
Virus/browser hijack issues


This topic is locked
17 replies to this topic

#1 joepa92


Posted 24 November 2009 - 09:34 PM

This started several days ago. McAfee lists 2 outbound events:
C:\Program Files\Common Files\MIcrosoft Shared\DW\DW20.EXE
and C:\Documents and Settings\Peter\Local Settings\Temp\c72bb6b4.exe.

The second is when it hit the fan. McAfee then removed Html\FakeAV(trojan), but my system was hijacked (background, task manager etc.)
-I ran Malwarebytes (twice), Dr Web (twice) and SAS. All logs attached.
-I was still having browser hijacking issues, so I deleted several add-ons; unfortunately I can not list what I removed.
-It seems as if my sent packets are still much higher than what I previously remember, although I'm probably paying more attention to it now. Looking for some help on whether I'm clean or if there are next steps. Attaching DDS log and rootkit.

Any help would be greatly appreciated.

-----Malwarebytes logs---
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 9
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
----Malware 2----

Files Infected:
C:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
---Dr Web----
Process in memory: C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe:168;;BackDoor.Tdss.565;Eradicated.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1133;Cured.;
and
mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Incurable.Moved.;
----SAS---
Memory items scanned : 484
Memory threats detected : 0
Registry items scanned : 597
Registry threats detected : 0
File items scanned : 11084
File threats detected : 34

Adware.Tracking Cookie
C:\Documents and Settings\Peter\Cookies\peter@insightexpressai[2].txt
C:\Documents and Settings\Peter\Cookies\peter@specificclick[1].txt
C:\Documents and Settings\Peter\Cookies\peter@bs.serving-sys[1].txt
C:\Documents and Settings\Peter\Cookies\peter@tribalfusion[1].txt
C:\Documents and Settings\Peter\Cookies\peter@content.yieldmanager[3].txt
C:\Documents and Settings\Peter\Cookies\peter@rambler[1].txt
C:\Documents and Settings\Peter\Cookies\peter@ads.pointroll[2].txt
C:\Documents and Settings\Peter\Cookies\peter@questionmarket[1].txt
C:\Documents and Settings\Peter\Cookies\peter@pointroll[2].txt
C:\Documents and Settings\Peter\Cookies\peter@serving-sys[1].txt
C:\Documents and Settings\Peter\Cookies\peter@trafficmp[1].txt
C:\Documents and Settings\Peter\Cookies\peter@cdn4.specificclick[1].txt
C:\Documents and Settings\Peter\Cookies\peter@kodakimagingnetwork.122.2o7[1].txt
C:\Documents and Settings\Peter\Cookies\peter@a1.interclick[2].txt
C:\Documents and Settings\Peter\Cookies\peter@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\Peter\Cookies\peter@richmedia.yahoo[1].txt
C:\Documents and Settings\Peter\Cookies\peter@specificmedia[2].txt
C:\Documents and Settings\Peter\Cookies\peter@d.mediaforceads[1].txt
C:\Documents and Settings\Peter\Cookies\peter@apmebf[1].txt
C:\Documents and Settings\Peter\Cookies\peter@revsci[2].txt
C:\Documents and Settings\Peter\Cookies\peter@ad.yieldmanager[1].txt
C:\Documents and Settings\Peter\Cookies\peter@eas.apm.emediate[2].txt
C:\Documents and Settings\Peter\Cookies\peter@statcounter[1].txt
C:\Documents and Settings\Peter\Cookies\peter@content.yieldmanager[2].txt
C:\Documents and Settings\Peter\Cookies\peter@2o7[2].txt
C:\Documents and Settings\Peter\Cookies\peter@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Peter\Cookies\peter@collective-media[1].txt
C:\Documents and Settings\Peter\Cookies\peter@interclick[2].txt
C:\WINDOWS\Temp\Cookies\peter@media.adrevolver[1].txt
C:\WINDOWS\Temp\Cookies\peter@questionmarket[2].txt
C:\WINDOWS\Temp\Cookies\peter@imrworldwide[2].txt
C:\WINDOWS\Temp\Cookies\peter@adrevolver[1].txt
C:\WINDOWS\Temp\Cookies\peter@insightexpressai[2].txt
C:\WINDOWS\Temp\Cookies\peter@trafficmp[1].txt
----DDS---
DDS (Ver_09-11-24.02) - NTFSx86
Run by Peter at 21:01:01.09 on Tue 11/24/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1952 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\eHome\ehmsas.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Peter\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://home.peoplepc.com/search
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 3.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.onemorelevel.com/monkeymaze.php"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: cnet.com\download
Trusted Zone: live.com\onecare
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [2005-8-29 485888]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\visorusb.sys --> c:\windows\system32\drivers\VisorUsb.sys [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-12-9 13088]

=============== Created Last 30 ================

2009-11-24 01:50:43 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-24 01:50:33 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 01:50:33 0 d-----w- c:\docume~1\peter\applic~1\SUPERAntiSpyware.com
2009-11-24 01:49:46 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-22 20:51:07 0 d-----w- c:\program files\Trend Micro
2009-11-21 02:34:18 0 d-----w- c:\documents and settings\peter\DoctorWeb
2009-11-18 22:43:37 0 d-----w- c:\docume~1\peter\applic~1\Malwarebytes
2009-11-18 22:43:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-18 22:43:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 22:43:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-18 22:43:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-25 01:48:53 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2008-12-17 02:16:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121620081217\index.dat

============= FINISH: 21:02:08.37 ===============

Attached Files

  • ark.txt (2.74 KB)
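As an added example (not code from the post or from Malwarebytes), here is a small Python parser for the Malwarebytes log layout above. It pulls each finding with its section, family and remediation status, and turns the "Registry Data Items" entries (the Security Center notify flags, the wallpaper/Active Desktop policies and DisableTaskMgr) into the hive/key/value/good-value tuples an analyst re-checks after cleanup, flagging any entry the scanner did not report as fully removed. The sample log and its "Delete on reboot." status line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the Malwarebytes Anti-Malware log layout quoted in the post
# above; the last data item's status is made up to exercise the "not yet fixed" path.
SAMPLE_LOG = """\
Registry Keys Infected: 1
Registry Data Items Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Delete on reboot.
"""

# Section headers end in a bare colon; the summary lines at the top carry a count
# after the colon and therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Registry data items carry the bad/good pair before the remediation status.
DATA_ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<status>.+)$"
)
# Keys, values, folders and files: path (family) -> status.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<status>.+)$")

OK_STATUS = "Quarantined and deleted successfully."


@dataclass
class Finding:
    section: str
    path: str
    family: str
    status: str
    bad: Optional[str] = None
    good: Optional[str] = None

    @property
    def remediated(self) -> bool:
        return self.status == OK_STATUS


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log line by line, tracking the current section."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DATA_ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m["path"], m["family"], m["status"],
                                    m["bad"], m["good"]))
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m["path"], m["family"], m["status"]))
    return findings


def split_value_path(path: str) -> Tuple[str, str, str]:
    """Split 'HIVE\\key\\subkey\\ValueName' into (hive, key, value name)."""
    hive, _, rest = path.partition("\\")
    key, _, value = rest.rpartition("\\")
    return hive, key, value


def policy_restores(findings: List[Finding]) -> List[Tuple[str, str, str, str]]:
    """(hive, key, value, expected good value) for every hijacked data item, so the
    current state can be re-read after cleanup regardless of what the log claimed."""
    out = []
    for f in findings:
        if f.section == "Registry Data Items Infected" and f.good is not None:
            hive, key, value = split_value_path(f.path)
            out.append((hive, key, value, f.good))
    return out


def unremediated(findings: List[Finding]) -> List[Finding]:
    """Entries the scanner did not report as quarantined and deleted."""
    return [f for f in findings if not f.remediated]


def families(findings: List[Finding]) -> List[str]:
    """Distinct detection families, for a quick view of what was on the box."""
    return sorted({f.family for f in findings})


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("families:", families(found))
    for item in policy_restores(found):
        print("re-check:", item)
    for f in unremediated(found):
        print("NOT fully remediated:", f.path, "->", f.status)
```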


#2 myrti (Malware Study Hall Admin)

Posted 29 November 2009 - 03:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti



#3 joepa92 (Topic Starter)

Posted 29 November 2009 - 04:58 PM

Thanks for responding. Still here; I haven't done much since my post, just hoping for help to see if I'm still infected. The only thing I didn't mention in my first post is that Defender kept finding Win32/Renos; it would repair it, then it would recur every time I started up. This has stopped since my Malwarebytes run. I downloaded OTL and ran it, then while it was running, my Windows Update ran, so I reran it. Only the OTL file came out with the second run. I'm posting the second OTL file with the original Extras.

----
OTL logfile created on: 11/29/2009 4:45:20 PM - Run 2
OTL by OldTimer - Version 3.1.11.2 Folder = C:\Documents and Settings\Peter\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.95 Gb Available Physical Memory | 97.74% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 19.86 Gb Free Space | 13.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/29 16:32:09 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTL.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/25 01:11:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2006/11/03 18:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005/12/09 14:37:42 | 00,081,920 | ---- | M] (Logitech Inc.) -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
PRC - [2005/12/09 14:32:18 | 00,225,280 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE
PRC - [2005/04/22 13:00:00 | 00,102,400 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
PRC - [2005/04/22 12:45:38 | 00,290,816 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
PRC - [2005/03/30 04:57:08 | 00,360,448 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/03/22 23:20:44 | 00,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\STSYSTRA.EXE
PRC - [2004/12/06 01:05:00 | 00,127,035 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2004/11/01 16:22:22 | 00,262,144 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\ElkCtrl.exe
PRC - [2004/07/27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2009/11/29 16:32:09 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTL.exe
MOD - [2005/12/09 14:37:42 | 00,086,016 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2008/12/09 16:24:58 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/09 12:37:02 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/03/07 14:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/12/09 14:37:42 | 00,081,920 | ---- | M] (Logitech Inc.) -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/03/30 04:57:08 | 00,360,448 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/03/03 22:11:32 | 00,466,944 | ---- | M] (Dell) -- C:\WINDOWS\System32\dlbtcoms.exe -- (dlbt_device)


========== Driver Services (SafeList) ==========

DRV - [2009/11/11 10:44:50 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/11 10:44:48 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/11 10:44:46 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/11/20 14:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 13:45:34 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:40:30 | 00,096,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/03/08 21:18:00 | 00,008,320 | ---- | M] (GARMIN Corp.) -- C:\WINDOWS\system32\drivers\grmnusb.sys -- (grmnusb)
DRV - [2007/02/25 11:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/12/30 16:28:18 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\system32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/12/09 14:37:42 | 02,400,256 | ---- | M] () -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (lvmvdrv)
DRV - [2005/12/09 14:37:42 | 00,016,768 | ---- | M] () -- C:\WINDOWS\system32\drivers\LVPrcMon.sys -- (LVPrcMon)
DRV - [2005/12/09 14:35:54 | 02,174,464 | ---- | M] () -- C:\WINDOWS\system32\drivers\Lvckap.old.sys -- (Lvckap)
DRV - [2005/12/05 22:28:38 | 00,014,080 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2005/12/05 22:28:33 | 01,103,488 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 5000(UVC)
DRV - [2005/12/05 22:26:54 | 02,010,240 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2005/12/05 22:26:16 | 00,039,424 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2005/08/29 22:20:29 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/06/29 14:49:44 | 00,425,984 | ---- | M] (Pinnacle Systems) -- C:\WINDOWS\system32\drivers\MarvinUsb.sys -- (PinnacleMarvinUsb)
DRV - [2005/06/02 18:28:38 | 00,171,008 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/03/31 19:22:16 | 00,180,096 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/03/30 05:03:06 | 01,035,264 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/02/23 17:40:26 | 00,011,264 | ---- | M] (VOB Computersysteme GmbH) -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2005/02/09 11:59:00 | 00,014,165 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\system32\drivers\Pclepci.sys -- (PCLEPCI)
DRV - [2004/12/06 01:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/11/02 15:12:14 | 00,019,456 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2004/10/14 20:30:46 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2004/08/10 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/28 02:43:00 | 00,485,888 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\atinewp2.sys -- (atinewp2)
DRV - [2004/07/14 11:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/16 03:52:40 | 00,061,157 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 04:15:34 | 00,647,929 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 04:14:42 | 01,233,525 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 04:13:38 | 00,037,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2002/11/08 19:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2002/05/22 12:42:42 | 00,015,326 | ---- | M] (Palm, Inc.) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2001/08/30 09:15:36 | 00,007,812 | ---- | M] () -- C:\WINDOWS\system32\visorusb.dll -- (VisorUsb)
DRV - [2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 12:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\S-1-5-21-3256905171-1493133729-3034488767-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2009/01/18 11:28:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Mozilla\Extensions
[2009/01/18 11:28:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Dell Photo AIO Printer 922] C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe ()
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [DLBTCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.DLL ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe (Logitech Inc.)
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\STSYSTRA.EXE (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla\4.0 ( File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2007/11/04 19:43:09 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2007/11/04 19:43:09 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2007/11/04 19:43:09 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2007/11/04 19:43:09 | 00,000,000 | ---D | M]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 75 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 75 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 75 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 75 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\..Trusted Domains: cnet.com ([download] http in Trusted sites)
O15 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\..Trusted Domains: live.com ([onecare] http in Trusted sites)
O15 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3256905171-1493133729-3034488767-1005\..Trusted Domains: 77 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab (DwnldGroupMgr Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.134 68.87.72.134
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/21 15:57:12 | 00,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bb8a5636-e57c-11dd-a02b-00123f9e77a3}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/29 16:31:51 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTL.exe
[2009/11/24 21:06:49 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Peter\Desktop\RootRepeal.exe
[2009/11/23 20:50:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/23 20:50:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
[2009/11/23 20:50:33 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/23 20:49:46 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/11/22 16:31:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\My Documents\adoption
[2009/11/22 15:51:07 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/22 15:10:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\My Documents\ProcessExp
[2009/11/20 21:34:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\DoctorWeb
[2009/11/18 17:43:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\Malwarebytes
[2009/11/18 17:43:20 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/18 17:43:17 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/18 17:43:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/18 17:43:16 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/29 16:47:57 | 00,524,198 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/29 16:47:57 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/29 16:47:57 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/29 16:46:43 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/29 16:44:16 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/29 16:44:09 | 00,028,047 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/11/29 16:43:39 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/29 16:43:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/29 16:43:31 | 26,824,08960 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/29 16:43:30 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/11/29 16:42:10 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\Peter\NTUSER.DAT
[2009/11/29 16:42:10 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Peter\ntuser.ini
[2009/11/29 16:41:43 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/29 16:32:09 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTL.exe
[2009/11/29 07:13:24 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\Best Man Speech.doc
[2009/11/24 21:07:30 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\settings.dat
[2009/11/24 21:07:01 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Peter\Desktop\RootRepeal.exe
[2009/11/24 21:00:16 | 00,524,800 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\dds.scr
[2009/11/23 20:50:38 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/23 20:49:06 | 07,375,392 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\SUPERAntiSpyware.exe
[2009/11/22 18:27:17 | 00,000,737 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/22 18:27:17 | 00,000,243 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/22 18:27:17 | 00,000,209 | RHS- | M] () -- C:\boot.ini
[2009/11/22 16:28:16 | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2009/11/22 15:51:07 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\HijackThis.lnk
[2009/11/21 06:39:25 | 00,000,102 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\DrWeb2.csv
[2009/11/20 22:18:27 | 00,000,172 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\DrWeb1.csv
[2009/11/18 17:43:24 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/16 14:23:09 | 00,001,289 | ---- | M] () -- C:\WINDOWS\VFO.INI
[2009/11/13 15:07:38 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/11/13 07:23:35 | 00,000,945 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2009/11/11 12:24:13 | 00,234,368 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/03 19:56:40 | 00,202,752 | ---- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/02 20:42:06 | 00,195,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/11/02 16:49:59 | 00,870,128 | ---- | M] () -- C:\WINDOWS\System32\mcs.rma
[2009/11/02 16:49:59 | 00,000,004 | ---- | M] () -- C:\WINDOWS\System32\DA3ED0
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/25 15:44:07 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\Peter\My Documents\Best Man Speech.doc
[2009/11/24 21:07:30 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\settings.dat
[2009/11/24 21:00:05 | 00,524,800 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\dds.scr
[2009/11/24 20:48:55 | 26,824,08960 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/23 20:50:38 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/23 20:48:59 | 07,375,392 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\SUPERAntiSpyware.exe
[2009/11/22 15:51:07 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\HijackThis.lnk
[2009/11/21 06:39:25 | 00,000,102 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\DrWeb2.csv
[2009/11/20 22:18:27 | 00,000,172 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\DrWeb1.csv
[2009/11/18 17:43:24 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/26 16:12:00 | 00,000,015 | ---- | C] () -- C:\WINDOWS\qtw.ini
[2008/01/18 17:33:18 | 00,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini
[2007/06/04 20:51:02 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/25 20:22:22 | 00,000,643 | ---- | C] () -- C:\WINDOWS\program.ini
[2007/02/25 20:08:49 | 00,070,144 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2007/02/25 20:08:49 | 00,046,080 | ---- | C] () -- C:\WINDOWS\System32\VORBIS.DLL
[2007/02/25 20:08:49 | 00,018,944 | ---- | C] () -- C:\WINDOWS\System32\VCEDIT.DLL
[2007/02/25 20:08:49 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\vorbisfile.dll
[2007/02/25 20:08:48 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\OGG.DLL
[2007/02/25 20:08:45 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007/02/11 13:44:54 | 00,000,120 | ---- | C] () -- C:\Documents and Settings\Peter\Application Data\FixVTS.ini
[2006/05/21 17:11:54 | 00,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2006/05/21 16:11:16 | 00,194,248 | ---- | C] () -- C:\WINDOWS\System32\LTRFD13n.DLL
[2006/05/21 15:42:17 | 00,001,289 | ---- | C] () -- C:\WINDOWS\VFO.INI
[2006/05/21 15:42:16 | 00,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll
[2006/05/21 15:42:16 | 00,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2006/05/21 15:42:16 | 00,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll
[2006/05/21 15:42:16 | 00,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll
[2006/05/21 15:42:16 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2006/04/17 18:38:18 | 00,000,196 | ---- | C] () -- C:\Documents and Settings\Peter\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2006/04/08 14:08:14 | 00,013,126 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/04/08 13:05:02 | 00,000,719 | R--- | C] () -- C:\WINDOWS\System32\InstExec.ini
[2006/03/04 13:33:59 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/02/26 18:51:26 | 00,021,075 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/12/09 14:37:42 | 02,400,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVMVdrv.sys
[2005/12/09 14:37:42 | 00,016,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPrcMon.sys
[2005/12/09 14:35:54 | 02,174,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.old.sys
[2005/09/18 08:00:03 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/09/04 11:40:19 | 00,000,945 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2005/09/03 19:51:32 | 00,007,812 | ---- | C] () -- C:\WINDOWS\System32\visorusb.dll
[2005/09/03 12:43:53 | 00,202,752 | ---- | C] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/09/03 12:27:13 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/03 11:15:14 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\fusioncache.dat
[2005/08/29 22:27:50 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/29 22:22:22 | 00,000,276 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/08/29 21:49:20 | 00,000,375 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/06/22 13:37:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/05/05 14:50:14 | 00,000,378 | ---- | C] () -- C:\WINDOWS\System32\dlbtplc.ini
[2005/04/15 05:18:44 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\dlbtinsr.dll
[2005/04/15 05:18:38 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\dlbtcur.dll
[2005/04/15 05:18:22 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\dlbtjswr.dll
[2005/04/15 04:57:36 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlbtinsb.dll
[2005/04/15 04:57:32 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\dlbtcub.dll
[2005/04/15 04:57:26 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\dlbtins.dll
[2005/04/15 04:56:34 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbtcu.dll
[2005/04/15 04:42:34 | 00,397,312 | ---- | C] () -- C:\WINDOWS\System32\dlbtutil.dll
[2005/04/12 21:20:38 | 00,126,976 | ---- | C] () -- C:\WINDOWS\System32\dlbtsnls.dll
[2005/04/12 21:19:58 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlbtcoin.dll
[2005/02/23 21:14:36 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbtvs.dll
[2004/12/20 17:24:03 | 01,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/08/19 16:20:39 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/19 16:01:43 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/03 22:59:44 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[1999/01/27 12:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 06:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
< End of report >
----
OTL Extras logfile created on: 11/29/2009 4:34:00 PM - Run 1
OTL by OldTimer - Version 3.1.11.2 Folder = C:\Documents and Settings\Peter\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.83 Gb Available Physical Memory | 91.28% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 19.90 Gb Free Space | 13.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL -- File not found
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe" = C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems, Inc.)
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe" = C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile -- ( )
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe" = C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Disabled:umi -- (Pinnacle Systems, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00020409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Standard
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{08E2EC5A-9C9D-4472-AB52-4165774BB8D8}" = Studio 10.5 Patch
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{36BD0774-6CD6-4FF9-A148-83CA09AC123E}" = Intel® PROSafe for Wired Connections
"{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"{3CB05291-F546-458E-A796-B5BCF5A3CDC4}" = Studio 10
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{403EF592-953B-4794-BCEF-ECAB835C2095}" = Intel® PROSafe for Wired Connections
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{625BD732-ACDF-4552-BF22-98EBB413B6F3}" = McAfee Shredder
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.9
"{6A012D9C-2E2E-405A-B87C-E909F5297C3F}" = Studio 10 Bonus DVD
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83C1CC71-704D-4B4D-8382-7C3B53B2FC65}" = G21922EN
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{900A92BA-19EF-4A34-86CF-7B6C85BDD971}" = VC_MergeModuleToMSI
"{90D451F1-1F43-4AEC-8F24-D11972551D0E}" = GMATPrep™
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}" = DiscAPI (Studio 10)
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio module
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{BA0F44C2-A883-11D1-AD0A-006097D15E2C}" = Palm Desktop and Synchronization Software
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C191BE7C-8542-4A61-973A-714EF76C5995}" = Logitech QuickCam Software
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}" = MSN Messenger 7.5
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
"{D2A0F8F4-CE50-4857-A21C-3061682B2E87}" = Sansa Media Converter
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{DE58B061-6936-4913-AA5C-682E49356D86}" = TurboTax 2008 wmiiper
"{DE659AC8-EEF0-4115-AA0C-6500D194FB10}" = Garmin Training Center v5
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{ED775CE1-E9F7-41C4-BE91-C925E6D5F513}" = Studio 10.5.2 Patch
"{EEECE229-49F6-4851-A73A-99B058221F8C}" = RAPID (Studio 10)
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{F445476A-42DE-11D4-80D0-00C04F2750A6}" = Epocrates Essentials
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Comcast Rhapsody" = Comcast Rhapsody
"Dell Photo AIO Printer 922" = Dell Photo AIO Printer 922
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"ESPNMotion" = ESPNMotion
"HijackThis" = HijackThis 2.0.2
"Hollywood FX for Studio" = Pinnacle Hollywood FX for Studio
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"MSC" = McAfee SecurityCenter
"My Amazing Human Body" = My Amazing Human Body
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa 3" = Picasa 3
"PokerStars" = PokerStars
"PokerStars.net" = PokerStars.net
"proDAD-Heroglyph-2.0" = proDAD Heroglyph 2.0
"PROSetDX" = Intel® PRO Network Connections Software v9.2.4.11
"QcDrv" = Logitech® Camera Driver
"RealPlayer 6.0" = RealPlayer Basic
"RipIt4Me" = RipIt4Me
"StatCoder.com STAT Cholesterol_Growth-BP_Cardiac Clearance_JNC 7_GRACE" = StatCoder.com STAT Cholesterol_Growth-BP_Cardiac Clearance_JNC 7_GRACE
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TomTom HOME" = TomTom HOME 2.5.2.60
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3256905171-1493133729-3034488767-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ESPN Java Check" = ESPN Java Check
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:20 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:21 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/25/2009 9:21:21 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/27/2009 9:38:53 AM | Computer Name = OFFICE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 1.1.1593.0,
P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 11/27/2009 8:48:17 PM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/27/2009 9:18:17 PM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/27/2009 9:48:17 PM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/27/2009 10:18:17 PM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/29/2009 7:51:33 AM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/29/2009 8:21:33 AM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/29/2009 8:51:33 AM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/29/2009 9:08:45 AM | Computer Name = OFFICE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/29/2009 9:21:33 AM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

Error - 11/29/2009 5:27:56 PM | Computer Name = OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service ehSched with
arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home
  • Local time:12:58 AM

Posted 29 November 2009 - 07:15 PM

Hi,

Please also provide a rootkit scan from GMER:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

You may be infected with a rather nasty rootkit.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 joepa92

joepa92
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:58 PM

Posted 30 November 2009 - 09:13 AM

Running scan this morning, I won't be able to post the log until tonight. In the off chance this will help, here are some of the files it picked up in the quick scan:

SSDT: SASKUTIL.SYS
CODE: systemroot/system32/drivers/mfehidk.sys (about 20 of these)
.text & PAGE: htkrnlpa.exe
Windows/system32/drivers/mohfilt.sys

#6 joepa92

joepa92
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:58 PM

Posted 30 November 2009 - 05:50 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 17:47:37
Windows 5.1.2600 Service Pack 3
Running: bgv9s6j4.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\pwtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2FB10B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2EF378B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2EF3822]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2EF3739]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB2EF374D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2EF3836]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2EF3862]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB2EF38D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB2EF38BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB2EF37CB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB2EF38FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB2EF380E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2EF3711]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2EF3725]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB2EF379F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2EF3938]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB2EF38A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB2EF388E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB2EF384C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2EF3924]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2EF3910]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2EF3777]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2EF3763]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2EF3878]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB2EF38E6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB2EF37E1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB2EF37B5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B2EF37B9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2EF378F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B2EF37CF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B2EF37E5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B2EF37A3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B2EF3715 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B2EF3729 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B2EF3767 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B2EF3751 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP B2EF373D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B2EF377B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP B2EF3892 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP B2EF387C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP B2EF38EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP B2EF38A8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP B2EF3850 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 2 Bytes JMP B2EF3826 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey + 3 806237B5 2 Bytes [8D, 32] {LEA ESI, [EDX]}
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP B2EF383A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP B2EF3866 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP B2EF38D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP B2EF38BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP B2EF3812 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP B2EF393C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP B2EF3914 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP B2EF3928 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP B2EF3900 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xBA49B760]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F65
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F76
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F91
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0FA2
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FC7
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F2D
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0075
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD009A
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F01
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0EE6
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD004E
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F4A
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD003D
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0022
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F12
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093002F
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006F
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093004A
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F90
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC6
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB5
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FC0
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F86
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007006F
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007005E
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070043
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F6B
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700B3
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700D5
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700C4
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700FA
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070096
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FCD
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060FBD
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006007A
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060069
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0006004E
.text C:\WINDOWS\system32\services.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FB7
.text C:\WINDOWS\system32\services.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FC8
.text C:\WINDOWS\system32\services.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050038
.text C:\WINDOWS\system32\services.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80F66
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D8005B
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80F81
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80FA8
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F44
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80F55
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800A7
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D80F0E
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80EF3
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80080
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D80F1F
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70025
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70F8A
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70FCA
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70051
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F7, 88]
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\lsass.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\lsass.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\lsass.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D6003A
.text C:\WINDOWS\system32\lsass.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\lsass.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\lsass.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D6001D
.text C:\WINDOWS\system32\lsass.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90047
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F52
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F63
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90F80
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FB6
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90084
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90073
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90EEB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90EFC
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E9009F
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90FA5
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FDB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90058
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F17
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80062
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FCA
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80051
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B80036
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80FAF
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70F93
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FA4
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FB5
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FE3
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FD2
.text C:\WINDOWS\system32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30098
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D30087
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30FAD
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30076
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30040
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D300CE
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30F88
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D30F50
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D300E9
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D300FA
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D3005B
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D300B3
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D30F6B
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20051
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20080
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20040
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20FB9
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[1076] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10F7A
.text C:\WINDOWS\system32\svchost.exe[1076] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10F95
.text C:\WINDOWS\system32\svchost.exe[1076] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10FC1
.text C:\WINDOWS\system32\svchost.exe[1076] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[1076] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10FB0
.text C:\WINDOWS\system32\svchost.exe[1076] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10FDE
.text C:\WINDOWS\system32\svchost.exe[1076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02710FEF
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02710F5C
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02710F6D
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02710F7E
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02710FA5
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0271002C
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02710F2E
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02710F3F
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027100B6
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0271009B
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027100C7
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02710047
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02710FCA
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02710076
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0271001B
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02710000
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02710F13
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F00025
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01F0006C
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01F0000A
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01F00FD4
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01F00051
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01F00FE5
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01F00040
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01F00FB9
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01EF0036
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 01EF0FA1
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01EF0FCD
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01EF0000
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01EF0FBC
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01EF0011
.text C:\WINDOWS\System32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EE000A
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01ED0FEF
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01ED0FDE
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01ED000A
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01ED002F
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F7E
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F99
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0073
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0062
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0FDB
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B00A1
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0084
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00C6
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F23
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00D7
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0FB6
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F63
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0036
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0F34
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0022
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0062
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0FD1
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0011
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0051
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007A0FA5
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9A, 88]
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0FB6
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790055
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790FCA
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790029
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0079003A
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F6D
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F7E
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90062
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90051
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F3A
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F4B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900C9
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900B8
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900DA
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90040
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F5C
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B9009D
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B8008E
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80FD1
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B80069
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80058
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FAD
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70038
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7001D
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FC8
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02A40FEF
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02A40F9E
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02A40FAF
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02A4007D
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02A4006C
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02A40047
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02A400DC
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02A400BF
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02A40F68
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02A40F83
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02A40F4D
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02A40FC0
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02A4000A
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02A400AE
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02A4002C
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02A4001B
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02A40101
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F80FCA
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01F80F8D
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01F8001B
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01F80FE5
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01F80F9E
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01F80000
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01F80040
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01F80FB9
.text C:\WINDOWS\Explorer.EXE[1944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01770FA6
.text C:\WINDOWS\Explorer.EXE[1944] msvcrt.dll!system 77C293C7 5 Bytes JMP 01770FB7
.text C:\WINDOWS\Explorer.EXE[1944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01770FD2
.text C:\WINDOWS\Explorer.EXE[1944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01770FEF
.text C:\WINDOWS\Explorer.EXE[1944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01770027
.text C:\WINDOWS\Explorer.EXE[1944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0177000C
.text C:\WINDOWS\Explorer.EXE[1944] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\Explorer.EXE[1944] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1944] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\Explorer.EXE[1944] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\Explorer.EXE[1944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01740FEF
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40FE5
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D40069
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40058
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40047
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D40F8A
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40FC0
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40097
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D40086
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D400C3
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D40F2A
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D40F0F
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40FAF
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40F4F
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D4002C
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D40011
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D400A8
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D30033
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D30F94
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D30022
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D30011
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D30FA5
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D30FB6
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F3, 88]
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D30FC7
.text C:\WINDOWS\system32\svchost.exe[2032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D2006B
.text C:\WINDOWS\system32\svchost.exe[2032] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2005A
.text C:\WINDOWS\system32\svchost.exe[2032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D2002E
.text C:\WINDOWS\system32\svchost.exe[2032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D2000C
.text C:\WINDOWS\system32\svchost.exe[2032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20049
.text C:\WINDOWS\system32\svchost.exe[2032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D2001D
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01470FEF
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01470089
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01470078
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01470051
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01470F9E
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01470FB9
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01470F52
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014700A4
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014700DA
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01470F41
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01470F30
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01470040
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0147000A
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01470F79
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01470FCA
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0147001B
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014700B5
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0146000A
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01460051
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01460FB9
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01460FCA
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01460036
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01460FE5
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01460F9E
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [66, 89]
.text C:\WINDOWS\system32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01460025
.text C:\WINDOWS\system32\svchost.exe[2220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01450036
.text C:\WINDOWS\system32\svchost.exe[2220] msvcrt.dll!system 77C293C7 5 Bytes JMP 01450FAB
.text C:\WINDOWS\system32\svchost.exe[2220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01450FD7
.text C:\WINDOWS\system32\svchost.exe[2220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01450000
.text C:\WINDOWS\system32\svchost.exe[2220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01450FC6
.text C:\WINDOWS\system32\svchost.exe[2220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01450011
.text C:\WINDOWS\system32\svchost.exe[2220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01440FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Peter\Desktop\bgv9s6j4.exe[584] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Peter\Desktop\bgv9s6j4.exe[584] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802DB0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Peter\Desktop\bgv9s6j4.exe[584] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Peter\Desktop\bgv9s6j4.exe[584] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802DC0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003C2F60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003C2DB0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003C2D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003C2DC0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008E2F60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008E2DB0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008E2D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008E2DC0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00D02F60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00D02DB0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00D02D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00D02DC0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dlbtcoms.exe[2260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B02F60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dlbtcoms.exe[2260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B02DB0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dlbtcoms.exe[2260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B02D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dlbtcoms.exe[2260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B02DC0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat AF08CD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----
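
The "User code sections" block above lists inline hooks (5-byte JMP patches on exported functions) in Explorer.EXE and several svchost.exe instances, every one of them redirected to an address GMER does not attribute to a loaded module. The script below is an added example, not part of this thread and not GMER's own code: it parses that format, including the hooks GMER reports in two pieces ("2 Bytes JMP" followed by a "+ 3" remainder line), and summarises per process which API families are hooked, how many distinct 64 KiB regions the trampolines live in, and how many targets have no backing module. The sample log is constructed from lines in the same format as the posted one; its last line, showing a target attributed to LVPrcInj.dll, is hypothetical and only exercises the module-labelled form.

```python
import re

# Constructed sample in the format of GMER 1.0.15's "User code sections" output,
# modelled on the log posted in this thread. The last line is hypothetical: it
# shows how GMER labels a JMP target that falls inside a loaded module.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02A4002C
.text C:\WINDOWS\Explorer.EXE[1944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02A40101
.text C:\WINDOWS\Explorer.EXE[1944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F80FCA
.text C:\WINDOWS\Explorer.EXE[1944] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\Explorer.EXE[1944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01740FEF
.text C:\WINDOWS\system32\svchost.exe[2032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D400C3
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D30FB6
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F3, 88]
.text C:\Documents and Settings\Peter\Desktop\bgv9s6j4.exe[584] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00802D70 C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"        # process image and PID
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)"                     # hooked module!export
    r"(?:\s+\+\s+(?P<off>\d+))?\s+"                       # "+ 3": tail of a hook GMER split in two
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
# "JMP <target>", optionally followed by "<module path> (<description>)"; GMER adds
# the module only when the target lies inside a loaded image.
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<tmod>.+?)\s+\((?P<tdesc>[^)]*)\))?\s*$"
)

def categorize(func):
    """Coarse capability bucket for a hooked export, for triage only."""
    f = func.lower()
    if f.startswith(("createprocess", "winexec")) or f in ("system", "_wsystem"):
        return "process"
    if f.startswith(("loadlibrary", "getprocaddress")):
        return "library"
    if f.startswith("reg"):
        return "registry"
    if f.startswith(("createfile", "ntcreatefile", "_open", "_wopen", "_creat", "_wcreat")):
        return "file"
    if "pipe" in f:
        return "ipc"
    if f == "socket" or f.startswith("internetopen"):
        return "network"
    if f.startswith("virtualprotect"):
        return "memory"
    return "other"

def parse_hooks(text):
    """One dict per .text line; lines in any other format are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"], h["addr"] = int(h["pid"]), int(h["addr"], 16)
        h["nbytes"], h["off"] = int(h["nbytes"]), int(h["off"] or 0)
        j = JMP_RE.match(h.pop("rest"))
        h["target"] = int(j["target"], 16) if j else None
        h["target_module"] = j["tmod"] if j else None
        h["category"] = categorize(h["func"])
        hooks.append(h)
    return hooks

def summarize(hooks):
    """Per process: hooked API families, distinct trampoline regions (64 KiB
    allocation granules of the JMP targets), targets with no backing module,
    and hooks GMER reported in two pieces."""
    out = {}
    for h in hooks:
        key = f"{h['proc']}[{h['pid']}]"
        s = out.setdefault(key, {"count": 0, "split": 0, "unbacked": 0,
                                 "categories": set(), "regions": set()})
        if h["off"]:                      # continuation line of a hook already counted
            s["split"] += 1
            continue
        s["count"] += 1
        s["categories"].add(h["category"])
        if h["target"] is not None:
            s["regions"].add(h["target"] & ~0xFFFF)
            if h["target_module"] is None:
                s["unbacked"] += 1
    return out

def report(summary):
    """Human-readable lines; flags processes whose process-creation and
    network APIs are both redirected into memory no module accounts for."""
    lines = []
    for proc, s in sorted(summary.items()):
        flag = ""
        if s["unbacked"] and {"process", "network"} <= s["categories"]:
            flag = "  <- process and network APIs hooked into unbacked memory: identify the injector"
        lines.append(f"{proc}: {s['count']} hooks ({', '.join(sorted(s['categories']))}); "
                     f"{len(s['regions'])} trampoline region(s); {s['unbacked']} unbacked; "
                     f"{s['split']} split{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(parse_hooks(SAMPLE_LOG)))))
```

The summary does not decide whether the injector is the FakeAV or a security product; both McAfee's HIPS and malware hook exactly these exports. What it gives the responder is the shape of the hook set per process (which families, how many trampoline regions) so the unbacked regions can be dumped and attributed, rather than reading two hundred near-identical lines by eye.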

#7 myrti (Malware Study Hall Admin)

Posted 01 December 2009 - 09:26 AM

Hi,

the logs are looking good. As a final step I would like to check your system with Eset:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please also run a search for proquota:
Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    proquota.exe
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply
In addition, Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 joepa92 (Topic Starter)

Posted 01 December 2009 - 09:58 AM

Will do this tonight. Thanks. Quick question, when I reconnect to the internet, I get a burst of 500-1000 sent packets. Is this normal? I don't recall it being this way before, but I may not have been looking as closely before this.

#9 myrti (Malware Study Hall Admin)

Posted 01 December 2009 - 11:29 AM

Hi,

it is difficult to say what is causing those spikes. It may be programs looking for updates.
Once you are connected to the internet, please do the following:
  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:
    cmd
  • type netstat -b >log.txt & log.txt
  • a log file will open. Please save that log and post the content in your next reply.
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


The log file will show the internet connections established when you connect to the web. This will show if there are any malicious sites among it.

regards myrti



#10 joepa92 (Topic Starter)

Posted 01 December 2009 - 10:03 PM

OK...continued thanks for your help.

McAfee flagged the OTL.exe file from my desktop today as a trojan...Artemis!E9ED92BC1BC9 (Trojan). It automatically repaired and removed it.

Ran the ESET scan and it did not find anything and didn't give me a log output option probably for that reason.

system look:
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:37 on 01/12/2009 by Peter (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\i386\proquota.exe --a--- 50176 bytes [16:49 04/09/2005] [10:00 10/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [01:51 17/12/2008] [10:00 10/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [22:21 03/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-

Uninstalled all Java apps, and installed the new version.

Here are a few startup logs from netstat:

----1----

Active Connections

Proto Local Address Foreign Address State PID
TCP Office:1146 localhost:1147 SYN_SENT 276
[iexplore.exe]

TCP Office:1148 origin-codecs.microsoft.com:http SYN_SENT 828
[mcproxy.exe]

TCP Office:1147 localhost:1146 SYN_RECEIVED 828
[mcproxy.exe]

TCP Office:1100 localhost:1101 ESTABLISHED 3400
[iexplore.exe]

TCP Office:1101 localhost:1100 ESTABLISHED 828
[mcproxy.exe]

TCP Office:1128 localhost:1129 ESTABLISHED 276
[iexplore.exe]

TCP Office:1129 localhost:1128 ESTABLISHED 828
[mcproxy.exe]

TCP Office:1131 localhost:1132 ESTABLISHED 276
[iexplore.exe]

TCP Office:1132 localhost:1131 ESTABLISHED 828
[mcproxy.exe]

TCP Office:1134 localhost:1135 ESTABLISHED 276
[iexplore.exe]

TCP Office:1135 localhost:1134 ESTABLISHED 828
[mcproxy.exe]

TCP Office:1102 iw-in-f138.1e100.net:http ESTABLISHED 828
[mcproxy.exe]

TCP Office:1130 ir1.fp.vip.ac4.yahoo.com:http ESTABLISHED 828
[mcproxy.exe]

TCP Office:1133 l9.ycs.vip.a4e.yahoo.com:http ESTABLISHED 828
[mcproxy.exe]

TCP Office:1136 l9.ycs.vip.a4e.yahoo.com:http ESTABLISHED 828
[mcproxy.exe]

TCP Office:1123 localhost:5152 FIN_WAIT_2 276
[iexplore.exe]

TCP Office:5152 localhost:1123 CLOSE_WAIT 3228
[jqs.exe]

TCP Office:1065 localhost:5152 TIME_WAIT 0
TCP Office:1067 localhost:1068 TIME_WAIT 0
TCP Office:1085 localhost:1086 TIME_WAIT 0
TCP Office:1089 localhost:1088 TIME_WAIT 0
TCP Office:1126 localhost:1125 TIME_WAIT 0
TCP Office:1140 localhost:1141 TIME_WAIT 0
TCP Office:1144 localhost:1143 TIME_WAIT 0
TCP Office:1044 72.5.123.29:http TIME_WAIT 0
TCP Office:1046 rdcds2.ord.llnw.net:http TIME_WAIT 0
TCP Office:1048 72.5.123.29:http TIME_WAIT 0
TCP Office:1049 rdcds2.ord.llnw.net:http TIME_WAIT 0
TCP Office:1051 72.5.123.29:http TIME_WAIT 0
TCP Office:1052 rdcds2.ord.llnw.net:http TIME_WAIT 0
TCP Office:1054 72.5.123.29:http TIME_WAIT 0
TCP Office:1055 rdcds2.ord.llnw.net:http TIME_WAIT 0
TCP Office:1057 72.5.123.29:http TIME_WAIT 0
TCP Office:1058 rdcds2.ord.llnw.net:http TIME_WAIT 0
TCP Office:1060 72.5.123.29:http TIME_WAIT 0
TCP Office:1061 rdcds2.ord.llnw.net:http TIME_WAIT 0
TCP Office:1075 l9.ycs.vip.a4e.yahoo.com:http TIME_WAIT 0
TCP Office:1078 l9.ycs.vip.a4e.yahoo.com:http TIME_WAIT 0
TCP Office:1087 bs1.ads.vip.ac4.yahoo.com:http TIME_WAIT 0
TCP Office:1142 bs1.ads.vip.ac4.yahoo.com:http TIME_WAIT 0

----2----

Active Connections

Proto Local Address Foreign Address State PID
TCP Office:1518 localhost:1519 ESTABLISHED 1280
[iexplore.exe]

TCP Office:1519 localhost:1518 ESTABLISHED 1252
[mcproxy.exe]

TCP Office:1520 iw-in-f138.1e100.net:http ESTABLISHED 1252
[mcproxy.exe]

TCP Office:1525 us.mcafee.com:https ESTABLISHED 3388
[mcupdmgr.exe]

TCP Office:1526 us.mcafee.com:https ESTABLISHED 3388
[mcupdmgr.exe]

TCP Office:1523 us.mcafee.com:https TIME_WAIT 0
TCP Office:ingreslock us.mcafee.com:https TIME_WAIT 0
----3----

Active Connections

Proto Local Address Foreign Address State PID
TCP Office:1520 iw-in-f138.1e100.net:http TIME_WAIT 0
TCP Office:1523 us.mcafee.com:https TIME_WAIT 0
TCP Office:ingreslock us.mcafee.com:https TIME_WAIT 0
TCP Office:1525 us.mcafee.com:https TIME_WAIT 0
TCP Office:1528 a96-17-151-96.deploy.akamaitechnologies.com:http TIME_WAIT 0
TCP Office:1529 a96-17-151-96.deploy.akamaitechnologies.com:http TIME_WAIT 0
TCP Office:1530 a96-17-151-96.deploy.akamaitechnologies.com:http TIME_WAIT 0
TCP Office:1531 a96-17-151-96.deploy.akamaitechnologies.com:http TIME_WAIT 0
TCP Office:1532 a96-17-151-96.deploy.akamaitechnologies.com:http TIME_WAIT 0
TCP Office:1533 a96-17-151-96.deploy.akamaitechnologies.com:http TIME_WAIT 0
TCP Office:1549 iw-in-f138.1e100.net:http TIME_WAIT 0
TCP Office:1558 iw-in-f138.1e100.net:http TIME_WAIT 0

forgot to attach system look

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:37 on 01/12/2009 by Peter (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\i386\proquota.exe --a--- 50176 bytes [16:49 04/09/2005] [10:00 10/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [01:51 17/12/2008] [10:00 10/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [22:21 03/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-

Edited by joepa92, 01 December 2009 - 10:05 PM.
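
The `netstat -b` dumps in this post are small enough to read by hand, but the question they are meant to answer is a structural one: which processes actually hold sockets to external hosts, and which only appear to, because they talk to a local proxy that holds the real connections (here iexplore.exe through McAfee's mcproxy.exe). The script below is an added example, not part of this thread, that parses the Windows XP `netstat -b` layout (each connection row followed by the DLL chain and the `[owner]` line netstat prints for it) and works that out. The sample dump is constructed in the posted format; the 203.0.113.7 / unknownsvc.exe entry is hypothetical and exists only to exercise the component-chain handling.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows XP "netstat -b", modelled on the dumps
# posted in this thread. The 203.0.113.7 / unknownsvc.exe entry is hypothetical and
# only exercises the component lines netstat prints between a row and its [owner].
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Office:1100            localhost:1101         ESTABLISHED     3400
  [iexplore.exe]

  TCP    Office:1101            localhost:1100         ESTABLISHED     828
  [mcproxy.exe]

  TCP    Office:1102            iw-in-f138.1e100.net:http  ESTABLISHED  828
  [mcproxy.exe]

  TCP    Office:1123            localhost:5152         FIN_WAIT_2      276
  [iexplore.exe]

  TCP    Office:5152            localhost:1123         CLOSE_WAIT      3228
  [jqs.exe]

  TCP    Office:1525            us.mcafee.com:https    ESTABLISHED     3388
  [mcupdmgr.exe]

  TCP    Office:1044            72.5.123.29:http       TIME_WAIT       0
  TCP    Office:1600            203.0.113.7:8080       ESTABLISHED     1520
  C:\WINDOWS\system32\WS2_32.dll
  [unknownsvc.exe]
"""

# proto, local host:port, foreign host:port, optional state (absent for UDP), PID
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<lhost>[^\s:]+):(?P<lport>\S+)\s+"
    r"(?P<fhost>[^\s:]+):(?P<fport>\S+)(?:\s+(?P<state>[A-Z_0-9]+))?\s+(?P<pid>\d+)$"
)
OWNER_RE = re.compile(r"^\[(?P<owner>[^\]]+)\]$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_netstat_b(text):
    """One dict per connection row, with the [owner] and any component lines
    (DLLs) netstat printed underneath it attached."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            c = m.groupdict()
            c["pid"], c["owner"], c["components"] = int(c["pid"]), None, []
            conns.append(c)
            # PID 0 rows (TIME_WAIT leftovers) get no ownership lines from netstat.
            current = c if c["pid"] else None
            continue
        m = OWNER_RE.match(line)
        if m and current is not None:
            current["owner"] = m["owner"]
            current = None
        elif current is not None:
            current["components"].append(line)
    return conns

def is_loopback(host):
    return host in ("localhost", "127.0.0.1")

def external_by_owner(conns):
    """Owner -> [(peer, state)] for every connection that leaves the host."""
    out = defaultdict(list)
    for c in conns:
        if c["fhost"] == "*" or is_loopback(c["fhost"]):
            continue
        label = c["owner"] or f"pid {c['pid']}"   # PID 0: socket closed, owner gone
        out[label].append((f"{c['fhost']}:{c['fport']}", c["state"]))
    return out

def loopback_pairs(conns):
    """(owner, peer owner) for processes connected to each other over loopback,
    matched by swapped (local port, foreign port). Assumes one row per local port."""
    by_lport = {c["lport"]: c for c in conns if is_loopback(c["fhost"]) and c["owner"]}
    pairs = set()
    for c in by_lport.values():
        peer = by_lport.get(c["fport"])
        if peer and peer["fport"] == c["lport"]:
            pairs.add((c["owner"], peer["owner"]))
    return pairs

def forwarders(conns):
    """Client owner -> owners it reaches the network through: the loopback peer
    holds external sockets while the client itself holds none."""
    ext = external_by_owner(conns)
    out = defaultdict(set)
    for client, peer in loopback_pairs(conns):
        if ext.get(peer) and not ext.get(client):
            out[client].add(peer)
    return dict(out)

def bare_ip_peers(conns):
    """External peers netstat could not resolve to a name: a weak but cheap triage signal."""
    return {c["fhost"] for c in conns
            if IPV4_RE.match(c["fhost"]) and not is_loopback(c["fhost"])}

if __name__ == "__main__":
    conns = parse_netstat_b(SAMPLE)
    for owner, peers in sorted(external_by_owner(conns).items()):
        print(owner, "->", ", ".join(f"{p} [{s}]" for p, s in peers))
    for client, via in forwarders(conns).items():
        print(f"{client} holds no external sockets; reaches the network via {', '.join(sorted(via))}")
    print("unresolved peers:", ", ".join(sorted(bare_ip_peers(conns))))
```

Against the posted dumps this reproduces myrti's reading below: the browser's sockets all terminate at mcproxy.exe on loopback, mcproxy.exe and mcupdmgr.exe hold the external ones, and the PID 0 TIME_WAIT rows to 72.5.123.29 and the CDN hosts are closed sockets whose owner is no longer attributable. A process that owns external sockets and is not one you recognise (the hypothetical unknownsvc.exe in the sample) is the row to chase, including the DLL chain netstat recorded for it.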


#11 myrti (Malware Study Hall Admin)

Posted 02 December 2009 - 05:32 PM

Hi,

you didn't forget to attach the log, it was the first thing in your reply. :(

The logs from netstat look legit to me. It seems that the connections are made by McAfee trying to phone home, probably in order to check for updates, and by Internet Explorer.

Please run the following command to restore proquota.exe into your system32 folder:
  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:
    copy C:\WINDOWS\ServicePackFiles\i386\proquota.exe C:\windows\system32
  • It should say 1 file(s) copied.. If it does not please let me know.
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


Please also update your software:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Let me know if you had any trouble with this.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#12 joepa92

joepa92
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 02 December 2009 - 08:04 PM

I did the Java yesterday. My file had everything but the -p extension, but it's 6 version 17.
Copied the proquota ok.
Updated Adobe.

What about McAfee flagging otl.exe...

And now I have a red circle with a white x in my tray that says...warning you have exceeded your profile space by 2312651 kb. What is this?!

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:58 AM

Posted 02 December 2009 - 08:14 PM

Hi,

recently many anti virus programs have flagged OTL. I don't know why they would do such a thing, but I can tell you that this is a false positive. The site and the downloaded file are clean and trustworthy.
In fact geekstogo.com is a big and known anti-malware community just like bleepingcomputer.com, and the author of OTL, OldTimer, is a well respected member of our and other forums and has been helping us fight malware for years.
Since we do not need OTL any longer, I guess it is not an issue, otherwise I would have asked you to download it once more.


The disk quota message should be disabled as follows:
Go to my computer. Right click on the hard drive and go to properties. There is a quota tab. Then uncheck disk quota.

Let me know if that works,
regards myrti



#14 joepa92

joepa92
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 02 December 2009 - 08:18 PM

Ok, just was curious.

The enable disk quota is already unchecked. I went to shut down and it stopped me...then a pop up came up and it's including every file in My Documents in my profile. Telling me to move them to a local drive. Is this related to the proquota.exe copy?

Edited by joepa92, 02 December 2009 - 08:25 PM.


#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:58 AM

Posted 02 December 2009 - 08:37 PM

Hi,

Yes, it is related to the copying. The malware you had deleted the clean copy of proquota.exe and put itself in its place. Afterwards it enabled disk quota management to be executed.
The malicious proquota.exe was deleted some time ago, but disk quota management wasn't disabled and when we now restored the clean copy the disk quota management finally started working.
  • Please follow steps 1-3 behind this link to backup your registry with ERUNT (use current date while naming the location).
  • Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableProfileQuota"=-
  • Doubleclick fix.reg; when a window pops up and asks if this information should be merged, press Yes and OK.
Let me know if that fixes your problem.
regards myrti

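The fix.reg above works because, in the Registry Editor 5.00 format, a value line of the form `"Name"=-` deletes that value rather than setting it. The following is an added example, not code from the thread or from any tool it mentions: a minimal parser for that format, applied to a constructed in-memory stand-in for the registry, showing that merging the fix removes the leftover EnableProfileQuota policy value. The `[-Key]` delete-key form and `;` comment lines are handled as well; default values (`@=`) and multi-line hex data are deliberately out of scope.

```python
import re

# Constructed example, not the thread's code: parse the .reg format well enough
# to see what merging fix.reg does to the Policies\System key.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=-
"""

def parse_reg(text):
    """Return ("set", key, name, raw), ("delete_value", key, name)
    or ("delete_key", key) operations, in file order."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != "Windows Registry Editor Version 5.00":
        raise ValueError("not a Registry Editor 5.00 file")
    ops, key = [], None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):        # blank or comment line
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", ln)  # [Key] or [-Key]
        if m:
            key = m.group(2)
            if m.group(1):
                ops.append(("delete_key", key))
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)+)"=(.+)', ln)  # "Name"=data
        if m and key is not None:
            name, raw = m.group(1), m.group(2)
            ops.append(("delete_value", key, name) if raw == "-"
                       else ("set", key, name, raw))
    return ops

def apply_ops(registry, ops):
    """Apply operations to registry, a dict of {key: {name: raw_value}}."""
    for op in ops:
        if op[0] == "delete_key":
            registry.pop(op[1], None)
        elif op[0] == "delete_value":
            registry.get(op[1], {}).pop(op[2], None)
        else:
            registry.setdefault(op[1], {})[op[2]] = op[3]
    return registry

def profile_quota_policy_present(registry):
    """True while the policy value that triggers the quota warnings exists."""
    return "EnableProfileQuota" in registry.get(POLICY_KEY, {})

def constructed_registry():
    # Constructed state mirroring the thread: the policy value was left behind.
    return {POLICY_KEY: {"EnableProfileQuota": "dword:00000001"}}
```

Running `apply_ops(constructed_registry(), parse_reg(FIX_REG))` leaves the key in place but without the EnableProfileQuota value, which is exactly the state the fix restores.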




