FEF
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 00C40F48
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 00C40F59
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 00C40F0B
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 00C40F26
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 00C40F8F
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 00C40FCA
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 00C4001B
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 00C40F6A
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 00C40069
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 00C4003D
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 00C40058
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 00C4002C
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 00C40084
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 00C400BD
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 00C40000
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 00C40FE5
.text C:\Windows\System32\svchost.exe[2900] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 00C40F37
.text C:\Windows\System32\svchost.exe[2900] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00C6003A
.text C:\Windows\System32\svchost.exe[2900] msvcrt.dll!system 7761804B 5 Bytes JMP 00C60029
.text C:\Windows\System32\svchost.exe[2900] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00C60FC3
.text C:\Windows\System32\svchost.exe[2900] msvcrt.dll!_open 7761D106 5 Bytes JMP 00C60FEF
.text C:\Windows\System32\svchost.exe[2900] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00C60018
.text C:\Windows\System32\svchost.exe[2900] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00C60FDE
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00890FB6
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00890047
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00890000
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00890058
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00890F9B
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00890022
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00890011
.text C:\Windows\System32\svchost.exe[2900] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00890FDB
.text C:\Windows\System32\svchost.exe[2900] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 008A0FE5
.text C:\Windows\System32\svchost.exe[2900] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 008A000A
.text C:\Windows\System32\svchost.exe[2900] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 008A0025
.text C:\Windows\System32\svchost.exe[2900] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 008A0FD4
.text C:\Windows\System32\svchost.exe[2900] WS2_32.dll!socket 774736D1 5 Bytes JMP 00C50000
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 008F0F5C
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 008F00A2
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 008F0F0B
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 008F0F26
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 008F0062
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 008F0014
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 008F0025
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 008F0087
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 008F0051
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 008F0FAF
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 008F0F94
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 008F0036
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 008F0F77
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 008F0EF0
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 008F0FD4
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 008F0FEF
.text C:\Windows\system32\svchost.exe[2928] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 008F0F4B
.text C:\Windows\system32\svchost.exe[2928] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00950F78
.text C:\Windows\system32\svchost.exe[2928] msvcrt.dll!system 7761804B 5 Bytes JMP 00950F93
.text C:\Windows\system32\svchost.exe[2928] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00950FB5
.text C:\Windows\system32\svchost.exe[2928] msvcrt.dll!_open 7761D106 5 Bytes JMP 00950FEF
.text C:\Windows\system32\svchost.exe[2928] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00950FA4
.text C:\Windows\system32\svchost.exe[2928] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00950FD2
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00020065
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 0002002F
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 0002004A
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00020076
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00020FDE
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 00020014
.text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 00020FC3
.text C:\Windows\system32\svchost.exe[2928] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 008D0FEF
.text C:\Windows\system32\svchost.exe[2928] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 008D0FD4
.text C:\Windows\system32\svchost.exe[2928] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 008D0014
.text C:\Windows\system32\svchost.exe[2928] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 008D0025
.text C:\Windows\system32\svchost.exe[2928] WS2_32.dll!socket 774736D1 5 Bytes JMP 00900000
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 009F0F44
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 009F008A
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 009F00B6
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 009F00A5
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 009F0F5F
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 009F0FCA
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 009F0FB9
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 009F0065
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 009F0F70
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 009F0F97
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 009F0039
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 009F0FA8
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 009F0054
