
Infected by richtx64.exe file (bogus popups)


  • This topic is locked
9 replies to this topic

#1 Mvet

  • Members
  • 14 posts

Posted 03 January 2010 - 08:39 AM

Previous cleanup post http://www.bleepingcomputer.com/forums/ind...=282902&hl=

Items run: Rkill, MBAM, ATF Cleaner, SAS, RootRepeal, Win32kDiag

It appears that the infection is mostly gone. Everything seems to be running OK; even the restore function is working again, but all the old restore points are gone. Things are occasionally slow: even when just switching windows on the desktop, the refreshes are slow.

Some suspicious files appeared in the ROOTREPEAL report. I am posting here as requested.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Papa at 6:37:00.04 on Sun 01/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1547 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPER\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Documents and Settings\Papa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [PowerBar]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\super\SUPERAntiSpyware.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\office\office\OSA9.EXE
IE: {722FE9B2-6895-42D9-9984-F4CB26616023} - {722FE9B2-6895-42D9-9984-F4CB26616023} - c:\program files\cosmi\perfect pdf creator essentials\pdfshell.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214971900939
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5846/mcfscan.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\super\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\super\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\papa\applic~1\mozilla\firefox\profiles\typevo6t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.egroupweb.com/Group/home/default.asp|http://dsl.sbc.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R1 SASKUTIL;SASKUTIL;c:\program files\super\SASKUTIL.SYS [2009-12-16 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-2 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-2 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-2 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-2 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-2 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-2 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-2 40552]
S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\super\sasdifsv.sys --> c:c:\program files\super\SASDIFSV.SYS [?]
S2 0273261262441317mcinstcleanup;McAfee Application Installer Cleanup (0273261262441317);c:\docume~1\papa\locals~1\temp\027326~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\papa\locals~1\temp\027326~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-2 34248]
S3 SASENUM;SASENUM;\??\c:\??\c:\program files\super\sasenum.sys --> c:c:\program files\super\SASENUM.SYS [?]
S3 WPEServ;soft Xpansion Print2Document;c:\program files\common files\wpe\wpeserv.exe [2008-12-9 323584]

=============== Created Last 30 ================

2010-01-02 14:49:11 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-02 14:10:52 7363 ----a-w- c:\windows\system32\Config.MPF
2010-01-02 14:08:47 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-02 14:08:47 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-01-02 14:08:47 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-02 14:08:44 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-02 14:08:13 0 d-----w- c:\program files\common files\McAfee
2010-01-02 14:08:12 0 d-----w- c:\program files\McAfee.com
2010-01-02 14:05:09 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-01-01 00:56:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 00:56:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 00:56:48 0 d-----w- c:\program files\MBAM
2009-12-31 11:42:42 2148 ----a-w- c:\windows\system32\wpa.dbl
2009-12-30 14:30:30 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 05:49:09 0 d-----w- c:\windows\McAfee.com
2009-12-29 20:52:25 0 d-----w- c:\program files\McAfee
2009-12-29 18:28:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-29 18:28:32 0 d-----w- c:\program files\SUPER
2009-12-29 18:28:32 0 d-----w- c:\docume~1\papa\applic~1\SUPERAntiSpyware.com
2009-12-29 18:27:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-29 16:23:16 0 d-----w- c:\docume~1\papa\applic~1\Malwarebytes
2009-12-29 16:13:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-20 12:10:31 0 d-----w- c:\docume~1\papa\applic~1\McAfee
2009-12-20 12:09:46 0 d-----w- C:\Virus Stuff
2009-12-19 13:11:14 0 d-----w- c:\windows\Crap Preload

==================== Find3M ====================

2009-12-29 20:52:49 10410 ----a-w- c:\program files\PLs.txt
2009-11-07 11:43:46 5120 ----a-w- c:\windows\system32\BReWErS.dll
2009-11-04 22:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-03 23:48:55 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-03 23:48:47 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-24 12:17:33 22328 ----a-w- c:\docume~1\papa\applic~1\PnkBstrK.sys
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2004-10-01 20:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 6:37:31.99 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/03 06:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD17C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9C2B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_uo69qx3qcckvo9q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_x1k8hya3vba5ohn
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_nhur5ehqis8lrki
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_pqekggzfrj4raph
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ctbwof5rbrttns6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Core.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\stdole.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\stdole.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Xceed.Compression.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Xceed.Compression.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPER\SASKUTIL.sys" at address 0xad3ae0b0

==EOF==
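Added example (not part of Mvet's post, and not a BleepingComputer or RootRepeal tool): a Python script that reads a RootRepeal report like the one above and sorts its entries the way a helper does by hand. The benign patterns are the ones visible in this log: dump_*.sys drivers with no visible file are the in-memory crash-dump copies of the storage stack, rootrepeal.sys is the scanner's own driver, the sqlite_* files in c:\windows\temp are scratch files held open by a running program, the Apps\2.0\...\manifests entries are the ClickOnce application cache, and the NtTerminateProcess hook by SASKUTIL.sys belongs to the installed SUPERAntiSpyware. Anything that matches none of these is marked for review. The KNOWN_SECURITY_DRIVERS allow-list is an assumption taken from the DDS log in the same post, and the unknown.sys driver in the sample input is constructed so that the review path is exercised; it does not appear in the poster's log.

```python
# Added example (not from the thread or the RootRepeal tool): triage a RootRepeal
# report the way a forum helper reads it. KNOWN_SECURITY_DRIVERS is an assumption.
import re

# Constructed input: representative entries from the report pasted above plus one
# made-up driver, unknown.sys, that is NOT in the poster's log.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD17C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: unknown.sys
Address: 0xA9C00000 Size: 12288 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_uo69qx3qcckvo9q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\stdole.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPER\SASKUTIL.sys" at address 0xad3ae0b0

==EOF==
"""

# Assumption: security software seen in the DDS log of the same post; their drivers
# may legitimately be hidden or hook the SSDT, anything else is flagged for review.
KNOWN_SECURITY_DRIVERS = {
    "saskutil.sys": "SUPERAntiSpyware", "sasdifsv.sys": "SUPERAntiSpyware",
    "mfehidk.sys": "McAfee", "rootrepeal.sys": "RootRepeal (the scanner itself)",
}
HOOK_RE = re.compile(r'Hooked by "([^"]+)"')
SSDT_RE = re.compile(r"#: \d+ Function Name: (\S+)")
SQLITE_TEMP_RE = re.compile(r"^c:\\windows\\temp\\sqlite_[a-z0-9]+$", re.I)
CLICKONCE_RE = re.compile(r"\\Local Settings\\Apps\\2\.0\\.+\\manifests\\", re.I)

def parse_entry(lines):
    """Field dict for one blank-line-delimited block; the Address line packs four fields."""
    e = {}
    for line in lines:
        m = re.match(r"(Name|Image Path|Path|Status): (.*)", line)
        if m:
            e[m.group(1).lower().replace(" ", "_")] = m.group(2)
        for pat, key in ((r"File Visible: (\S+)", "file_visible"), (SSDT_RE, "function")):
            m = re.search(pat, line)
            if m:
                e[key] = m.group(1)
    return e

def parse_report(text):
    """{section: [entry, ...]} for the Drivers, Hidden/Locked Files and SSDT sections."""
    body = text.split("==EOF==")[0]
    parts = re.split(r"^(Drivers|Hidden/Locked Files|SSDT)\n-+\n", body, flags=re.M)
    sections = {}
    for name, chunk in zip(parts[1::2], parts[2::2]):
        blocks = [b.strip().splitlines() for b in re.split(r"\n\s*\n", chunk) if b.strip()]
        sections[name] = [parse_entry(b) for b in blocks]
    return sections

def classify(section, e):
    """(verdict, reason) for one entry; 'review' means a helper should look closer."""
    name, path, status = e.get("name", "").lower(), e.get("path", ""), e.get("status", "")
    if section == "Drivers":
        if name.startswith("dump_") and e.get("file_visible") == "No":
            return "benign", "in-memory crash-dump copy of the storage driver; has no file of its own"
        if name in KNOWN_SECURITY_DRIVERS:
            return "benign", "driver of " + KNOWN_SECURITY_DRIVERS[name]
        return "review", "unlisted driver, file visible: %s, status %r" % (e.get("file_visible"), status)
    if section == "Hidden/Locked Files":
        if SQLITE_TEMP_RE.match(path) and status.startswith("Allocation size mismatch"):
            return "benign", "sqlite scratch file held open by a running program; check it is gone after reboot"
        if CLICKONCE_RE.search(path) and status == "Locked to the Windows API!":
            return "benign", "ClickOnce application cache manifest; routinely reported as locked"
        return "review", status
    m = HOOK_RE.search(status)                      # SSDT section: who owns the hooking module?
    module = m.group(1) if m else "<unknown>"
    owner = KNOWN_SECURITY_DRIVERS.get(module.rsplit("\\", 1)[-1].lower())
    if owner:
        return "benign", "%s hooked by %s" % (e.get("function"), owner)
    return "review", "%s hooked by unlisted module %s" % (e.get("function"), module)

def triage(report):
    """One finding per entry, in report order."""
    keys = {"Drivers": "name", "Hidden/Locked Files": "path", "SSDT": "function"}
    return [dict(zip(("section", "item", "verdict", "reason"),
                     (s, e.get(keys[s], "?")) + classify(s, e)))
            for s, entries in report.items() for e in entries]

if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print("[%-6s] %-19s %s -- %s" % (f["verdict"], f["section"], f["item"], f["reason"]))
```

Run as a script it prints one line per entry; the 'review' lines are what to post back to the helper. A report with nothing left to review only says that RootRepeal saw nothing it could not explain, which is why the helper still asks for fresh logs from a second tool.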


#2 myrti

  • Malware Study Hall Admin
  • 33,772 posts

Posted 11 January 2010 - 11:14 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti



#3 Mvet (Topic Starter)

  • Members
  • 14 posts

Posted 12 January 2010 - 03:58 PM

Thanks myrti for the assist,

My computer seems to be running OK but slow. I am assuming it's slower because MBAM is still running, but I'm not sure.

I believe Flash was updated through Firefox since the last fixes but I am not positive.

I did have some problems downloading the OTL program; I had to click Save As, change the type to all files and change the extension, then rename it to .exe, then right-click on it and change it to Unblock (or something similar) in order to get it to run. I believe this is partially due to the security settings of IE, but I'm again not positive.

Here are the reports.

*************************************************************************

OTL logfile created on: 1/12/2010 2:42:30 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Papa\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 195.31 Gb Total Space | 131.92 Gb Free Space | 67.55% Space Free | Partition Type: NTFS
Drive D: | 74.46 Gb Total Space | 5.50 Gb Free Space | 7.39% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OLD-STYLE-KEG
Current User Name: Papa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/12 14:42:13 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Papa\Desktop\OTL.exe
PRC - [2010/01/07 05:34:22 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPER\SUPERAntiSpyware.exe
PRC - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/11/03 17:48:55 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2009/10/28 11:50:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/07/27 18:19:10 | 00,199,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/07 23:30:22 | 00,192,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSM\McSmtFwk.exe
PRC - [2009/01/23 10:46:14 | 00,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/12/01 14:38:44 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/09/02 10:48:12 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/09/02 10:40:46 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/07/12 03:58:02 | 01,397,760 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2006/02/19 04:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PRC - [2006/02/19 03:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2006/02/10 06:56:12 | 00,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2005/07/08 16:24:46 | 00,871,424 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/12 14:42:13 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Papa\Desktop\OTL.exe
MOD - [2009/01/23 10:46:18 | 00,013,840 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (LiveUpdate)
SRV - File not found [Disabled | Stopped] -- -- (Automatic LiveUpdate Scheduler)
SRV - [2009/12/17 16:37:52 | 00,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/11/03 17:48:55 | 00,066,872 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/27 08:50:12 | 00,316,312 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Documents and Settings\Papa\Local Settings\Temp\0273261262441317mcinst.exe -- (0273261262441317mcinstcleanup) McAfee Application Installer Cleanup (0273261262441317)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/01/23 10:46:14 | 00,203,280 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2008/12/01 14:38:44 | 00,598,016 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2008/12/01 13:35:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/05/08 15:30:48 | 00,323,584 | ---- | M] (soft Xpansion) [On_Demand | Stopped] -- C:\Program Files\Common Files\WPE\wpeserv.exe -- (WPEServ)
SRV - [2005/07/08 16:24:46 | 00,871,424 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2005/05/20 09:37:12 | 00,081,920 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE -- (HP Port Resolver)
SRV - [2004/10/16 04:31:06 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE -- (HP Status Server)


========== Driver Services (SafeList) ==========

DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPER\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/04 16:54:12 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/12/01 16:13:42 | 03,452,928 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/04/13 12:45:36 | 00,026,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser)
DRV - [2008/04/13 10:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/04/11 15:33:14 | 00,028,688 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2007/04/11 15:32:58 | 00,036,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/04/11 15:32:52 | 00,034,832 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2006/07/12 03:58:02 | 00,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2005/10/21 19:58:58 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2005/10/21 19:58:52 | 00,049,920 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2005/10/21 19:52:48 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2005/08/19 02:00:00 | 00,046,080 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/07/18 11:24:06 | 00,037,760 | R--- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P2k.sys -- (P2k)
DRV - [2005/07/08 16:17:54 | 00,099,584 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/07/08 16:17:36 | 00,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/09/03 11:23:38 | 00,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 07:36:20 | 00,098,176 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NBF.SYS -- (Nbf)
DRV - [2004/08/12 07:26:42 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/04/09 11:41:30 | 00,612,352 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/04/01 12:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



IE - HKU\S-1-5-21-329068152-562591055-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-329068152-562591055-1801674531-1003\S-1-5-21-329068152-562591055-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-329068152-562591055-1801674531-1003\S-1-5-21-329068152-562591055-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.egroupweb.com/Group/home/default.asp|http://dsl.sbc.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.8
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.60
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.8

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/01/12 09:20:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 05:34:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 05:34:28 | 00,000,000 | ---D | M]

[2008/07/04 10:13:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Papa\Application Data\Mozilla\Extensions
[2010/01/10 06:34:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Papa\Application Data\Mozilla\Firefox\Profiles\typevo6t.default\extensions
[2010/01/08 05:44:37 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Papa\Application Data\Mozilla\Firefox\Profiles\typevo6t.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/12/03 05:39:45 | 00,000,000 | ---D | M] () -- C:\Documents and Settings\Papa\Application Data\Mozilla\Firefox\Profiles\typevo6t.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2009/10/28 05:20:51 | 00,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Papa\Application Data\Mozilla\Firefox\Profiles\typevo6t.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/01/05 06:06:25 | 00,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Papa\Application Data\Mozilla\Firefox\Profiles\typevo6t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/01/10 06:34:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe File not found
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-329068152-562591055-1801674531-1003..\Run: [PowerBar] File not found
O4 - HKU\S-1-5-21-329068152-562591055-1801674531-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPER\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk = C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-562591055-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to 'Perfect PDF Creator Essentials' - {722FE9B2-6895-42D9-9984-F4CB26616023} - C:\Program Files\Cosmi\Perfect PDF Creator Essentials\pdfshell.dll (soft Xpansion)
O9 - Extra 'Tools' menuitem : Send to 'Perfect PDF Creator Essentials' - {722FE9B2-6895-42D9-9984-F4CB26616023} - C:\Program Files\Cosmi\Perfect PDF Creator Essentials\pdfshell.dll (soft Xpansion)
O15 - HKU\S-1-5-21-329068152-562591055-1801674531-1003\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-329068152-562591055-1801674531-1003\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-329068152-562591055-1801674531-1003\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1214971900939 (WUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPER\SASWINLO.dll - C:\Program Files\SUPER\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPER\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 21:41:53 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/12 14:40:19 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Papa\Desktop\OTL.exe
[2010/01/12 14:37:43 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/12 08:19:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/01/05 06:06:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2010/01/05 06:06:50 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2010/01/03 06:36:38 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Papa\Desktop\RootRepeal.exe
[2010/01/02 08:49:11 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/02 08:08:47 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/01/02 08:08:47 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/01/02 08:08:47 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/01/02 08:08:44 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/01/02 08:08:13 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/01/02 08:08:12 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/01/02 08:05:09 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/12/31 18:56:50 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/31 18:56:48 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/31 18:56:48 | 00,000,000 | ---D | C] -- C:\Program Files\MBAM
[2009/12/30 08:30:30 | 00,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/12/29 23:49:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2009/12/29 14:52:25 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/12/29 13:59:29 | 00,000,000 | -HSD | C] -- C:\System Volume Information
[2009/12/29 12:28:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/29 12:28:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Papa\Application Data\SUPERAntiSpyware.com
[2009/12/29 12:28:32 | 00,000,000 | ---D | C] -- C:\Program Files\SUPER
[2009/12/29 12:27:58 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/12/29 10:23:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Papa\Application Data\Malwarebytes
[2009/12/29 10:13:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/20 20:36:42 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Papa\Desktop\22mbam-setup.exe
[2009/12/20 08:46:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Papa\Desktop\Test hold
[2009/12/20 06:10:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Papa\Application Data\McAfee
[2009/12/20 06:09:46 | 00,000,000 | ---D | C] -- C:\Virus Stuff
[2009/12/20 05:27:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Papa\Local Settings\Application Data\wswdsq
[2009/12/19 07:11:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\Crap Preload
[2009/04/01 15:23:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2008/08/26 02:00:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/07/01 22:33:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/07/01 21:46:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/07/01 21:44:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/02/19 02:28:56 | 00,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/12 14:42:13 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Papa\Desktop\OTL.exe
[2010/01/06 05:41:50 | 00,008,027 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/05 06:25:43 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Papa\Desktop\jxpiinstall-rv.exe
[2010/01/05 06:06:51 | 00,000,715 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan.lnk
[2010/01/05 06:06:51 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
[2010/01/03 06:42:01 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Papa\Desktop\settings.dat
[2010/01/03 06:35:12 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Papa\Desktop\dds.scr
[2010/01/02 09:13:20 | 00,002,148 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/02 09:11:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/02 09:11:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/02 09:11:00 | 04,456,448 | -H-- | M] () -- C:\Documents and Settings\Papa\NTUSER.DAT
[2010/01/02 09:10:58 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Papa\ntuser.ini
[2010/01/02 08:10:34 | 00,000,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2010/01/02 08:10:27 | 00,000,673 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee EasyNetwork.lnk
[2010/01/02 08:08:26 | 00,000,338 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/01/02 08:08:25 | 00,000,316 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/01/02 07:47:04 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Virtual Technician.lnk
[2010/01/01 22:58:16 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Papa\Desktop\RootRepeal.exe
[2010/01/01 05:07:58 | 04,240,656 | -H-- | M] () -- C:\Documents and Settings\Papa\Local Settings\Application Data\IconCache.db
[2009/12/31 18:56:52 | 00,000,589 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 06:06:20 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/12/31 06:01:01 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Papa\Desktop\rkill.scr
[2009/12/31 06:01:01 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Papa\Desktop\Copy of rkill.scr
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/30 10:24:46 | 00,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/30 08:29:28 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Papa\Local Settings\Application Data\housecall.guid.cache
[2009/12/29 06:25:50 | 00,001,943 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/26 21:31:50 | 00,144,896 | ---- | M] () -- C:\Documents and Settings\Papa\Desktop\Files List .doc
[2009/12/20 21:54:01 | 00,000,000 | ---- | M] () -- C:\WINDOWS\lgfwup.ini
[2009/12/20 21:52:24 | 00,520,908 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/20 21:52:24 | 00,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/20 21:52:24 | 00,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/20 20:36:49 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Papa\Desktop\22mbam-setup.exe
[2009/12/20 05:50:14 | 00,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/19 06:51:58 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/12/18 18:11:16 | 00,000,649 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/18 18:11:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/12/18 18:11:16 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/18 14:47:21 | 00,014,895 | ---- | M] () -- C:\WINDOWS\System32\config.mpf.old
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/05 06:25:43 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Papa\Desktop\jxpiinstall-rv.exe
[2010/01/05 06:06:51 | 00,000,715 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan.lnk
[2010/01/05 06:06:51 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
[2010/01/03 06:42:01 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Papa\Desktop\settings.dat
[2010/01/03 06:36:24 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Papa\Desktop\dds.scr
[2010/01/02 08:10:52 | 00,008,027 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/02 08:10:34 | 00,000,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2010/01/02 08:10:27 | 00,000,673 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee EasyNetwork.lnk
[2010/01/02 08:08:25 | 00,000,338 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/01/02 08:08:25 | 00,000,316 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/01/02 07:47:04 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Virtual Technician.lnk
[2009/12/31 18:56:52 | 00,000,589 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 06:01:16 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Papa\Desktop\Copy of rkill.scr
[2009/12/31 06:01:00 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Papa\Desktop\rkill.scr
[2009/12/31 05:42:42 | 00,002,148 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/30 08:29:28 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Papa\Local Settings\Application Data\housecall.guid.cache
[2009/12/29 12:28:33 | 00,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 21:31:50 | 00,144,896 | ---- | C] () -- C:\Documents and Settings\Papa\Desktop\Files List .doc
[2009/12/18 18:12:49 | 00,001,815 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009/12/18 18:12:49 | 00,001,764 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/12/18 18:12:49 | 00,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2009/12/18 18:12:49 | 00,000,805 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2009/12/18 14:36:08 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/11/04 17:35:41 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\BReWErS.dll
[2009/10/24 06:17:33 | 00,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/10/24 06:17:33 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Papa\Application Data\PnkBstrK.sys
[2009/10/24 06:17:10 | 00,000,273 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/08/18 18:10:17 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/08/02 13:47:25 | 00,001,092 | ---- | C] () -- C:\WINDOWS\ATICIM.INI
[2009/03/31 19:22:32 | 00,007,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/01/14 20:36:13 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2008/10/15 19:33:30 | 00,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2008/08/31 09:04:36 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2008/08/06 06:00:27 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/08/05 13:27:38 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/07/21 18:53:11 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/07/21 18:53:11 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/07/19 13:47:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2008/07/19 13:41:55 | 00,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2008/07/12 05:47:43 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\Papa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/08 18:29:41 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/07/08 18:27:08 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/07/08 18:27:08 | 00,000,101 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/07/04 07:03:15 | 00,010,440 | ---- | C] () -- C:\Program Files\PWs.txt
[2008/07/03 05:21:31 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\Papa\Local Settings\Application Data\fusioncache.dat
[2008/07/03 04:58:07 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/07/03 04:57:54 | 00,000,161 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2008/07/03 04:57:17 | 00,000,735 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2008/07/03 04:54:13 | 00,005,435 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2001/07/07 02:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/04/08 14:47:00 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\FViGxDS1.dll
[1997/11/21 17:03:20 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[1997/09/30 13:30:02 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Papa\Desktop\OTL.exe:SummaryInformation
< End of report >

************************************************************************************
OTL Extras logfile created on: 1/12/2010 2:42:31 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Papa\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 195.31 Gb Total Space | 131.92 Gb Free Space | 67.55% Space Free | Partition Type: NTFS
Drive D: | 74.46 Gb Total Space | 5.50 Gb Free Space | 7.39% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OLD-STYLE-KEG
Current User Name: Papa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-329068152-562591055-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\PROGRA~1\INTERN~1\IEXPLO~1.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00020409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Standard
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{02096E39-B6E4-A370-7F9E-E37F7EDB161F}" = Catalyst Control Center Localization Korean
"{02C2F0BB-B480-4121-BE86-33B70E53070B}" = Perfect PDF Creator Essentials
"{037F48E3-13FF-1809-66EB-0CE972EA1F13}" = CCC Help German
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{13E80FCE-B691-B5D6-B061-0CD52BE68CCF}" = Catalyst Control Center Localization Italian
"{159F5927-9E49-43A2-4471-5AEA9A32A7AF}" = Catalyst Control Center Localization Turkish
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{1A9DEF19-760C-4e01-958F-D9B8E6C61B90}" = c5100_Help
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{1FEE7522-C65F-43A8-64A4-292934E93AFF}" = ccc-core-static
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{23D683DD-93C6-48E6-B84E-78B57778F126}" = Oblivion - Construction Set
"{279D22E7-F4FF-344A-7E9C-27E7BAEB5C23}" = CCC Help Chinese Standard
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{39ADDC4A-3167-4043-17A4-00F39365E47D}" = Catalyst Control Center Localization Hungarian
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{47BE58EA-9792-9706-4150-7A1BAF76052E}" = Catalyst Control Center Localization Portuguese
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{4C70B129-BDA1-8684-013D-1C06ABC308FD}" = Catalyst Control Center Graphics Full New
"{4C956AB5-2850-4EA6-DAAA-F8B9BF793CB7}" = ccc-utility
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53CDAAAB-6D41-4A36-BAA4-90261DE31B13}" = NetZero For Cosmi
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5A4DAE31-2CCE-E8DB-D51A-472A71F33E71}" = CCC Help Italian
"{61100673-2546-42E1-BF92-467B5CB2AC6D}" = DeductionPro 2008
"{61C3245C-40EF-4284-B59E-B1394BB47A6B}" = Media Downloader
"{6688119C-6931-505B-F848-0D81645F1066}" = Catalyst Control Center Graphics Previews Common
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68111D00-6372-4531-4A63-FC3C00CAC16C}" = CCC Help Japanese
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{74BC5C3F-FB90-2E6F-950E-EAE8B2CBA5E9}" = Catalyst Control Center Graphics Full Existing
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7D4018F6-9D7F-CAD3-64D6-F8C2EC69D484}" = Catalyst Control Center Core Implementation
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{81773B4D-6662-1B1C-DC24-003C99E59C6F}" = Catalyst Control Center Localization French
"{819D728C-71AF-EF69-222A-DF06525851D2}" = Catalyst Control Center Localization Chinese Standard
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9265F28B-6782-A8E5-BBC2-902984740C0F}" = CCC Help Portuguese
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9D4A51AB-287D-653E-3DDF-4151448637C6}" = CCC Help Spanish
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E900FD-A496-8286-A469-C7A5A3405B8E}" = ccc-core-preinstall
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABD96CD8-7D48-DC4F-DE59-C33883D4D663}" = Catalyst Control Center Localization Chinese Traditional
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B3B9BC18-2A09-4728-9B46-12E85FF3F628}" = C5100
"{B5DB0394-5D1D-255B-E1AF-0AE871538CA9}" = Skins
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B82AB6E8-1A67-9C66-F369-1715D7756BF7}" = CCC Help Chinese Traditional
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C2B38EE0-1DBA-11A7-1CA5-A911FAF521AD}" = Catalyst Control Center Graphics Light
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7CB214-DB11-4B5D-A6AF-3B4ED47C68B7}" = Microsoft Game Studios Common Redistributables Pack 1
"{D2F619FA-9904-11C3-1BC9-36DFEBECD80B}" = CCC Help French
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D81FBA6E-5492-4C46-BAE3-3A9242C27210}" = TaxCut Basic + Efile 2008
"{DA2DF231-D6AB-8712-09F9-1C4CC9C39123}" = CCC Help Hungarian
"{DB2BF6CE-6584-5293-D7A5-DE40C237F714}" = CCC Help Korean
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E481DB0E-52F2-4EE0-9BDA-9EE173FA6EA2}" = Catalyst Control Center - Branding
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E54A8977-22E8-4A64-BF2C-E60FE122733A}" = Micrografx Designer 9.0
"{EC67F478-4621-984C-D103-74C55854D18F}" = Catalyst Control Center Localization Japanese
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F8102E51-AE00-2EA9-ED0C-09647D9D2BCD}" = CCC Help Turkish
"{F826ACD8-B6BD-F292-F4C1-483EF8E47D66}" = Catalyst Control Center Localization Spanish
"{F8B820F2-39D0-C7A6-0673-A033160279CB}" = Catalyst Control Center Localization German
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FC788B78-9A40-8949-6558-9635477468C0}" = CCC Help English
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Freelancer 1.0" = Freelancer
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InCD!UninstallKey" = InCD
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSC" = McAfee SecurityCenter
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"PokerStars" = PokerStars
"ST6UNST #1" = Weapons File Editor
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = The GIMP 2.2.15
"WinGTK-2_is1" = GTK+ 2.10.11 runtime environment
"WT015792" = FATE
"Yahoo! Applications" = AT&T Yahoo! Applications

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-329068152-562591055-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/30/2009 7:57:19 PM | Computer Name = OLD-STYLE-KEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/30/2009 7:57:19 PM | Computer Name = OLD-STYLE-KEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/30/2009 7:57:19 PM | Computer Name = OLD-STYLE-KEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/30/2009 7:57:19 PM | Computer Name = OLD-STYLE-KEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/30/2009 7:57:19 PM | Computer Name = OLD-STYLE-KEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/30/2009 9:32:31 PM | Computer Name = OLD-STYLE-KEG | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.32.0.1000, faulting
module superantispyware.exe, version 4.32.0.1000, fault address 0x000a2e15.

Error - 12/30/2009 10:07:31 PM | Computer Name = OLD-STYLE-KEG | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.32.0.1000, faulting
module superantispyware.exe, version 4.32.0.1000, fault address 0x000a2e15.

Error - 12/30/2009 10:14:48 PM | Computer Name = OLD-STYLE-KEG | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.32.0.1000, faulting
module superantispyware.exe, version 4.32.0.1000, fault address 0x000a2e15.

Error - 12/31/2009 7:42:42 AM | Computer Name = OLD-STYLE-KEG | Source = Windows Product Activation | ID = 1010
Description = The Windows license was restored due to a system error. You might
need to reactivate your Windows product.

Error - 12/31/2009 7:49:40 AM | Computer Name = OLD-STYLE-KEG | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.32.0.1000, faulting
module superantispyware.exe, version 4.32.0.1000, fault address 0x000a2e15.

[ System Events ]
Error - 12/30/2009 9:34:52 PM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%123

Error - 12/30/2009 10:00:38 PM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 12/30/2009 10:00:43 PM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7031
Description = The McAfee Proxy Service service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 12/30/2009 10:00:51 PM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7031
Description = The McAfee Network Agent service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 1/2/2010 9:01:32 AM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7000
Description = The McAfee Real-time Scanner service failed to start due to the following
error: %%3

Error - 1/2/2010 9:01:32 AM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7000
Description = The McAfee Personal Firewall Service service failed to start due to
the following error: %%3

Error - 1/2/2010 9:01:32 AM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV

Error - 1/2/2010 9:02:20 AM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%123

Error - 1/2/2010 9:02:24 AM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7000
Description = The SASENUM service failed to start due to the following error: %%123

Error - 1/2/2010 9:48:26 AM | Computer Name = OLD-STYLE-KEG | Source = Service Control Manager | ID = 7000
Description = The McAfee SystemGuards service failed to start due to the following
error: %%3


< End of report >
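The OTL Extras log above is where a helper checks two things a rogue-AV infection commonly tampers with: the shell\open\command handlers for the executable file classes (a hijacked exefile handler runs the malware before every program the user starts) and the Security Center and Windows Firewall values that silence warnings. In this log the exefile handler is still the stock "%1" %*, two keys are missing ("Reg Error: Key error."), and Security Center monitoring plus the built-in firewall are off, which is consistent with McAfee having taken them over but is still worth confirming. The script below is an added example for this page, not code from OTL, BleepingComputer or the poster; it re-parses a pasted OTL log offline and reports the deviations. The table of stock Windows XP SP3 handler values and the list of values to review are my assumptions, and the "C:\hijack\sample.exe" handler in the embedded sample is constructed to show what a hit looks like.

```python
"""Offline triage of the "Shell Spawning" and "Security Center Settings"
sections of an OTL Extras log.

Added example for this thread; not code from OTL, BleepingComputer or the
poster. EXPECTED_OPEN and REVIEW_VALUES are assumptions (stock Windows XP
SP3 values and the settings a responder should re-check)."""
import re

# Assumed stock [open] handlers for executable file classes on XP SP3.
# Rogue-AV families rewrite exefile\shell\open\command so their binary runs
# first; comparing against the stock value catches that whatever the path is.
EXPECTED_OPEN = {
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# exefile [open] -- "%1" %*
# htmlfile [print] -- "C:\...\msohtmed.exe" /p %1 (Microsoft Corporation)
SPAWN_RE = re.compile(
    r'^(?P<cls>\S+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.*?)(?: \((?P<vendor>[^()]*)\))?$'
)
KV_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<val>.+)$')

# (value name, value) pairs worth a second look. A third-party suite sets
# them legitimately when it takes over monitoring; malware flips the same
# values to silence Security Center warnings.
REVIEW_VALUES = {
    ("DisableMonitoring", "1"),
    ("EnableFirewall", "0"),
    ("AntiVirusOverride", "1"),
    ("FirewallOverride", "1"),
    ("AntiVirusDisableNotify", "1"),
    ("FirewallDisableNotify", "1"),
    ("UpdatesDisableNotify", "1"),
}


def sections(text):
    """Split an OTL log into {section title: [lines]} on its '==== Title ====' headers."""
    out, title = {}, None
    for line in text.splitlines():
        if line.startswith("========== ") and line.endswith(" =========="):
            title = line.strip("= ")
            out[title] = []
        elif title is not None:
            out[title].append(line.rstrip())
    return out


def check_shell_spawning(lines):
    """Return (kind, class, verb, command) for handlers that deviate from stock."""
    findings = []
    for line in lines:
        m = SPAWN_RE.match(line)
        if not m:
            continue
        cls, verb, cmd = m.group("cls"), m.group("verb"), m.group("cmd")
        if cmd.startswith("Reg Error:"):
            findings.append(("missing", cls, verb, cmd))
        elif verb == "open" and cls in EXPECTED_OPEN and cmd != EXPECTED_OPEN[cls]:
            findings.append(("hijacked", cls, verb, cmd))
    return findings


def check_security_center(lines):
    """Return (registry key, value name, value) triples that match REVIEW_VALUES."""
    key, flagged = None, []
    for line in lines:
        if line.startswith("[HKEY_") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = KV_RE.match(line)
        if m and key and (m.group("name"), m.group("val")) in REVIEW_VALUES:
            flagged.append((key, m.group("name"), m.group("val")))
    return flagged


def triage(text):
    """Run both checks over a pasted OTL Extras log."""
    secs = sections(text)
    return {
        "shell": check_shell_spawning(secs.get("Shell Spawning", [])),
        "security_center": check_security_center(secs.get("Security Center Settings", [])),
    }


# Constructed sample: the lines copy this thread's OTL output except the
# exefile handler, which is invented to show what a hijacked entry looks like.
SAMPLE_OTL = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "C:\hijack\sample.exe" "%1" %*
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

if __name__ == "__main__":
    for check, items in triage(SAMPLE_OTL).items():
        for item in items:
            print(check, *item)
```

Paste a whole OTL Extras log in place of SAMPLE_OTL; the section splitter ignores everything outside the two blocks it knows. A "hijacked" hit on exefile is the finding that matters most, because every program launch then goes through the listed binary; the "missing" entries and the Security Center values are only a prompt to confirm that the installed suite, not malware, is responsible.

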
#4 myrti

  • Malware Study Hall Admin
Posted 12 January 2010 - 04:41 PM

Hi,

Please post the Malwarebytes log once it has finished scanning.

Please also provide a log from gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 Mvet

  • Topic Starter

Posted 12 January 2010 - 07:44 PM

I stated that MBAM was running but I see now that it is SUPERAntiSpyware instead.

I ran a MBAM full scan and posted it anyway because I figured it wouldn't hurt.

It didn't hurt except for how long it took :(

***************************************************************

Malwarebytes' Anti-Malware 1.43
Database version: 3465
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/12/2010 6:44:26 PM
mbam-log-2010-01-12 (18-44-26).txt

Scan type: Full Scan (C:\|G:\|H:\|)
Objects scanned: 237011
Time elapsed: 49 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 myrti

Posted 12 January 2010 - 08:50 PM

Hi,

did superantispyware find and remove anything? Please also provide the log from gmer I asked for.

regards myrti



#7 Mvet


Posted 13 January 2010 - 10:51 PM

I downloaded gmer and ran it. It was running for a long time and had a list of maybe 20-30 items in the window. The scan was still going but what I saw in the window looked pretty normal to me. I came back about an hour later and there was a BSOD with an application error (C0000145). I rebooted into safe mode and had it start another scan, then I went to bed. When I got up in the morning, the scan showed complete but only the one error that is posted below. I was then suspicious of whether the log was from the complete scan I started the night before or from a possible automatic scan. I wasn't sure so I left it alone until I got home from work. I ran another full scan and watched it complete and again it only had the one entry so I figured that must be all it found during Safe mode. I intend to try running the full scan again once I am done posting this. SUPERAntiSpyware found nothing.

***********************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 06:00:06
Windows 5.1.2600 Service Pack 3
Running: 9h8s8roh.exe; Driver: C:\DOCUME~1\Papa\LOCALS~1\Temp\uxliyuow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

*************************************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 21:33:30
Windows 5.1.2600 Service Pack 3
Running: 9h8s8roh.exe; Driver: C:\DOCUME~1\Papa\LOCALS~1\Temp\uxliyuow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
*************************************************

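The GMER logs posted above, and the longer one in the next post, list kernel hooks by the module that owns them, with the file's description and company in parentheses when GMER can read its version resource. Hooks owned by a security product (McAfee's mfehidk.sys, SUPERAntiSpyware's SASKUTIL.sys, Microsoft's fltmgr.sys filter attached to the FAT file system) are expected on this machine; a hook with no owner, an owner with no version information, or an owner living under a user-writable path is what a rootkit looks like in this output. The script below is an added example for this page, not code from GMER, BleepingComputer or the poster; it groups a pasted GMER log by owner and sorts the questionable owners to the top. The path heuristics are assumptions, and "attributed" means only that GMER read version information from the file, not that the file is clean: a helper still checks the hash against the vendor's. The embedded sample copies lines from this thread and adds two constructed ones (a hook owned by a driver under a Temp directory and an inline JMP that GMER could not attribute).

```python
"""Group the hook lines of a GMER log by the driver that owns them.

Added example for this thread; not code from GMER, BleepingComputer or the
poster. USER_WRITABLE and the status labels are assumptions. 'attributed'
means GMER read version information from the owner, nothing more."""
import re
from collections import defaultdict

# SSDT \??\C:\...\SASKUTIL.sys (desc/company) ZwTerminateProcess [0xACB700B0]
# Code \SystemRoot\...\mfehidk.sys (desc/company) NtCreateFile
TABLE_RE = re.compile(
    r'^(?P<kind>SSDT|Shadow SSDT|Code|INT)\s+(?P<module>.+?)'
    r'(?:\s+\((?P<info>[^()]*)\))?\s+(?P<func>[A-Za-z_]\w*)'
    r'(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$'
)
# .text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP ACAB27B8 \SystemRoot\...\mfehidk.sys (desc/company)
INLINE_RE = re.compile(
    r'^(?P<section>\S+)\s+(?P<target>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+) Bytes\s+'
    r'(?P<patch>.*?)(?:\s+(?P<module>\\.+?)(?:\s+\((?P<info>[^()]*)\))?)?$'
)
# AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (desc/company)
DEVICE_RE = re.compile(
    r'^AttachedDevice\s+(?P<device>\S+)\s+(?P<attached>\S+)\s+(?P<module>\S+)'
    r'(?:\s+\((?P<info>[^()]*)\))?$'
)

UNRESOLVED = "<unresolved>"
# Assumed: a boot-time kernel driver has no business living under these.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\docume~1\\", "\\locals~1\\")
ORDER = {"no owner resolved": 0, "user-writable path": 1, "no version info": 2, "attributed": 3}


def classify(module, info):
    """Assumed triage rule: why the owner of a hook deserves a look."""
    if module is None or re.fullmatch(r"[0-9A-Fa-f]{8}", module):
        return "no owner resolved"          # GMER printed a bare address or nothing
    if any(p in module.lower() for p in USER_WRITABLE):
        return "user-writable path"
    if not info:
        return "no version info"            # no (description/company) tag
    return "attributed"


def parse_gmer(text):
    """Return {owner module: {"info": str or None, "hooks": [str]}} for every hook line."""
    owners = defaultdict(lambda: {"info": None, "hooks": []})

    def add(module, info, hook):
        rec = owners[module]
        rec["info"] = rec["info"] or info
        rec["hooks"].append(hook)

    for line in text.splitlines():
        line = line.strip()
        m = TABLE_RE.match(line)
        if m:
            add(m.group("module"), m.group("info"), f'{m.group("kind")} {m.group("func")}')
            continue
        m = DEVICE_RE.match(line)
        if m:
            add(m.group("module"), m.group("info"), f'AttachedDevice {m.group("device")}')
            continue
        m = INLINE_RE.match(line)
        if m:
            add(m.group("module") or UNRESOLVED, m.group("info"),
                f'{m.group("section")} {m.group("target")} {m.group("patch")}')
    return dict(owners)


def triage(text):
    """Return [(status, module, hook count, info)], most suspicious owners first."""
    rows = []
    for module, rec in parse_gmer(text).items():
        status = classify(None if module == UNRESOLVED else module, rec["info"])
        rows.append((status, module, len(rec["hooks"]), rec["info"]))
    rows.sort(key=lambda r: (ORDER[r[0]], r[1]))
    return rows


# Constructed sample: copied from the thread's logs, plus two invented lines
# (the Temp-directory owner and the unattributed JMP) to show what a hit looks like.
SAMPLE_GMER = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 22:02:09
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPER\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xACB700B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xACAB278A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
SSDT \??\C:\Documents and Settings\user\Local Settings\Temp\sample.sys ZwEnumerateKey [0x8A000100]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP ACAB27B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryDirectoryFile 80570000 5 Bytes JMP 8A000000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for status, module, count, info in triage(SAMPLE_GMER):
        print(f"{status:20} {count:3} hook(s)  {module}  ({info or 'no version info'})")
```

Run against the full log from the next post, every hook collapses to one "attributed" row for mfehidk.sys with a few dozen hooks and one for SASKUTIL.sys, which is the shape a host intrusion prevention driver produces and the reason the helper in this thread does not treat those entries as findings. The grouping matters more than the raw line count: thirty hooks from one driver with McAfee's version information is one thing to verify, while a single JMP with no owner is the line to chase.

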
#8 Mvet


Posted 14 January 2010 - 12:12 AM

Hi,

The computer still runs slow. The desktop takes a long time to change the icons from default icons to the picture-type icons, for example, or opening a folder takes a while to populate.

I ran gmer again in normal mode as directed and saved the file as it was scanning. All of the entries came up in the first few minutes then the scan continued to scan all the files.

After about an hour of scanning files the BSOD came up again with the same application error; it said an application failed to initialize.

Here is the log I was able to capture before the BSOD.

****************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 22:02:09
Windows 5.1.2600 Service Pack 3
Running: 9h8s8roh.exe; Driver: C:\DOCUME~1\Papa\LOCALS~1\Temp\uxliyuow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPER\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xACB700B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xACAB278A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xACAB2821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xACAB2738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xACAB274C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xACAB2835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xACAB2861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xACAB28CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xACAB28B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xACAB27CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xACAB28FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xACAB280D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xACAB2710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xACAB2724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xACAB279E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xACAB2937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xACAB28A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xACAB288D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xACAB284B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xACAB2923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xACAB290F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xACAB2776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xACAB2762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xACAB2877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xACAB27F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xACAB28E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xACAB27E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xACAB27B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP ACAB27B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP ACAB278E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP ACAB27CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP ACAB27E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP ACAB27A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1324 5 Bytes JMP ACAB2714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15B0 5 Bytes JMP ACAB2728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE2 5 Bytes JMP ACAB2766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP ACAB2750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP ACAB273C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B8 5 Bytes JMP ACAB277A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP ACAB27FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 8061856A 7 Bytes JMP ACAB2891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B8 7 Bytes JMP ACAB287B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE2 7 Bytes JMP ACAB28E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619480 7 Bytes JMP ACAB28A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D54 7 Bytes JMP ACAB284F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 5 Bytes JMP ACAB2825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C2 7 Bytes JMP ACAB2839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A992 7 Bytes JMP ACAB2865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB72 7 Bytes JMP ACAB28D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADDC 7 Bytes JMP ACAB28BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 5 Bytes JMP ACAB2811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA2A 7 Bytes JMP ACAB293B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCEA 5 Bytes JMP ACAB2913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3DE 5 Bytes JMP ACAB2927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4F8 5 Bytes JMP ACAB28FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8F66000, 0x1B601E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F5C
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F6D
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0051
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0040
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0014
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F2D
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0073
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0090
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0EF7
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0EDC
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA002F
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA0062
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0FB2
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FCD
.text C:\WINDOWS\system32\svchost.exe[412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F12
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90065
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C9002F
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP C89FEDE5
.text C:\WINDOWS\system32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80F9C
.text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80FB7
.text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80FC8
.text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80027
.text C:\WINDOWS\system32\svchost.exe[412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070067
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700BA
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007009D
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F3C
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700DF
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070082
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F4D
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060062
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA6
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB7
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050016
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80F79
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80064
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80053
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D800A6
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80089
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800F0
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D80F4D
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80F3C
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80F9E
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80F5E
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80FC0
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80011
.text C:\WINDOWS\system32\lsass.exe[548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D800C1
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D7004E
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D7003D
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D70022
.text C:\WINDOWS\system32\lsass.exe[548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60036
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60FAB
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60FE3
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\lsass.exe[548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60FD2
.text C:\WINDOWS\system32\lsass.exe[548] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90056
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90F61
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90F72
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90F83
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90FAF
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900A9
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A90098
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A90F21
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A90F46
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A90F10
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A90F9E
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A9007B
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A9001B
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A90FCA
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A900BA
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A80047
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A80FC0
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A80036
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A80073
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A80FD1
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 88]
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A80058
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A7005F
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70044
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70029
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A7000C
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F99
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE008E
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE007D
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE006C
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE003D
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00A9
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F6D
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00DF
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00C4
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F2B
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F88
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F46
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F8A
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0F9C
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FB7
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FC8
.text C:\WINDOWS\system32\svchost.exe[804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC001D
.text C:\WINDOWS\system32\svchost.exe[804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D50FE5
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D50051
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D50F5C
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D50F77
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D50036
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D50025
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D5009A
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D50089
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D50F1C
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D500B5
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D50F0B
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D50F94
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D50FD4
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D5006C
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D5000A
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D50FB9
.text C:\WINDOWS\System32\svchost.exe[840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D50F2D
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D40FD4
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D4007D
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D40025
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D40014
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D40062
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D40FEF
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02D40051
.text C:\WINDOWS\System32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D40040
.text C:\WINDOWS\System32\svchost.exe[840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02950038
.text C:\WINDOWS\System32\svchost.exe[840] msvcrt.dll!system 77C293C7 5 Bytes JMP 02950027
.text C:\WINDOWS\System32\svchost.exe[840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0295000C
.text C:\WINDOWS\System32\svchost.exe[840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02950FEF
.text C:\WINDOWS\System32\svchost.exe[840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02950FB7
.text C:\WINDOWS\System32\svchost.exe[840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02950FD2
.text C:\WINDOWS\System32\svchost.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02940000
.text C:\WINDOWS\System32\svchost.exe[840] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02930000
.text C:\WINDOWS\System32\svchost.exe[840] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02930025
.text C:\WINDOWS\System32\svchost.exe[840] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02930036
.text C:\WINDOWS\System32\svchost.exe[840] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02930FE5
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007800A4
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780093
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780078
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780FAF
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780FCA
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007800ED
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007800D0
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780119
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F80
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780F5B
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780051
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007800BF
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780011
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00780108
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770036
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770087
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FE5
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770FCA
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0077006C
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770051
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0076005F
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 0076004E
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760FDE
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760033
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760018
.text C:\WINDOWS\system32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B500AE
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50093
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50076
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B5004A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B500DF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50F97
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50101
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B500F0
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B50112
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B5005B
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B5002F
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B50F72
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B40FAF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B40F72
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B40F8D
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B40F9E
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D4, 88] {AAM 0x88}
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B30025
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30F90
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30FC6
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30FAB
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B30FD7
.text C:\WINDOWS\system32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F6D
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90062
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F88
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90051
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F2E
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F4B
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900A5
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F0C
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90EF1
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F5C
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90F1D
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F97
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093004A
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F9A
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FAB
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FCD
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012D000A
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012D00B6
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012D009B
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012D008A
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012D0FCD
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012D0065
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012D0FA6
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012D00E2
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012D0F70
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012D0F8B
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012D0124
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012D0FDE
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012D00D1
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012D0040
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012D002F
.text C:\WINDOWS\Explorer.EXE[2112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012D0109
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012C002C
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012C0062
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012C0FD1
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012C0011
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012C0FAF
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012C0000
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 012C0051
.text C:\WINDOWS\Explorer.EXE[2112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012C0FC0
.text C:\WINDOWS\Explorer.EXE[2112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012B0055
.text C:\WINDOWS\Explorer.EXE[2112] msvcrt.dll!system 77C293C7 5 Bytes JMP 012B003A
.text C:\WINDOWS\Explorer.EXE[2112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012B0018
.text C:\WINDOWS\Explorer.EXE[2112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012B0FEF
.text C:\WINDOWS\Explorer.EXE[2112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012B0029
.text C:\WINDOWS\Explorer.EXE[2112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012B0FDE
.text C:\WINDOWS\Explorer.EXE[2112] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C20000
.text C:\WINDOWS\Explorer.EXE[2112] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\Explorer.EXE[2112] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\Explorer.EXE[2112] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C20FAF
.text C:\WINDOWS\Explorer.EXE[2112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01860FE5
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0FB2
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B009D
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0076
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B004A
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F69
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F84
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F47
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00E0
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0105
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0FA1
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F58
.text C:\WINDOWS\system32\wuauclt.exe[2952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A004C
.text C:\WINDOWS\system32\wuauclt.exe[2952] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\system32\wuauclt.exe[2952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\wuauclt.exe[2952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\system32\wuauclt.exe[2952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B004A
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0025
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00B5
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A008E
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FD1
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0058
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00E8
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00D7
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F56
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00F9
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F45
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0069
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A00C6
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0022
.text C:\WINDOWS\System32\svchost.exe[3508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F7B
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290062
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029001B
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F9B
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290047
.text C:\WINDOWS\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029002C
.text C:\WINDOWS\System32\svchost.exe[3508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E003D
.text C:\WINDOWS\System32\svchost.exe[3508] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FB2
.text C:\WINDOWS\System32\svchost.exe[3508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0018
.text C:\WINDOWS\System32\svchost.exe[3508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[3508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FC3
.text C:\WINDOWS\System32\svchost.exe[3508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FDE
.text C:\WINDOWS\System32\svchost.exe[3508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Edited by Mvet, 14 January 2010 - 12:19 AM.
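The hook listing above is GMER's user-mode inline-hook format: `.text <process>[pid] <module>!<API> <address> <n> Bytes JMP <target>`, followed by a file and vendor only when GMER could map the JMP target back to a module on disk (the mcproxy.exe lines), and occasionally split over two lines when the 5-byte patch is reported in pieces (the `RegCreateKeyW + 3 ... [4B, 88]` pair). As an added example, not part of the original post and not GMER's own tooling, the following Python parses those lines, groups each process's hooks by the 64 KiB allocation the JMP lands in, and lists the allocations GMER did not attribute to a file. Those unattributed regions are the first thing to cross-check against the installed security product (McAfee VirusScan and Personal Firewall here), because HIPS/AV products inject exactly this kind of hook into every process; the helper in this thread judged the logs clean. The sample lines are copied from the log above; the 64 KiB region grouping (`REGION_MASK`) and the function names are my own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: six of the user-mode hook lines from the GMER output posted
# above, covering a plain JMP hook, a hook GMER attributed to a file on disk, and
# a 5-byte hook that GMER reported split across two lines ("+ 3 ... [4B, 88]").
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90EF1
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
"""

# .text <proc>[<pid>] <module>!<api>[ + <off>] <addr> <n> Bytes (JMP <target> | [<bytes>]) [<file> (<desc>/<vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+?)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])"
    r"(?:\s+(?P<attrib>.+?))?\s*$"
)

# Assumption: group JMP targets by 64 KiB (Win32 allocation granularity) so all the
# trampolines inside one injected allocation (00B90EF1, 00B90036, ...) become one region.
REGION_MASK = ~0xFFFF


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    func: str
    offset: int                 # byte offset into the API; 0 for the hook start
    addr: int                   # address of the patched bytes
    nbytes: int
    target: Optional[int]       # JMP destination; None for a raw-byte remainder line
    raw_bytes: Optional[str]    # e.g. "4B, 88" for the remainder of a split hook
    attribution: Optional[str]  # file/vendor GMER resolved the target to, if any

    @property
    def region(self) -> Optional[int]:
        return None if self.target is None else self.target & REGION_MASK


def parse_gmer_hooks(text: str) -> Tuple[List[Hook], List[str]]:
    """Parse GMER user-mode hook lines; return (hooks, lines that did not parse)."""
    hooks: List[Hook] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(".text"):
            continue  # blanks, section headers, AttachedDevice lines
        m = HOOK_RE.match(line)
        if m is None:
            unparsed.append(line)  # e.g. kernel-mode ".text ntkrnlpa.exe!..." entries
            continue
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]),
            module=m["module"], func=m["func"], offset=int(m["off"] or 0),
            addr=int(m["addr"], 16), nbytes=int(m["nbytes"]),
            target=int(m["target"], 16) if m["target"] else None,
            raw_bytes=m["raw"], attribution=m["attrib"],
        ))
    return hooks, unparsed


def summarize_by_region(hooks: List[Hook]) -> Dict[Tuple[str, int], Dict[int, dict]]:
    """Per (process, pid): each target region -> {'apis': set, 'attributed': bool}."""
    summary: Dict[Tuple[str, int], Dict[int, dict]] = defaultdict(
        lambda: defaultdict(lambda: {"apis": set(), "attributed": False}))
    for h in hooks:
        if h.target is None:
            continue  # remainder bytes of a split hook carry no destination
        entry = summary[(h.process, h.pid)][h.region]
        entry["apis"].add(f"{h.module}!{h.func}")
        if h.attribution:
            entry["attributed"] = True
    return summary


def unattributed_regions(hooks: List[Hook]) -> List[Tuple[str, int, int, Tuple[str, ...]]]:
    """Regions GMER could not map to a file on disk, with the APIs redirected into them.
    HIPS/AV products produce exactly these, so compare with the installed security
    software before treating an unattributed region as malicious."""
    out = []
    for (proc, pid), regions in summarize_by_region(hooks).items():
        for region, entry in sorted(regions.items()):
            if not entry["attributed"]:
                out.append((proc, pid, region, tuple(sorted(entry["apis"]))))
    return out


if __name__ == "__main__":
    hooks, unparsed = parse_gmer_hooks(SAMPLE_LOG)
    for proc, pid, region, apis in unattributed_regions(hooks):
        print(f"{proc}[{pid}]  region {region:08X}  {', '.join(apis)}")
```

Run against the full report rather than the sample, the output for this log would collapse the hundreds of hook lines into one line per process per injected allocation (for svchost.exe[1524]: one each for the kernel32, ADVAPI32, msvcrt, WININET and WS2_32 trampolines), which is the view a helper actually triages; any region that does not line up with the installed product's hook DLLs is what warrants a closer look.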


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • Gender:Female
  • Location:At home

Posted 14 January 2010 - 07:05 AM

Hi,

Your logs do not show signs of infection any longer.

If you want to speed up your PC, maybe try StartupLite:
Download and Run StartupLite
This program will identify and give you the option to remove unneeded startup items to free memory.
  • Download StartupLite.exe by MalwareBytes to your desktop.
  • Double click the icon to start the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • A list of unneeded startup entries will be compiled. Leave all the items as Disabled and click Continue.
  • Restart your computer.
Any improvements?
Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • Gender:Female
  • Location:At home

Posted 19 January 2010 - 01:23 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti





