
Possible Keylogger/tracker


  • This topic is locked
10 replies to this topic

#1 sund

sund

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 22 December 2009 - 11:50 AM

Hello,
Hope you guys can help. I have run Malwarebytes, Spybot, McAfee and am still having passwords changed.
Also made the Attach and the DDS files, but could not run RootRepeal; it keeps locking up the computer.
It's an Alienware computer running Windows XP.
Any help would be greatly appreciated.
Thanks, John Tenda


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:37:00.23 on Tue 12/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2094 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Bigfoot Networks\Killer Driver\PortManager.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bigfoot Networks\Killer Driver\KillerTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\bigfoot networks\killer driver\KillerTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SYSTEMROOT%\system32\BfLLR.dll
Trusted Zone: avsystemcare.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmkhh.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zx2qh2hl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-21 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 Killer Port Manager;Killer Port Manager;c:\program files\bigfoot networks\killer driver\PortManager.exe [2008-1-30 237568]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-20 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-20 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-20 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-20 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-20 40552]
R3 NetB834x;Killer NIC Gaming Adapter Service;c:\windows\system32\drivers\NetB834x.sys [2008-1-30 102304]
R3 NetbEdge;Killer NIC NDIS-Edge Service;c:\windows\system32\drivers\NetBEdge.sys [2008-1-30 22048]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-20 34248]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

============== File Associations ===============

inifile=gdrwetfgfd.exe %1
txtfile=%windir%\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-12-21 04:12:25 9175 ----a-w- c:\windows\system32\Config.MPF
2009-12-21 04:10:10 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-21 04:10:10 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-21 04:10:10 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-21 04:10:08 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-21 04:09:45 0 d-----w- c:\program files\common files\McAfee
2009-12-21 04:09:44 0 d-----w- c:\program files\McAfee.com
2009-12-21 04:09:39 0 d-----w- c:\program files\McAfee
2009-12-21 04:08:07 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-21 02:58:45 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-21 02:58:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 02:58:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-21 02:58:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 02:58:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 19:02:57 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-11-28 16:04:02 35840 ----a-w- c:\windows\system32\nvconrm.dll
2009-11-28 16:04:02 10240 ----a-w- c:\windows\system32\bdco1ins.dll
2009-11-28 16:04:01 18944 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2009-11-28 16:04:01 1068800 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2009-11-28 16:04:01 10240 ----a-w- c:\windows\system32\bdco1.dll
2009-11-28 15:59:04 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2009-11-28 15:51:49 766 ----a-w- c:\windows\win98Logo.ico
2009-11-28 15:47:36 90112 ------w- c:\windows\SDUnInst.exe
2009-11-28 15:25:04 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2009-11-28 15:25:04 0 d-----w- c:\program files\CPUID

==================== Find3M ====================

2009-11-21 14:04:15 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 14:04:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-04 21:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 20:40:19 58308 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-03-10 22:26:46 0 ----a-w- c:\program files\temp01
2008-02-18 01:42:45 246 ----a-w- c:\program files\common files\labu
2008-11-08 16:05:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat

============= FINISH: 10:37:36.81 ===============
Attached file: Attach.zip (4.53KB, 1 download)


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:42 AM

Posted 04 January 2010 - 11:00 AM

Hello and welcome to Bleeping Computer! :(

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 sund

sund
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 04 January 2010 - 06:48 PM

Here are the requested files. I think we have got it cleaned up, but would appreciate a second look to make sure.
We have run Spybot, Malwarebytes, and McAfee, and also Microsoft Security Essentials.
We have been running them almost every day with nothing showing up.
Thanks, John


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 18:27:34.89 on Mon 01/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2222 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Bigfoot Networks\Killer Driver\PortManager.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bigfoot Networks\Killer Driver\KillerTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\bigfoot networks\killer driver\KillerTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SYSTEMROOT%\system32\BfLLR.dll
Trusted Zone: avsystemcare.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmkhh.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zx2qh2hl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-21 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 Killer Port Manager;Killer Port Manager;c:\program files\bigfoot networks\killer driver\PortManager.exe [2008-1-30 237568]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-20 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-20 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-20 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-20 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-20 40552]
R3 NetB834x;Killer NIC Gaming Adapter Service;c:\windows\system32\drivers\NetB834x.sys [2008-1-30 102304]
R3 NetbEdge;Killer NIC NDIS-Edge Service;c:\windows\system32\drivers\NetBEdge.sys [2008-1-30 22048]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-20 34248]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

============== File Associations ===============

inifile=gdrwetfgfd.exe %1
txtfile=%windir%\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-12-23 00:21:03 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-23 00:18:59 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-21 04:12:25 11215 ----a-w- c:\windows\system32\Config.MPF
2009-12-21 04:10:10 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-21 04:10:10 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-21 04:10:10 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-21 04:10:08 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-21 04:09:45 0 d-----w- c:\program files\common files\McAfee
2009-12-21 04:09:44 0 d-----w- c:\program files\McAfee.com
2009-12-21 04:09:39 0 d-----w- c:\program files\McAfee
2009-12-21 04:08:07 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-21 02:58:45 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-21 02:58:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 02:58:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-21 02:58:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 02:58:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 19:02:57 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-11-21 14:04:15 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 14:04:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 20:40:19 58308 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-03-10 22:26:46 0 ----a-w- c:\program files\temp01
2008-02-18 01:42:45 246 ----a-w- c:\program files\common files\labu
2008-11-08 16:05:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat

============= FINISH: 18:28:29.90 ===============
Attached file: Attach.zip (4.82KB, 8 downloads)
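The helpers read the Pseudo HJT Report and File Associations sections for persistence entries that a signature scanner does not flag. The following is an added example (the editor's own heuristics, not code from DDS, the thread's helpers or BleepingComputer): it runs those checks over lines copied from the log above. The "stock Windows XP" defaults for LSA packages and the .ini/.txt handler are assumptions.

```python
"""Triage of a DDS log's 'Pseudo HJT Report' and 'File Associations' sections.

The heuristics below are the editor's own (hypothetical, not DDS's or the
helpers' analysis): they flag the persistence locations a volunteer reads
first, so a reader can see why a log that "looks clean" to a scanner can
still contain entries worth a second look.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Trusted Zone: avsystemcare.com
AppInit_DLLs: wbsys.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmkhh.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============== File Associations ===============

inifile=gdrwetfgfd.exe %1
txtfile=%windir%\NOTEPAD.EXE %1
"""

# Assumption: a stock Windows XP install registers only msv1_0 as an LSA
# authentication package and opens .ini/.txt files with notepad.exe.
DEFAULT_LSA_PACKAGES = {"msv1_0"}
DEFAULT_ASSOCIATION_HANDLER = "notepad.exe"


@dataclass
class Finding:
    kind: str       # which DDS line type produced it
    severity: str   # "high" | "medium" | "info"
    detail: str     # the offending value, verbatim from the log


def _basename(path: str) -> str:
    """Strip directory and .dll suffix: 'c:\\x\\pmkhh.dll' -> 'pmkhh'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line and return the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        # LSA authentication packages load into lsass.exe and see every logon;
        # anything beyond the stock msv1_0 is the first thing to explain.
        m = re.match(r"LSA: Authentication Packages = (.+)$", line)
        if m:
            for pkg in m.group(1).split():
                if _basename(pkg) not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa_package", "high", pkg))
            continue

        # A hijacked .ini/.txt handler runs an arbitrary binary whenever such
        # a file is opened; the stock handler is notepad.exe.
        m = re.match(r"(inifile|txtfile)=(.+)$", line)
        if m and DEFAULT_ASSOCIATION_HANDLER not in m.group(2).lower():
            findings.append(Finding("file_association", "high", line))
            continue

        # Sites in IE's Trusted Zone get relaxed ActiveX/script policy, so
        # every entry should be one the owner deliberately added.
        m = re.match(r"Trusted Zone: (.+)$", line)
        if m:
            findings.append(Finding("trusted_zone", "medium", m.group(1)))
            continue

        # AppInit_DLLs are injected into every user-mode process; worth
        # confirming the DLL belongs to a known product.
        m = re.match(r"AppInit_DLLs: (.+)$", line)
        if m:
            findings.append(Finding("appinit_dll", "info", m.group(1)))
            continue

        # HOSTS overrides that point a site at loopback are a classic way to
        # keep a victim away from security vendors; list them for review.
        m = re.match(r"Hosts: (\S+)\s+(\S+)$", line)
        if m and m.group(1).startswith("127."):
            findings.append(Finding("hosts_override", "info", m.group(2)))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 1, 'info': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:17} {f.detail}")
```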

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:05:42 AM

Posted 05 January 2010 - 10:11 AM

Hello and welcome to BleepingComputer from me as well! :(

I will be helping you with this issue. :( The logs still show a couple of entries left by malware. I would like to do some further poking and will need the following logs:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
As well as a log from gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please post back the logs from OTL and the log from gmer in your next reply.

regards mytri

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 sund

sund
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 05 January 2010 - 06:44 PM

Mytri,
Here are the three files you asked me to get.
Thanks, John


OTL logfile created on: 1/5/2010 4:09:25 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 131.70 Gb Free Space | 56.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SARAALIEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/05 16:06:49 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2009/11/21 09:03:09 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/21 09:03:07 | 01,184,912 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2009/10/28 11:50:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/13 18:52:50 | 01,048,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/07/08 20:22:24 | 05,134,864 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/05/02 02:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 02:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/05 01:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/10/25 14:30:02 | 00,401,408 | ---- | M] (Bigfoot Networks, Inc.) -- C:\Program Files\Bigfoot Networks\Killer Driver\KillerTray.exe
PRC - [2007/10/22 15:32:20 | 00,237,568 | ---- | M] () -- C:\Program Files\Bigfoot Networks\Killer Driver\PortManager.exe
PRC - [2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PRC - [2007/08/30 17:13:06 | 00,319,488 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint II\SetPointII.exe
PRC - [2006/11/23 15:10:42 | 00,056,928 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2006/02/27 04:28:16 | 16,005,120 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2005/12/28 11:05:30 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe


========== Modules (SafeList) ==========

MOD - [2010/01/05 16:06:49 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
MOD - [2009/07/12 01:12:06 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/05/02 02:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2003/02/26 22:27:44 | 00,036,864 | ---- | M] (Stardock.Net, Inc) -- C:\WINDOWS\system32\wbsys.dll
MOD - [2003/02/26 22:24:32 | 00,028,740 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\AlienGUIse\wbhelp.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/21 09:03:07 | 01,184,912 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/08/30 14:17:30 | 03,407,412 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/07/08 20:22:22 | 00,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/05/02 02:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2007/12/05 01:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/10/22 15:32:20 | 00,237,568 | ---- | M] () [Auto | Running] -- C:\Program Files\Bigfoot Networks\Killer Driver\PortManager.exe -- (Killer Port Manager)
SRV - [2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2007/01/20 07:22:05 | 00,167,936 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo) Cyberlink RichVideo Service(CRVS)
SRV - [2006/11/10 19:18:02 | 00,774,144 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/11/04 16:54:12 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/09/23 07:55:23 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/06/18 18:48:04 | 00,142,832 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/07/04 10:22:36 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 03:13:24 | 00,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 00,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 03:12:48 | 00,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/12/05 01:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/05 15:43:26 | 00,102,304 | ---- | M] (Bigfoot Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NetB834x.sys -- (NetB834x)
DRV - [2007/10/05 15:43:26 | 00,022,048 | ---- | M] (Bigfoot Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NetBEdge.sys -- (NetbEdge)
DRV - [2007/09/04 19:26:32 | 00,029,696 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev)
DRV - [2006/07/01 22:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/03/22 13:24:02 | 00,018,944 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/22 12:24:00 | 00,052,736 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/03/16 17:51:38 | 00,081,536 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2006/03/16 17:51:32 | 00,099,840 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/03/16 17:51:32 | 00,099,840 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/02/27 05:47:00 | 04,241,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/28 11:05:09 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/06/21 12:40:48 | 00,051,088 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2004/06/21 12:40:48 | 00,021,744 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/06/21 12:40:48 | 00,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2002/11/20 19:45:50 | 00,002,218 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vncdrv.sys -- (vncdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-456262375-886904950-3945187725-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-456262375-886904950-3945187725-1003\S-1-5-21-456262375-886904950-3945187725-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/17 17:38:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/17 17:38:29 | 00,000,000 | ---D | M]

[2008/09/15 14:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/01/04 09:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx2qh2hl.default\extensions
[2009/09/08 19:19:45 | 00,002,254 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx2qh2hl.default\searchplugins\askcom.xml
[2008/09/15 14:25:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/06/28 12:06:49 | 00,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: (319333 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 10952 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-456262375-886904950-3945187725-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-456262375-886904950-3945187725-1003\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-456262375-886904950-3945187725-1003..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launch KillerTray.exe.lnk = C:\Program Files\Bigfoot Networks\Killer Driver\KillerTray.exe (Bigfoot Networks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SetPointII.lnk = C:\Program Files\Logitech\SetPoint II\SetPointII.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-456262375-886904950-3945187725-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\bfLLR.dll (Bigfoot Networks, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\bfLLR.dll (Bigfoot Networks, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\bfLLR.dll (Bigfoot Networks, Inc.)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-456262375-886904950-3945187725-1003\..Trusted Domains: avsystemcare.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-456262375-886904950-3945187725-1003\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.242 68.87.71.226
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (wbsys.dll) - C:\WINDOWS\System32\wbsys.dll (Stardock.Net, Inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\khffdef: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\wapoadzv: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\WB: DllName - C:\Program Files\AlienGUIse\fastload.dll - C:\Program Files\AlienGUIse\fastload.dll (Stardock)
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\pmkhh.dll) - C:\WINDOWS\System32\pmkhh.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/19 10:47:43 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/27 23:47:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Rawr v2.3.4
[2009/12/22 19:21:03 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/12/22 19:18:59 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2009/12/20 23:16:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/20 23:14:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/20 23:14:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/20 23:14:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/20 23:10:10 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/12/20 23:10:10 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/12/20 23:10:10 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/12/20 23:10:08 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2009/12/20 23:09:45 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/12/20 23:09:44 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/12/20 23:09:39 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/12/20 23:08:07 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/12/20 23:06:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/12/20 21:58:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/12/20 21:58:41 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/20 21:58:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/20 21:58:39 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/20 21:58:39 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/11 14:02:57 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/03/07 09:41:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/10/24 09:30:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\NVIDIA Corporation
[2008/04/03 17:40:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[2008/02/17 19:42:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2008/02/17 19:26:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2008/02/17 19:26:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Google
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/05 16:05:01 | 00,043,008 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Check Register.xls
[2010/01/05 15:34:09 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Budget.xls
[2010/01/05 15:27:58 | 00,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/01/05 15:22:01 | 00,000,270 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/01/05 12:21:32 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Accounts Payable.xls
[2010/01/05 12:21:07 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/05 12:21:06 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/05 12:16:48 | 00,011,215 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/05 12:15:48 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/05 12:15:41 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/04 23:42:54 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/04 23:42:53 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/01/04 14:44:45 | 00,000,020 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\aionmemo_26895a57.dat
[2010/01/01 01:20:01 | 00,000,318 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/22 19:19:00 | 00,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2009/12/22 19:18:52 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/22 12:28:08 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/12/20 23:11:52 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2009/12/20 23:09:56 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/12/20 23:08:31 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
[2009/12/20 21:58:43 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 12:09:59 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/09 18:25:14 | 00,591,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/09 18:25:14 | 00,491,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/09 18:25:14 | 00,089,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/09 15:38:52 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/22 19:24:09 | 00,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/12/22 19:19:00 | 00,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2009/12/22 12:28:08 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/12/20 23:12:25 | 00,011,215 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/20 23:11:52 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2009/12/20 23:09:55 | 00,000,340 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/12/20 23:09:55 | 00,000,318 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/20 21:58:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/17 14:40:57 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
[2009/05/19 12:13:54 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\setup_ldm.iss
[2009/02/13 14:17:50 | 00,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2008/03/10 17:26:46 | 00,000,000 | ---- | C] () -- C:\Program Files\temp01
[2008/03/10 11:43:32 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2008/03/09 14:10:37 | 00,000,831 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/02/22 17:56:46 | 00,000,368 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/02/17 19:25:15 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/02/17 18:14:01 | 00,000,246 | ---- | C] () -- C:\Program Files\Common Files\labu
[2008/02/05 18:42:33 | 00,000,180 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\menu.new
[2008/02/05 18:42:33 | 00,000,180 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\menu.bfm
[2008/01/30 09:18:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/30 08:18:15 | 00,000,056 | ---- | C] () -- C:\WINDOWS\wb.ini
[2008/01/30 08:05:50 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/01/18 17:43:53 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/01/18 17:43:53 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/01/18 17:43:52 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/18 17:43:52 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/01/18 17:43:51 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/03/12 12:01:30 | 00,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2005/12/28 11:01:34 | 00,002,374 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/05 13:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== Files - Unicode (All) ==========
[2009/04/01 03:57:52 | 00,000,000 | ---D | M](C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\Μіcrosoft.NET
[2009/04/01 03:57:52 | 00,000,000 | ---D | M](C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\Μіcrosoft.NET
[2008/02/18 18:43:23 | 00,000,000 | ---D | M](C:\Documents and Settings\Owner\Application Data\??curity) -- C:\Documents and Settings\Owner\Application Data\ѕеcurity
[2008/02/18 18:43:23 | 00,000,000 | ---D | M](C:\Documents and Settings\Owner\Application Data\??curity) -- C:\Documents and Settings\Owner\Application Data\ѕеcurity
(C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\Μіcrosoft.NET
(C:\Documents and Settings\Owner\Application Data\??curity) -- C:\Documents and Settings\Owner\Application Data\ѕеcurity

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E91ADC66
@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2D4B33E
@Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8134D8F
@Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6881EE7
@Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:19F08842
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A96D3F23
@Alternate Data Stream - 3552 bytes -> C:\WINDOWS\alienware logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86148D88
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80E965A3
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EC2762B9
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:417B6FAC
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1B9E79B3
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8DB81DC
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BABA07C2
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A5FC8FA1
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FBFC061F
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EF794BCD
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B6285236
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:554C6431
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9EEB760
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E50C1C9
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9ACB70D7
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2A5A561
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89C2A42C
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7F4DB476
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6AF67671
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8F4E260C
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8247A199
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6677D85A
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4C49306C
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:162E02F7
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:81653DC8
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E1D818F7
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E6B8D68
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:28CCFEFB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BE6DC701
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8EDA76B4
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47A24D4B
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1B9D528D
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E412AAF2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C3B5FCD5
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B646CCF6
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98AE08EA
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:275AA066
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FAC36972
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E41267F2
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:969C0C96
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8AA99C0C
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A6D6CB4
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F5E4BCD5
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:10D98D98
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1740DC47
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C7B98566
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BFAD7A5D
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89E1BAF5
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4EF94CF3
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33611CFB
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:269C0B5C
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D31BE97C
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C8182692
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A0C7D68A
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94F67F32
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8140CB50
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:37994DBE
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:439E3411
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FECEF728
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A561576B
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1C88C8E5
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA004D25
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:461BD06D
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9547F1DB
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:31D2961C
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:02A78DF6
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DDEB08FD
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:538B96B5
< End of report >


OTL Extras logfile created on: 1/5/2010 4:09:25 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 131.70 Gb Free Space | 56.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SARAALIEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.ini [@ = inifile] -- gdrwetfgfd.exe %1

[HKEY_USERS\S-1-5-21-456262375-886904950-3945187725-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- gdrwetfgfd.exe %1
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inifile [open] -- gdrwetfgfd.exe %1
piffile [open] -- "%1" %*
regfile [edit] -- gdrwetfgfd.exe %1
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\Curse\CurseClient.exe" = C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client -- ()
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C2AF762-0565-4C91-9F55-B8B53BB82A38}" = Microsoft Office Accounting 2008 Equifax Addin
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{12DCDE3D-5C8E-4C5E-A7E4-CEF30F578179}" = Catz 5
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18039280-98B7-4C5E-AAC0-10EBC9731033}" = Nero 7 Essentials
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{270940EA-C235-40D9-B2AE-2D450356DF8E}" = Microsoft Office Accounting 2008
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2BB34316-5C68-45C0-9656-64DF7F34F6BA}" = Map Button (Windows Live Toolbar)
"{2BBC9458-07CA-4843-848B-5C8146E5EFA8}" = CreativeProjects
"{2F71F2BA-B513-4113-969C-18A84D238E27}" = 1310
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{31EF8B2A-1332-4A0E-8B35-2E3491727922}" = EverQuest II: Play the Fae
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = Logitech Registration
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FE03663-FEE7-4D25-9E3E-52F97784F2A0}" = G9 Device Package
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{457791C5-D702-4143-A7B2-2744BE9573F2}" = HP Software Update
"{48B3FB4D-CE22-488C-8E9F-24EBB77EAC0F}" = Microsoft Security Essentials
"{49A141D3-78CF-45EA-93A8-541E08FDB719}" = Killer Driver
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{595D0DE8-C38A-4432-B851-47DECC1A99BD}" = HP Unload DLL Patch
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher
"{5FA793A6-0071-42C1-9355-8F69A428C44F}" = Microsoft Office Accounting ADP Payroll Addin
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B59BE72-68EF-400B-B08A-2860283A4FE3}" = Smart Menus (Windows Live Toolbar)
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"{80413011-029C-4D6B-B3AD-725DDE60B81C}" = 1310Trb
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A4D41F3-3EDA-4DAC-9403-839708EA0667}" = Install(US)2
"{8A64032F-FF5E-4AC9-ADF7-84E548B7C2B4}" = Highlight Viewer (Windows Live Toolbar)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{981FB376-8418-4EA8-BBED-9DE5AA63E7D5}" = SkinsHP1
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}" = Microsoft Antimalware
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A1DCC235-DACC-4E1F-8D11-D630634B4AEF}" = PhotoGallery
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A2F166A0-F031-4E27-A057-C69733219434}_is1" = Runes of Magic
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B391EECE-DFEA-4FC5-9D40-47FA43E2DBE6}" = Microsoft Office Accounting 2008 PayPal Addin
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B45D9FEE-1AF4-46F3-9A83-2545F81547F5}" = CreativeProjectsTemplates
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B5E04B4D-258F-46FC-8CEE-2AA259236C03}" = EverQuest II: Rise of Kunark
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}" = Windows Live Toolbar
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3120436-1358-4253-9EB2-257FFE8CE1D9}" = Logitech SetPoint 5.00
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E21658D0-8C83-4ADD-937B-6ED07F335ABA}" = 1310Tour
"{E3DF6916-2472-43D9-8B3C-9F2F0AAB01B5}" = Microsoft Office Accounting 2008 Fixed Asset Manager
"{E90BEB5B-CFA0-418E-9ABB-4C4A7B0D9483}" = 1310_Help
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{EE614F8D-267D-49CC-805B-FC08D94EDFE5}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"{FF26F7EA-BCEE-478C-9A1B-6B4F88717D73}" = CueTour
"12bbe590-c890-11d9-9669-0800200c9a66_is1" = The Lord of the Rings Online™: Mines of Moria™ v02.02.02.8117
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"7-Zip" = 7-Zip 4.65
"9E140F48C9836B9B78539C08FB2B17146BDB3F65" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AlienGUIse Theme Manager" = AlienGUIse Theme Manager
"BFG-3 Stars of Destiny" = 3 Stars of Destiny
"BFG-Alice Greenfingers 2" = Alice Greenfingers 2
"BFG-Amelie's Cafe" = Amelie's Cafe
"BFG-Believe in Sandy - Holiday Story" = Believe in Sandy: Holiday Story
"BFG-Burger Shop 2" = Burger Shop 2
"BFGC" = Big Fish Games Client
"BFG-Cake Mania 2" = Cake Mania 2
"BFG-DQ Tycoon" = DQ Tycoon
"BFG-Kuros" = Kuros
"BFG-Midnight Mysteries - The Edgar Allan Poe Conspiracy" = Midnight Mysteries: The Edgar Allan Poe Conspiracy
"BFG-Pet Playground" = Pet Playground
"BFG-Pet Show Craze" = Pet Show Craze
"BFG-Wandering Willows" = Wandering Willows
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.52.2
"CurseClient" = Curse Client
"EQ2MAP Updater" = EQ2MAP Updater 1.0.16
"F3B506E1FDAEA4DC6669B53B2D3F0B68FBA20C2D" = Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"InstallShield_{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Office Accounting 2008" = Microsoft Office Accounting 2008
"Microsoft Security Essentials" = Microsoft Security Essentials
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSC" = McAfee SecurityCenter
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PFPortChecker" = PFPortChecker 1.0.31
"PROR" = Microsoft Office Professional 2007 Trial
"uTorrent" = µTorrent
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"World of Warcraft" = World of Warcraft
"Wrath of the Lich King Beta" = Wrath of the Lich King Beta

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-456262375-886904950-3945187725-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/29/2009 4:35:25 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3856 (0xf10) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\DOCUME~1\Owner\LOCALS~1\Temp\HouseCall\housecall.bin

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 12/31/2009 2:34:41 AM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 516 (0x204) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 1/1/2010 12:32:21 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 2852 (0xb24) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\792248d6ad421d577132c2b648bbed45_scc_trial_na.exe

by C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe 4(0)(0) 4(0)(0) 7200(0)(0)
7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 1/3/2010 5:21:16 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 2640 (0xa50) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\WINDOWS\Explorer.EXE 4(0)(0) 4(0)(0)

7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 1/3/2010 5:59:45 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 4436 (0x1154) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\DOCUME~1\Owner\LOCALS~1\Temp\HouseCall\housecall.bin

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 1/4/2010 11:20:43 AM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3896 (0xf38) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 1/5/2010 12:30:29 AM | Computer Name = SARAALIEN | Source = Application Error | ID = 1000
Description = Faulting application launcher.exe, version 2.1.1.1374, faulting module
launcher.exe, version 2.1.1.1374, fault address 0x000a26f8.

Error - 1/5/2010 1:37:51 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3864 (0xf18) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 1/5/2010 2:51:15 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 4768 (0x12a0) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\WINDOWS\Explorer.EXE 4(0)(0) 4(0)(0)

7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 1/5/2010 2:55:57 PM | Computer Name = SARAALIEN | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 5520 (0x1590) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Owner\My
Documents\Downloads\EtherSaga_v81_XP.exe by C:\WINDOWS\Explorer.EXE 4(0)(0) 4(0)(0)

7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

[ OSession Events ]
Error - 4/16/2009 2:48:36 PM | Computer Name = SARAALIEN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 3942
seconds with 3780 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/31/2009 2:34:49 AM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/1/2010 12:32:22 PM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/3/2010 5:21:18 PM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/3/2010 5:59:49 PM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 2 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/4/2010 11:20:50 AM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/5/2010 1:16:10 PM | Computer Name = SARAALIEN | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Send To OneNote 2007 share
name Printer.

Error - 1/5/2010 1:37:53 PM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/5/2010 2:51:26 PM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 2 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 1/5/2010 2:55:58 PM | Computer Name = SARAALIEN | Source = Service Control Manager | ID = 7034
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 3 time(s).

Error - 1/5/2010 3:20:02 PM | Computer Name = SARAALIEN | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...p;threatid=9940

User:
SARAALIEN\Owner Name: Program:Win32/PowerRegScheduler ID: 9940 Severity: Medium Category:
Potentially Unwanted Software Path: Action: %%808 Error Code: 0x80508023 Error description:
The program could not find the spyware and other potentially unwanted software
on this computer. Status: Signature Version: AV: 1.71.1772.0, AS: 1.71.1772.0 Engine
Version: 1.1.5302.0


< End of report >


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-05 18:29:48
Windows 5.1.2600 Service Pack 3
Running: 1pbznsnq.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtyapoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA918BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB50D678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB50D6738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB50D674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB50D6837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB50D6863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB50D68D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB50D68BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB50D67CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB50D68FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB50D680D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB50D6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB50D6724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB50D679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB50D6939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB50D68A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB50D688F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB50D684D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB50D6925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB50D6911]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB50D6776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB50D6762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB50D67F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB50D68E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB50D67E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB50D67B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B50D67B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B50D678E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B50D67CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B50D67E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B50D67A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B50D6714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B50D6728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B50D6766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B50D6750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 2 Bytes JMP B50D673C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess + 3 805D11FD 2 Bytes [B0, 34] {MOV AL, 0x34}
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B50D677A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B50D67FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP B50D6893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP B50D68EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP B50D68A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP B50D6851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP B50D683B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP B50D6867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP B50D68D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP B50D68BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP B50D6811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP B50D693D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP B50D6915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP B50D6929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP B50D6901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB83F7380, 0x346307, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10FE5
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B1006E
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B1005D
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10F83
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F9E
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10040
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F43
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F5E
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B100C1
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B100A6
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B10F17
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10FAF
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B10089
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FCA
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B10F32
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00FDB
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B00F87
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00022
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B00011
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B0004E
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B0003D
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B00FC0
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0070
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0055
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0029
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0044
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007C0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F52
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0051
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F77
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0F94
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F09
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F1A
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF006C
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0ED3
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0087
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0FAF
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F41
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF002C
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF0EEE
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760FA8
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760065
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00760FB9
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [96, 88]
.text C:\WINDOWS\system32\svchost.exe[608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760040
.text C:\WINDOWS\system32\svchost.exe[608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00750FA8
.text C:\WINDOWS\system32\svchost.exe[608] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750029
.text C:\WINDOWS\system32\svchost.exe[608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00750018
.text C:\WINDOWS\system32\svchost.exe[608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750FC3
.text C:\WINDOWS\system32\svchost.exe[608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00750FDE
.text C:\WINDOWS\system32\svchost.exe[608] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00730000
.text C:\WINDOWS\system32\svchost.exe[608] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00730FE5
.text C:\WINDOWS\system32\svchost.exe[608] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0073001B
.text C:\WINDOWS\system32\svchost.exe[608] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00730FCA
.text C:\WINDOWS\system32\svchost.exe[608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F88
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070093
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700D0
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F41
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F1C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F57
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCD
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F72
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005005F
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050044
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050029
.text C:\WINDOWS\system32\services.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01560000
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0156009D
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01560FA8
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01560076
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01560065
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0156004A
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01560F7C
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01560F8D
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01560F50
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01560F61
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01560104
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01560FC3
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01560FEF
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015600AE
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01560FDE
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0156002F
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015600DF
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01550FC3
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0155005E
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01550FDE
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01550014
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01550043
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01550FEF
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01550FA1
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [75, 89] {JNZ 0xffffffffffffff8b}
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01550FB2
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0031
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FA6
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FC1
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\lsass.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 36820FE5
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 36820062
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 36820047
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 36820F6D
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 36820036
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 36820FB9
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 36820084
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 36820073
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 36820F06
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 36820F17
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 368200BA
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 36820F9E
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 3682000A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 36820F48
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 36820FCA
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 3682001B
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 36820095
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 36800FC8
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 36800053
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 3680001D
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 36800FEF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 36800038
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 36800000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 36810FD4
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 3681006C
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 36810025
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 36810FE5
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 3681005B
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 36810000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 3681004A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 36810FC3
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1204] WS2_32.dll!socket 33EA4211 5 Bytes JMP 367F0FE5
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E20076
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20F81
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E20F92
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20FAF
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E20047
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E20F49
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E20F5A
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E20F2E
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E200C7
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E200E2
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E20FC0
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E20014
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E20091
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E20025
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E200AC
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E10025
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10F94
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E10FB9
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E1005B
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10036
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00F9C
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FB7
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0000C
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FE3
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E0001D
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00FD2
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DE0000
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 018B0FEF
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 018B0F81
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 018B0F92
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 018B006C
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 018B0FAF
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 018B0036
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018B00B3
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 018B00A2
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018B00E9
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 018B00CE
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 018B0F35
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 018B0051
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 018B0FD4
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 018B0091
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 018B001B
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 018B000A
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 018B0F50
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 018A001E
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 018A0054
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 018A0FC3
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 018A0FDE
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 018A0043
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 018A0FEF
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 018A0FA1
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AA, 89]
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 018A0FB2
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01890F9C
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 01890FAD
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0189001D
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01890FEF
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01890FC8
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0189000C
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01390000
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01390FE5
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01390011
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0139002C
.text C:\WINDOWS\Explorer.EXE[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02220FEF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01020F8A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01020FA5
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01020073
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01020062
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01020047
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010200B5
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01020F6D
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01020F48
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010200E1
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010200F2
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0102001B
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010200A4
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0102002C
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01020FE5
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010200D0
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01010025
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01010F79
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01010FDE
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01010F8A
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01010FAF
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [21, 89]
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01010036
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0031
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FA6
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02460FE5
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02460F74
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02460069
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02460058
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02460047
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02460FA5
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02460097
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02460F4F
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02460F16
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024600B9
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024600D4
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02460036
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02460FD4
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0246007A
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02460011
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02460000
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024600A8
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02450FD4
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02450F97
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02450025
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02450014
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0245004A
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02450FEF
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02450FA8
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [65, 8A]
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02450FC3
.text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 022C0F70
.text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!system 77C293C7 5 Bytes JMP 022C0F8B
.text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 022C0FB7
.text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 022C0FEF
.text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 022C0FA6
.text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 022C0FD2
.text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!socket 71AB4211 5 Bytes JMP 022B0FEF
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02290FE5
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02290000
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02290FCA
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0229001B
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC006C
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC005B
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0F8D
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC004A
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC00A4
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F52
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC0F15
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0F30
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC00C9
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0FA8
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC007D
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0025
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC0F41
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0F83
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0F94
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0FC8
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FD9
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA002E
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0049
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA001D
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90078
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F8D
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F9E
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E9005B
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90093
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F57
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F26
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900BF
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900D0
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90FAF
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90F68
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\svchost.exe[2696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E900A4
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80FBC
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E8003C
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FCD
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80F7F
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E80F90
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [08, 89]
.text C:\WINDOWS\system32\svchost.exe[2696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80FAB
.text C:\WINDOWS\system32\svchost.exe[2696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70F9E
.text C:\WINDOWS\system32\svchost.exe[2696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70033
.text C:\WINDOWS\system32\svchost.exe[2696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70011
.text C:\WINDOWS\system32\svchost.exe[2696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[2696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70022
.text C:\WINDOWS\system32\svchost.exe[2696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[2696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F61
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F7C
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F8D
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90039
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F18
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F33
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90EE2
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C9007B
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90ED1
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F50
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[2712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F07
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FC3
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80065
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80014
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80FA8
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C8004A
.text C:\WINDOWS\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80039
.text C:\WINDOWS\system32\svchost.exe[2712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70033
.text C:\WINDOWS\system32\svchost.exe[2712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70022
.text C:\WINDOWS\system32\svchost.exe[2712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70FBC
.text C:\WINDOWS\system32\svchost.exe[2712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[2712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[2712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50062
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F77
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F94
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F2E
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F4B
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500C7
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F500AC
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F500D8
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50FAF
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FDE
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50F5C
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\dllhost.exe[2808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50091
.text C:\WINDOWS\system32\dllhost.exe[2808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30FCF
.text C:\WINDOWS\system32\dllhost.exe[2808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F3005A
.text C:\WINDOWS\system32\dllhost.exe[2808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30038
.text C:\WINDOWS\system32\dllhost.exe[2808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\dllhost.exe[2808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F30049
.text C:\WINDOWS\system32\dllhost.exe[2808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F3001D
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FA8
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40F68
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F40014
.text C:\WINDOWS\system32\dllhost.exe[2808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40F8D
.text C:\WINDOWS\system32\dllhost.exe[2808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F79
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A006E
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F94
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002C
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A007F
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F43
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F0B
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00A4
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EFA
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0047
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F54
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F26
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290047
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290095
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029002C
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290084
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290073
.text C:\WINDOWS\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290058
.text C:\WINDOWS\System32\svchost.exe[3240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F9A
.text C:\WINDOWS\System32\svchost.exe[3240] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E001B
.text C:\WINDOWS\System32\svchost.exe[3240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FB5
.text C:\WINDOWS\System32\svchost.exe[3240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FE3
.text C:\WINDOWS\System32\svchost.exe[3240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E000A
.text C:\WINDOWS\System32\svchost.exe[3240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FD2
.text C:\WINDOWS\System32\svchost.exe[3240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#6 myrti

Posted 08 January 2010 - 05:10 PM

Hi,

sorry for the delay. Please run the following fix and let me know if things improve:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :otl
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\khffdef: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
    O20 - Winlogon\Notify\wapoadzv: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\WB: DllName - C:\Program Files\AlienGUIse\fastload.dll - C:\Program Files\AlienGUIse\fastload.dll (Stardock)
    O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\pmkhh.dll) - C:\WINDOWS\System32\pmkhh.dll File not found
    
    O15 - HKU\S-1-5-21-456262375-886904950-3945187725-1003\..Trusted Domains: avsystemcare.com ([]http in Trusted sites)
    
    [2009/12/20 23:08:31 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
    
    [2009/04/01 03:57:52 | 00,000,000 | ---D | M](C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\Μіcrosoft.NET
    [2009/04/01 03:57:52 | 00,000,000 | ---D | M](C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\Μіcrosoft.NET
    [2008/02/18 18:43:23 | 00,000,000 | ---D | M](C:\Documents and Settings\Owner\Application Data\??curity) -- C:\Documents and Settings\Owner\Application Data\ѕеcurity
    [2008/02/18 18:43:23 | 00,000,000 | ---D | M](C:\Documents and Settings\Owner\Application Data\??curity) -- C:\Documents and Settings\Owner\Application Data\ѕеcurity
    (C:\Program Files\Common Files\??crosoft.NET) -- C:\Program Files\Common Files\Μіcrosoft.NET
    (C:\Documents and Settings\Owner\Application Data\??curity) -- C:\Documents and Settings\Owner\Application Data\ѕеcurity
    
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E91ADC66
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2D4B33E
    @Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8134D8F
    @Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6881EE7
    @Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:19F08842
    @Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A96D3F23
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86148D88
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80E965A3
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EC2762B9
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:417B6FAC
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1B9E79B3
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8DB81DC
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BABA07C2
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A5FC8FA1
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FBFC061F
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EF794BCD
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B6285236
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:554C6431
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9EEB760
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E50C1C9
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9ACB70D7
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2A5A561
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89C2A42C
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7F4DB476
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6AF67671
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8F4E260C
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8247A199
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6677D85A
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4C49306C
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:162E02F7
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:81653DC8
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E1D818F7
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E6B8D68
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:28CCFEFB
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BE6DC701
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8EDA76B4
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47A24D4B
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1B9D528D
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E412AAF2
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C3B5FCD5
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B646CCF6
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98AE08EA
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:275AA066
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FAC36972
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E41267F2
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:969C0C96
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8AA99C0C
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A6D6CB4
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F5E4BCD5
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:10D98D98
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1740DC47
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C7B98566
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BFAD7A5D
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89E1BAF5
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4EF94CF3
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33611CFB
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:269C0B5C
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D31BE97C
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C8182692
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A0C7D68A
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94F67F32
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8140CB50
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:37994DBE
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:439E3411
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FECEF728
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A561576B
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1C88C8E5
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA004D25
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:461BD06D
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9547F1DB
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:31D2961C
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:02A78DF6
    @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DDEB08FD
    @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:538B96B5
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\edit\command]
    ""="%systemroot%\system32\notepad.exe %1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command]
    ""="%systemroot%\system32\notepad.exe %1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\edit\command]
    ""="%systemroot%\system32\notepad.exe %1"
    :commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window, OTListIt.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 sund (Topic Starter)

Posted 09 January 2010 - 10:35 AM

Hello Myrti,
Here are the txt files from the scans you requested.


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:Explorer.exe deleted successfully.
C:\WINDOWS\explorer.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khffdef\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\ deleted successfully.
c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wapoadzv\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB\ deleted successfully.
C:\Program Files\AlienGUIse\fastload.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\pmkhh.dll deleted successfully.
Registry key HKEY_USERS\S-1-5-21-456262375-886904950-3945187725-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat moved successfully.
C:\Program Files\Common Files\Μіcrosoft.NET folder moved successfully.
Folder C:\Program Files\Common Files\Μіcrosoft.NET\ not found.
C:\Documents and Settings\Owner\Application Data\ѕеcurity\ѕеcurity folder moved successfully.
C:\Documents and Settings\Owner\Application Data\ѕеcurity folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E91ADC66 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D2D4B33E deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D8134D8F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A6881EE7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:19F08842 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A96D3F23 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1713795 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:86148D88 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:80E965A3 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:EC2762B9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:417B6FAC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1B9E79B3 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D8DB81DC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BABA07C2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A5FC8FA1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FBFC061F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:EF794BCD deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B6285236 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:554C6431 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B9EEB760 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9E50C1C9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9ACB70D7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D2A5A561 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:89C2A42C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7F4DB476 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:6AF67671 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8F4E260C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8247A199 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:6677D85A deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4C49306C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:162E02F7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:81653DC8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E1D818F7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4E6B8D68 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:28CCFEFB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BE6DC701 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8EDA76B4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:47A24D4B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1B9D528D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E412AAF2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C3B5FCD5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B646CCF6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:98AE08EA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:275AA066 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FAC36972 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E41267F2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:969C0C96 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8AA99C0C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0A6D6CB4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:F5E4BCD5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:10D98D98 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1740DC47 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C7B98566 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BFAD7A5D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:89E1BAF5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4EF94CF3 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:33611CFB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:269C0B5C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D31BE97C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C8182692 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A0C7D68A deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:94F67F32 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8140CB50 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:37994DBE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:439E3411 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FECEF728 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A561576B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1C88C8E5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:AA004D25 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:461BD06D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9547F1DB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:31D2961C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:02A78DF6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DDEB08FD deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:538B96B5 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\\""|"%systemroot%\system32\notepad.exe %1" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\\""|"%systemroot%\system32\notepad.exe %1" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\\""|"%systemroot%\system32\notepad.exe %1" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 175670 bytes
->Temporary Internet Files folder emptied: 41239598 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: NetworkService
->Temp folder emptied: 479334 bytes
->Temporary Internet Files folder emptied: 105804911 bytes

User: Owner
->Temp folder emptied: 337145438 bytes
->Temporary Internet Files folder emptied: 159881190 bytes
->FireFox cache emptied: 74033706 bytes
->Apple Safari cache emptied: 1899493 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1225527 bytes
%systemroot%\System32 .tmp files removed: 134673 bytes
Windows Temp folder emptied: 1317750 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10953462 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35466 bytes
RecycleBin emptied: 293376 bytes

Total Files Cleaned = 701.00 mb


OTL by OldTimer - Version 3.1.22.0 log created on 01092010_100637

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_3d8.dat not found!

Registry entries deleted on Reboot...


OTL logfile created on: 1/9/2010 10:14:25 AM - Run 2
OTL by OldTimer - Version 3.1.22.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 132.22 Gb Free Space | 56.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SARAALIEN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Bigfoot Networks\Killer Driver\KillerTray.exe (Bigfoot Networks, Inc.)
PRC - C:\Program Files\Bigfoot Networks\Killer Driver\PortManager.exe ()
PRC - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\Program Files\Logitech\SetPoint II\SetPointII.exe (Logitech Inc.)
PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
PRC - C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)
MOD - C:\Program Files\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)
MOD - C:\WINDOWS\system32\wbsys.dll (Stardock.Net, Inc)
MOD - C:\Program Files\AlienGUIse\wbhelp.dll (Stardock.Net, Inc)


========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (npggsvc) -- C:\WINDOWS\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (MBackMonitor) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (LBTServ) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (Killer Port Manager) -- C:\Program Files\Bigfoot Networks\Killer Driver\PortManager.exe ()
SRV - (nTuneService) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (RichVideo) Cyberlink RichVideo Service(CRVS) -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe ()
SRV - (NBService) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (NetB834x) -- C:\WINDOWS\system32\drivers\NetB834x.sys (Bigfoot Networks, Inc.)
DRV - (NetbEdge) -- C:\WINDOWS\system32\drivers\NetBEdge.sys (Bigfoot Networks, Inc.)
DRV - (NVR0Dev) -- C:\WINDOWS\nvoclock.sys (NVidia Corp.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (nvraid) NVIDIA nForce™ -- C:\WINDOWS\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nvatabus) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (HPZid412) -- C:\WINDOWS\system32\drivers\hpzid412.sys (HP)
DRV - (HPZius12) -- C:\WINDOWS\system32\drivers\HPZius12.sys (HP)
DRV - (HPZipr12) -- C:\WINDOWS\system32\drivers\HPZipr12.sys (HP)
DRV - (vncdrv) -- C:\WINDOWS\system32\drivers\vncdrv.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.7
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 23:29:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 15:24:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 15:24:41 | 00,000,000 | ---D | M]

[2008/09/15 14:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2008/09/15 14:25:35 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/01/08 22:13:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx2qh2hl.default\extensions
[2009/09/03 13:16:27 | 00,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx2qh2hl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/08 19:19:45 | 00,002,254 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx2qh2hl.default\searchplugins\askcom.xml
[2008/09/15 14:25:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/07 15:24:41 | 00,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/01/07 15:24:30 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/01/07 15:24:31 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010/01/07 15:24:33 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/06/28 12:06:49 | 00,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2009/11/21 09:57:04 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/11/21 09:57:04 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/11/21 09:57:04 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/11/21 09:57:04 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/11/21 09:57:04 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/11/21 09:57:05 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/11/21 09:57:05 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/07/30 02:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/07/30 02:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/11/03 11:57:42 | 00,002,273 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009/07/30 02:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/07/30 02:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/07/30 02:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/07/30 02:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/07/30 02:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (319333 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10952 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launch KillerTray.exe.lnk = C:\Program Files\Bigfoot Networks\Killer Driver\KillerTray.exe (Bigfoot Networks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SetPointII.lnk = C:\Program Files\Logitech\SetPoint II\SetPointII.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\bfLLR.dll (Bigfoot Networks, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\bfLLR.dll (Bigfoot Networks, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\bfLLR.dll (Bigfoot Networks, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.242 68.87.71.226
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (wbsys.dll) - C:\WINDOWS\System32\wbsys.dll (Stardock.Net, Inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/19 10:47:43 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/09 10:06:37 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/27 23:47:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Rawr v2.3.4
[2009/12/22 19:21:03 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/12/22 19:18:59 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2009/12/20 23:16:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/20 23:14:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/20 23:14:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/20 23:14:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/20 23:10:10 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/12/20 23:10:10 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/12/20 23:10:10 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/12/20 23:10:08 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2009/12/20 23:09:45 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/12/20 23:09:44 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/12/20 23:09:39 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/12/20 23:08:07 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/12/20 23:06:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/12/20 21:58:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/12/20 21:58:41 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/20 21:58:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/20 21:58:39 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/20 21:58:39 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/11 14:02:57 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/03/07 09:41:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/10/24 09:30:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\NVIDIA Corporation
[2008/04/03 17:40:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[2008/02/17 19:42:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2008/02/17 19:26:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2008/02/17 19:26:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Google
[4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/09 10:13:29 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/09 10:12:25 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/09 10:12:24 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/09 10:12:21 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/09 10:12:20 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/09 10:12:18 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/09 10:09:08 | 00,011,215 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/09 10:08:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/09 10:08:12 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/09 10:07:34 | 06,815,744 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/01/09 10:07:34 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/09 09:41:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/09 09:22:01 | 00,000,270 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/01/08 19:34:18 | 00,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/01/08 16:48:00 | 00,043,520 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Check Register.xls
[2010/01/08 14:30:14 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Budget.xls
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/05 12:21:32 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Accounts Payable.xls
[2010/01/04 14:44:45 | 00,000,020 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\aionmemo_26895a57.dat
[2010/01/01 01:20:01 | 00,000,318 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/22 19:19:00 | 00,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2009/12/22 19:18:52 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/22 12:28:08 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/12/20 23:11:52 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2009/12/20 23:09:56 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/12/20 21:58:43 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 12:09:59 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/09 09:05:55 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/09 09:05:54 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/09 09:05:53 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/09 09:05:52 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2009/12/22 19:24:09 | 00,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/12/22 19:19:00 | 00,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2009/12/22 12:28:08 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/12/20 23:12:25 | 00,011,215 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/20 23:11:52 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2009/12/20 23:09:55 | 00,000,340 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/12/20 23:09:55 | 00,000,318 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/20 21:58:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/19 12:13:54 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\setup_ldm.iss
[2009/02/13 14:17:50 | 00,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2008/03/10 17:26:46 | 00,000,000 | ---- | C] () -- C:\Program Files\temp01
[2008/03/10 11:43:32 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2008/03/09 14:10:37 | 00,000,831 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/02/22 17:56:46 | 00,000,368 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/02/17 19:25:15 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/02/17 18:14:01 | 00,000,246 | ---- | C] () -- C:\Program Files\Common Files\labu
[2008/02/05 18:42:33 | 00,000,180 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\menu.new
[2008/02/05 18:42:33 | 00,000,180 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\menu.bfm
[2008/01/30 09:18:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/30 08:18:15 | 00,000,056 | ---- | C] () -- C:\WINDOWS\wb.ini
[2008/01/30 08:05:50 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/01/18 17:43:53 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/01/18 17:43:53 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/01/18 17:43:52 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/18 17:43:52 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/01/18 17:43:51 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/03/12 12:01:30 | 00,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2005/12/28 11:01:34 | 00,002,374 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/05 13:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 3552 bytes -> C:\WINDOWS\alienware logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc
< End of report >
Thanks John (sund)
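The log above ends with OTL's numbered autostart sections (O20 Winlogon notify DLLs, O31 SafeBoot shell, O33 MountPoints2 drive autorun, O34 BootExecute, O35 exefile/comfile handlers, then the alternate data stream). Reading those by eye is how a helper spots a hijack; the small Python pass below does the same triage mechanically. It is an added example, not code from the original post or from the OTL tool. The sample lines are constructed to match the log format above; the final O35 entry naming hooked.exe is hypothetical and shows what a hijacked exefile association looks like. The stock values it compares against ("%1" %* for the open handler, cmd.exe for SafeBoot AlternateShell, autocheck autochk * for BootExecute) are the Windows XP defaults and are assumed, not read from the page.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of the OTL log above. The first seven
# entries mirror stock Windows XP values; the last O35 line is hypothetical
# and shows what a hijacked exefile association would look like.
SAMPLE_LOG = r"""
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "C:\WINDOWS\system32\hooked.exe" "%1" %*
"""

ITEM_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")      # "O34 - <body>"
COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")       # trailing "(Company)" or "()"
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^"()]+?\.(?:exe|dll|sys|bat|cmd)\b', re.IGNORECASE)

# Stock Windows XP values (assumed defaults, not taken from the log).
DEFAULT_OPEN_CMD = '"%1" %*'
DEFAULT_SAFEBOOT_SHELL = "cmd.exe"
STOCK_BOOTEXECUTE = "autocheck autochk *"

Finding = Tuple[str, str, str]   # (section code, reason, original line)


def triage_otl(text: str) -> List[Finding]:
    """Return the OTL items that deserve a second look, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if not m:
            continue                      # headers, blank lines, file listings
        code, body = m.groups()

        if code == "O35":
            # exefile/comfile [open] handler: anything other than "%1" %*
            # runs a wrapper binary every time an .exe or .com is started.
            _, _, cmd = body.partition(" -- ")
            if cmd.strip() != DEFAULT_OPEN_CMD:
                findings.append((code, "shell association hijack", line))
            continue

        if code == "O31":
            # Shell used by "Safe Mode with Command Prompt".
            shell = body.rsplit(" - ", 1)[-1].strip()
            if shell.lower() != DEFAULT_SAFEBOOT_SHELL:
                findings.append((code, "SafeBoot shell replaced", line))
            continue

        if "File not found" in body:
            # "autocheck" is an smss keyword, not a file path, so OTL cannot
            # resolve the stock BootExecute value; that one is benign.
            if STOCK_BOOTEXECUTE in body:
                continue
            findings.append((code, "referenced file missing", line))
            continue

        cm = COMPANY_RE.search(body)
        if cm is not None and not cm.group(1).strip() and WINPATH_RE.search(body):
            # A binary in an autostart location with no version/company info.
            findings.append((code, "autostart binary without company/version info", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage_otl(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

On the sample this reports three items: the O33 MountPoints2 entry whose E:\LaunchU3.exe is gone (usually a removable drive that is no longer plugged in, but still worth confirming), the O34 lsdelete.exe with no company name (check it against the product that installed it before deleting anything), and the hypothetical hooked exefile handler. Entries signed with a company name and pointing at present files, like the O20 wlnotify.dll line, pass without comment, which is the point: the script narrows the list, and the helper still makes the call.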

#8 myrti (Malware Study Hall Admin)

Posted 09 January 2010 - 11:02 AM

Hi,

things are looking good. How is your PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 sund (Topic Starter)

Posted 09 January 2010 - 06:32 PM

Hello myrti,
Things seem to be OK with the PC; the virus and malware scanners have not picked anything up.
It also seems that no one has hacked the game account so maybe we got it.
Will let ya know in a few days how things are going.
Thanks for your help.
John

#10 myrti (Malware Study Hall Admin)

Posted 09 January 2010 - 07:12 PM

Hi,

if everything is working fine, all that is left to do is to remove the programs we used. Please let me know, once you are sure that everything is fine, that you are proceeding with those steps:

Read these last few lines, in order to keep your PC safe and clean:
Please do the following to clean up your PC:
  • Delete the tools used during the disinfection:
    • Download OTC from the following mirrors and save it to your desktop:
    • Double click on the OTC icon on your desktop.
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  • If OTC failed to remove all programs from your Desktop, please delete the rest manually.
  • Disable and Enable System Restore.
    You can find instructions on how to disable and re-enable System Restore here:
    Windows ME System Restore Guide
    Windows XP System Restore Guide
    Windows Vista System Restore Guide

    Note: You should only do this once, not on a regular basis!
    You will not be able to restore the computer to any point earlier than today!
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:

Have a nice day
myrti



#11 myrti (Malware Study Hall Admin)

Posted 15 January 2010 - 05:13 PM

Since this issue seems to be resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