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 009F00C7
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 009F0FDB
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 009F0000
.text C:\Windows\system32\svchost.exe[2984] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 009F0F29
.text C:\Windows\system32\svchost.exe[2984] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 00A10FBE
.text C:\Windows\system32\svchost.exe[2984] msvcrt.dll!system 7761804B 5 Bytes JMP 00A1003F
.text C:\Windows\system32\svchost.exe[2984] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 00A1002E
.text C:\Windows\system32\svchost.exe[2984] msvcrt.dll!_open 7761D106 5 Bytes JMP 00A10000
.text C:\Windows\system32\svchost.exe[2984] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 00A10FCF
.text C:\Windows\system32\svchost.exe[2984] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 00A1001D
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 00930F8A
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 00930FAF
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 00930FE5
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 00930036
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 00930F79
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 00930FCA
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[2984] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 0093001B
.text C:\Windows\system32\svchost.exe[2984] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 009A0FE5
.text C:\Windows\system32\svchost.exe[2984] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 009A0FCA
.text C:\Windows\system32\svchost.exe[2984] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 009A0FB9
.text C:\Windows\system32\svchost.exe[2984] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 009A0000
.text C:\Windows\system32\svchost.exe[2984] WS2_32.dll!socket 774736D1 5 Bytes JMP 00A00000
.text C:\Program[2996] USER32.dll!SetScrollRange 77C1D185 8 Bytes JMP 01C100D9
.text C:\Program[2996] USER32.dll!SetScrollInfo 77C271D8 8 Bytes JMP 01C10000
.text C:\Program[2996] USER32.dll!SetScrollPos 77C43602 8 Bytes JMP 01C101CA
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!GetStartupInfoW 77041929 5 Bytes JMP 007C0F0E
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!GetStartupInfoA 770419C9 5 Bytes JMP 007C004A
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreateProcessW 77041BF3 5 Bytes JMP 007C0EE9
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreateProcessA 77041C28 5 Bytes JMP 007C0080
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!VirtualProtect 77041DC3 5 Bytes JMP 007C0F55
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreateNamedPipeA 77042EF5 5 Bytes JMP 007C0FC3
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreateNamedPipeW 77045C0C 5 Bytes JMP 007C000A
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreatePipe 77068E6E 5 Bytes JMP 007C0F29
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!LoadLibraryExW 77069109 5 Bytes JMP 007C0F7C
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!LoadLibraryW 77069362 5 Bytes JMP 007C0F97
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!LoadLibraryExA 770694B4 5 Bytes JMP 007C0039
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!LoadLibraryA 770694DC 5 Bytes JMP 007C0FA8
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!VirtualProtectEx 7706DBDA 5 Bytes JMP 007C0F3A
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!GetProcAddress 7708903B 5 Bytes JMP 007C0ED8
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreateFileW 7708AECB 5 Bytes JMP 007C0FD4
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!CreateFileA 7708CE5F 5 Bytes JMP 007C0FE5
.text C:\Windows\System32\svchost.exe[3088] kernel32.dll!WinExec 770D5CF7 5 Bytes JMP 007C0065
.text C:\Windows\System32\svchost.exe[3088] msvcrt.dll!_wsystem 77617F2F 5 Bytes JMP 007D0F75
.text C:\Windows\System32\svchost.exe[3088] msvcrt.dll!system 7761804B 5 Bytes JMP 007D0F86
.text C:\Windows\System32\svchost.exe[3088] msvcrt.dll!_creat 7761BBE1 5 Bytes JMP 007D0FC6
.text C:\Windows\System32\svchost.exe[3088] msvcrt.dll!_open 7761D106 5 Bytes JMP 007D0FEF
.text C:\Windows\System32\svchost.exe[3088] msvcrt.dll!_wcreat 7761D326 5 Bytes JMP 007D0FAB
.text C:\Windows\System32\svchost.exe[3088] msvcrt.dll!_wopen 7761D501 5 Bytes JMP 007D0000
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegCreateKeyExA 763839AB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegCreateKeyExA 763839AB 5 Bytes JMP 002E0FAF
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegCreateKeyA 76383BA9 5 Bytes JMP 002E0051
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegOpenKeyA 763889C7 5 Bytes JMP 002E000A
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegCreateKeyW 7639391E 5 Bytes JMP 002E0FC0
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegCreateKeyExW 763941F1 5 Bytes JMP 002E0F9E
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegOpenKeyExA 76397C42 5 Bytes JMP 002E0025
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegOpenKeyW 7639E2B5 5 Bytes JMP 002E0FEF
.text C:\Windows\System32\svchost.exe[3088] ADVAPI32.dll!RegOpenKeyExW 763A7BA1 5 Bytes JMP 002E0040
.text C:\Windows\System32\svchost.exe[3088] WININET.dll!InternetOpenA 7645D690 5 Bytes JMP 002F0FE5
.text C:\Windows\System32\svchost.exe[3088] WININET.dll!InternetOpenW 7645DB09 5 Bytes JMP 002F0FD4
.text C:\Windows\System32\svchost.exe[3088] WININET.dll!InternetOpenUrlA 7645F3A4 5 Bytes JMP 002F000A
.text C:\Windows\System32\svchost.exe[3088] WININET.dll!InternetOpenUrlW 764A6DDF 5 Bytes JMP 002F0FAF
.text C:\Windows\System32\svchost.exe[3088] WS2_32.dll!socket 774736D1 5 Bytes JMP 00980FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74B2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ADBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ACF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ACE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74B08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ADDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ACFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ACFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ACD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85005369

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [2996] 0x00400000
Library C:\Program (*** hidden *** ) @ C:\Program [2996] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197dfe5618
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197dfe5618@00e09173fc3c 0xDD 0xC6 0x10 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00197dfe5618 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00197dfe5618@00e09173fc3c 0xDD 0xC6 0x10 0x36 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85005369]<<
kernel: MBR read successfully
user & kernel MBR OK

#8 Dalilama

Posted 01 December 2009 - 11:59 AM

Also, I did not receive any notification from your last reply. I checked my email address on file and it is correct, so the simplest answer wasn't the case...

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:52 AM

Posted 01 December 2009 - 11:59 AM

Hi,

that's how things work :( They wait till you turn your back to finish. :(

Anyhow the logs paint a pretty clear picture of the infection.

Could you please try the following:
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types". If you need help doing this, please refer to this tutorial for help: How to see hidden files in Windows

Right click My Computer, left click Explore, then make sure that view is reduced (press the "double-square" symbol upper right hand corner) so you can also see the desktop.

Navigate to the following folder:

C:\Windows\System32\Drivers

If needed go to View and click List, to make the file view easier to look through.

Then locate the following files, right click them, drag them to the desktop, release and select Move Here:

atapi.sys
iastor.sys

Then press F5 to refresh the view, and make sure Windows replaced the atapi.sys and iastor.sys file in the Drivers folder. If it did not, let me know here and put the desktop copy back in the Drivers folder by reversing the steps just done.

Either way let me know how you did with that before we move to some next steps.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 Dalilama

Posted 01 December 2009 - 12:07 PM

Thanks for the quick replies. I went in to do as suggested and cannot move the atapi.sys file at all. I don't have permission and when I go in to give full control to me as the user/admin, it won't allow the change. Additionally, there is no iastor.sys file there, only iaStorV.sys. Any other suggestions on how to move them?

#11 myrti

Posted 01 December 2009 - 12:16 PM

Hi,

ok, if you can not move atapi.sys then please do the following:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti


#12 Dalilama

Posted 01 December 2009 - 12:58 PM

Combofix appears to have unleashed the devil in the computer. I cannot keep it running in normal mode since it has already crashed with 2 BSODs: one due to some IRQL-xxxx problem and another as a result of a page fault. It does come up in safe mode though, at least.

The scan had made it past stage 4. I stepped out for a minute and upon my return it was rebooting on its own already, yet consistently unsuccessfully. What is your suggestion for next steps?

#13 myrti

Posted 01 December 2009 - 01:05 PM

Hi,

your PC is still booting normally without Combofix though?

Please try the following tool then instead:
  • We are going to run this special tool.
    • Please download TDSSKiller.rar and save it to your desktop.
    • Extract the rar file to your desktop.
    • Double click on TDSSKiller.exe to run it.
    • When it has finished, press any key to continue.
    • If needed reboot the computer.
  • Go to Start => Run and copy/paste the following line and click OK.

    cmd /c mbr.exe -t >log.txt&start log.txt

    A log file opens. Please post the content to your reply.


#14 Dalilama

Posted 01 December 2009 - 01:17 PM

I finally got it to stay stable in normal mode and am trying to run combofix again to see if it can complete the scans. I'll repost in about 10 minutes once I see if it either finishes the scan or crashes again. It will probably have some issues though, since McAfee isn't even in the taskbar but still blocked some file while this combofix scan was running. Up to stage 6A so far. If it crashes, I'll try the other special file you suggested above and include the log. Details to follow soon.

#15 Dalilama

Posted 01 December 2009 - 01:46 PM

Ok, ComboFix ran through its entirety and generated a log I am posting here. The scan took about 1/2 hr, so something is up with my rig obviously...

ComboFix 09-12-01.01 - mdali 12/01/2009 13:12.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1173 [GMT -5:00]
Running from: c:\users\mdali\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\mdali\AppData\Roaming\inst.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\1376939437.dat
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 18:30 . 2009-12-01 18:30 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-01 18:30 . 2009-12-01 18:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-01 14:24 . 2009-12-01 14:24 77312 ----a-w- C:\mbr.exe
2009-11-25 01:19 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 19:52 . 2009-11-24 19:52 0 ----a-w- c:\windows\system32\settings.dat
2009-11-24 19:30 . 2009-11-24 19:30 -------- d-----w- c:\program files\Trend Micro
2009-11-24 19:24 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 19:24 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 18:46 . 2009-09-30 17:11 288096 ----a-r- c:\users\mdali\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-11-24 18:45 . 2009-11-24 18:45 -------- d-----w- c:\users\mdali\AppData\Roaming\McAfee
2009-11-23 02:46 . 2009-11-23 02:46 -------- d-----w- c:\users\mdali\AppData\Roaming\Malwarebytes
2009-11-23 02:46 . 2009-11-23 02:46 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 02:46 . 2009-11-23 02:46 -------- d-----w- c:\programdata\Malwarebytes
2009-11-21 18:12 . 2009-11-23 04:40 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-21 18:11 . 2009-11-21 18:11 -------- d-----w- c:\programdata\PC Tools
2009-11-21 18:11 . 2009-11-23 04:32 28672 d-----w- c:\program files\Spyware Doctor
2009-11-21 18:11 . 2009-11-21 18:11 -------- d-----w- c:\users\mdali\AppData\Roaming\PC Tools
2009-11-21 00:44 . 2009-11-21 00:44 -------- d-----w- c:\users\mdali\AppData\Local\Threat Expert
2009-11-20 19:32 . 2009-11-20 19:32 4096 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-20 19:32 . 2009-11-20 19:32 -------- d-----w- c:\program files\Lavasoft(83)
2009-11-11 06:38 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 06:38 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 18:00 . 2007-07-01 18:57 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-30 23:48 . 2007-05-11 20:23 4096 d-----w- c:\program files\Google
2009-11-29 22:55 . 2007-09-08 15:37 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-26 15:31 . 2007-04-30 23:54 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-24 18:44 . 2009-08-17 01:30 4096 d-----w- c:\program files\McAfee
2009-11-24 18:44 . 2009-08-17 01:15 4096 d-----w- c:\programdata\McAfee
2009-11-23 13:11 . 2007-04-30 21:33 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-23 05:30 . 2009-09-10 23:56 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-23 05:06 . 2007-08-01 02:37 4096 d-----w- c:\program files\Java
2009-11-23 04:39 . 2008-11-15 18:51 4096 d-----w- c:\programdata\HP Product Assistant
2009-11-23 04:39 . 2008-06-08 14:29 -------- d-----w- c:\program files\Lavasoft
2009-11-23 04:39 . 2007-05-01 02:42 4096 d-----w- c:\program files\IrfanView
2009-11-20 14:37 . 2007-08-26 21:16 -------- d-----w- c:\users\mdali\AppData\Roaming\Vso
2009-11-13 04:00 . 2008-01-11 20:59 8192 d-----w- c:\users\mdali\AppData\Roaming\Azureus
2009-11-13 03:41 . 2009-09-14 02:49 4096 d-----w- c:\users\mdali\AppData\Roaming\HpUpdate
2009-11-12 00:36 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 14:47 . 2007-05-01 01:01 24576 d-----w- c:\programdata\Microsoft Help
2009-11-06 20:08 . 2009-09-19 03:55 4096 d-----w- c:\program files\Common Files\DivX Shared
2009-11-02 17:47 . 2007-05-25 16:51 4096 d-----w- c:\users\mdali\AppData\Roaming\Image Zone Express
2009-11-01 03:15 . 2007-09-29 15:25 8192 d-----w- c:\program files\DivX
2009-10-31 19:29 . 2007-11-09 19:02 4096 d-----w- c:\users\mdali\AppData\Roaming\Skype
2009-10-30 15:49 . 2009-10-30 15:49 -------- d-----w- c:\programdata\3DVIA
2009-10-29 03:34 . 2009-10-29 03:34 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-29 03:33 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-29 03:33 . 2009-10-29 03:33 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-29 03:31 . 2009-10-29 03:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 03:11 . 2007-07-01 18:42 4096 d-----w- c:\program files\Common Files\LogiShrd
2009-10-29 03:10 . 2007-04-30 23:35 -------- d-----w- c:\programdata\Logitech
2009-10-26 23:23 . 2007-05-03 00:44 80689 ----a-w- c:\users\mdali\AppData\Roaming\nvModes.dat
2009-10-26 21:57 . 2009-10-26 21:57 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-10-26 21:56 . 2009-10-26 21:56 746760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-10-26 21:56 . 2009-10-26 21:56 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-10-14 17:40 . 2009-10-14 17:40 296280 ----a-w- c:\programdata\LogiShrd\LQCVFX\Filters\VMSEF.dll
2009-10-14 17:37 . 2009-10-14 17:37 6781272 ----a-w- c:\programdata\LogiShrd\LQCVFX\Filters\MMSEF.dll
2009-10-11 09:17 . 2008-12-30 01:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 18:40 . 2008-08-08 13:16 4096 d-----w- c:\users\mdali\AppData\Roaming\MiniLyrics
2009-10-08 21:08 . 2009-10-29 00:44 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-29 00:44 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-29 00:44 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 12:49 . 2009-10-07 12:49 6756632 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2009-10-07 12:48 . 2009-10-07 12:48 539160 ----a-w- c:\windows\system32\LVUI2RC.dll
2009-10-07 12:48 . 2009-10-07 12:48 539160 ----a-w- c:\windows\system32\LVUI2.dll
2009-10-07 12:47 . 2009-10-07 12:47 266008 ----a-w- c:\windows\system32\drivers\lvrs.sys
2009-10-07 12:46 . 2009-10-07 12:46 114712 ----a-w- c:\windows\system32\drivers\lvpopflt.sys
2009-10-07 12:43 . 2009-10-07 12:43 199192 ----a-w- c:\windows\system32\lvci12101110.dll
2009-10-07 12:43 . 2009-10-07 12:43 416280 ----a-w- c:\windows\system32\lvcodec2.dll
2009-10-07 12:24 . 2009-10-07 12:24 34068 ----a-w- c:\windows\system32\Repository.reg
2009-10-07 05:46 . 2009-10-07 05:46 25752 ----a-w- c:\windows\system32\drivers\LVPr2Mon.sys
2009-10-07 05:25 . 2009-10-07 05:25 85302 ----a-w- c:\windows\system32\drivers\LVFeL102.cfg
2009-10-07 05:25 . 2009-10-07 05:25 69592 ----a-w- c:\windows\system32\drivers\LVFaL100.cfg
2009-10-07 05:25 . 2009-10-07 05:25 227172 ----a-w- c:\windows\system32\drivers\LVFeL100.cfg
2009-10-07 05:25 . 2009-10-07 05:25 146680 ----a-w- c:\windows\system32\drivers\LVFeL101.cfg
2009-10-07 05:23 . 2009-10-07 05:23 13584 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
2009-10-05 23:13 . 2007-08-18 19:40 4096 d-----w- c:\program files\Common Files\Remote Control Software Common
2009-10-03 14:12 . 2007-05-01 00:13 16384 d-----w- c:\programdata\DVD Shrink
2009-10-01 01:02 . 2009-10-29 00:47 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-29 00:47 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-29 00:47 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-29 00:47 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-29 00:47 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-29 00:47 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-29 00:47 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-29 00:47 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-29 00:47 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-29 00:47 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-29 00:47 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-29 00:47 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-29 00:47 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-29 00:47 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-29 00:47 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-29 00:47 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-25 02:10 . 2009-10-29 00:48 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-29 00:48 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-29 00:48 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-29 00:48 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-29 00:48 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-29 00:48 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-29 00:48 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-29 00:48 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-29 00:48 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-29 00:48 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-29 00:48 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-29 00:48 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-29 00:48 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-29 00:48 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-29 00:48 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-29 00:48 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-29 00:48 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-29 00:48 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-29 00:48 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-29 00:48 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-29 00:48 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-29 00:48 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-29 00:48 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:57 . 2006-11-22 14:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2009-03-07 571056]
"GFI Backup 2009 - Home Edition"="c:\progra~1\GFI\GFIBAC~1\GFIAgent.exe" [2009-09-05 1669416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-11 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-01-12 303104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-31 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^mdali^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\mdali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ec,f5,37,d3,51,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3131491969-3378533542-3382806781-1000]
"EnableNotificationsRef"=dword:00000001

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [7/5/2009 9:57 PM 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [7/5/2009 9:57 PM 1238824]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/16/2009 8:34 PM 210216]
S2 0275071258036288mcinstcleanup;McAfee Application Installer Cleanup (0275071258036288);c:\windows\TEMP\027507~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\027507~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9a43bf3d0f2e0;Google Update Service (gupdate1c9a43bf3d0f2e0);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2009 7:29 PM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [9/11/2008 1:23 AM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 00:29]

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 00:29]

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3131491969-3378533542-3382806781-1000Core.job
- c:\users\mdali\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 03:01]

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3131491969-3378533542-3382806781-1000UA.job
- c:\users\mdali\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 03:01]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-15 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-15 16:22]

2009-12-01 c:\windows\Tasks\User_Feed_Synchronization-{D88FCACD-209C-4626-9A27-D763806BD310}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: interpublic.com\mail
Trusted Zone: mcafee.com
DPF: Photobucket Publisher - hxxp://pic.photobucket.com/plugins/csve/photobucket_publisher.CAB
DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/vista/prog/CLVistaGenie.cab
FF - ProfilePath - c:\users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\mdali\AppData\Roaming\Mozilla\Firefox\Profiles\5h1fdi1t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npphbkpublish2.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\users\mdali\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\mdali\AppData\Local\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\NVUNINST.EXE UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 13:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85002369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82fa2d24
\Driver\ACPI -> acpi.sys @ 0x8069fd68
\Driver\atapi -> ataport.SYS @ 0x807bba2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-01 13:38
ComboFix-quarantined-files.txt 2009-12-01 18:38

Pre-Run: 17,059,155,968 bytes free
Post-Run: 17,084,596,224 bytes free

- - End Of File - - 42C508AC0074D6B150C8226749FDC47C