
Infected by various malware. Help !! - Malware pop ups and could not open link from search engine result


This topic is locked. 17 replies to this topic

#1 oceanandmountain

Posted 07 January 2010 - 08:37 PM

Please reopen the case:

http://www.bleepingcomputer.com/forums/t/278792/infected-by-various-malware-help/


Original message, posted on December 14, 2009:

My computer is infected by malware. Earlier I got help from BleepingComputer staff under the topic "malware" and have tried to use this software to clean my infected computer, but still to no avail. The volunteer who helped me earlier asked me to use HijackThis and paste the logs on this forum.

Malwarebytes Anti-Malware (v1.41)
TFC by Old Timer
Kaspersky Virus Removal Tool
ESET Online Antivirus Scanner
Kaspersky Online Virus Scanner
Sophos Anti-rootkit
Norman Malware Cleaner

The problems are:
- When I use Internet Explorer or Mozilla, sometimes another window opens automatically that mentions Google hiring, web surveys, etc.
- When I use a search engine to find something, I cannot click the link to bring me to the shown result that I want; instead it brings me to an unfamiliar site. I have to copy and paste the web address to open it. If I click the link, sometimes it brings me to an anti-virus ad that forces me to download the software (it would not allow me to close the browser), so I have to end the whole internet session forcefully.

----------------------------------------------------------------------------------------------------------------------------------------------

LOGFILE IS ATTACHED

Logfile of random's system information tool 1.06 (written by random/random)
Run by USER1 at 2010-01-07 19:27:45
Microsoft Windows XP Professional Service Pack 3
System drive C: has 13 GB (34%) free of 38 GB
Total RAM: 1023 MB (9% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:51 PM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\USER1\Desktop\RSIT.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\USER1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Cingular Communication Manager] C:\Program Files\Cingular\Communication Manager\CingularCCM.exe -a
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\OMNIQU~1\acappaa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O9 - Extra button: Popup Slasher - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Slasher - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://pcm.mfrpc.com/dwa8W.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: welejofeb - {f9b4cf24-b70a-47ab-a7a4-297123c8e494} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14409 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\ParetoLogic Registration.job
C:\WINDOWS\tasks\ParetoLogic Update Version2.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{57B81AEA-A51F-42CB-932C-17311FE50504}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll [2009-09-19 1172280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-11-18 1082880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-10-02 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-02 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-11-04 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-12-04 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-12-04 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll [2009-09-19 158008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll [2009-09-19 1172280]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2004-10-30 385024]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-05-12 344064]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2005-12-15 839680]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2008-04-23 483328]
"Cingular Communication Manager"=C:\Program Files\Cingular\Communication Manager\CingularCCM.exe [2006-07-18 19456]
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 159744]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]
"Lexmark 1200 Series"=C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe [2006-07-12 57344]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2006-10-30 256576]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-03 111856]
"ResumeQuickupDownload"=C:\PROGRA~1\OMNIQU~1\acappaa.exe [2008-02-09 46456]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-02 185896]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-12-04 149280]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe [2009-07-07 1176808]
"tsnp2std"=C:\WINDOWS\tsnp2std.exe [2005-11-03 106496]
"snp2std"=C:\WINDOWS\vsnp2std.exe [2005-08-16 339968]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"Messenger (Yahoo!)"=C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe [2009-11-10 5244216]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-03 111856]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-18 21633320]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-03 111856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Wireless Configuration Utility.lnk - C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-05-12 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2004-09-07 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-08-24 133120]
welejofeb - {f9b4cf24-b70a-47ab-a7a4-297123c8e494}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau
"notification packages"=scecli
gerabuse.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE"="C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Documents and Settings\USER1\Local Settings\Temp\b.exe"="C:\Documents and Settings\USER1\Local Settings\Temp\b.exe:*:Enabled:b"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2010-01-07 19:27:45 ----D---- C:\rsit
2009-12-26 18:37:06 ----A---- C:\WINDOWS\WindowsXP-KB822603-x86.exe
2009-12-26 18:37:05 ----A---- C:\WINDOWS\tsnp2std.exe
2009-12-26 18:37:04 ----A---- C:\WINDOWS\vsnp2std.exe
2009-12-26 18:37:03 ----A---- C:\WINDOWS\snp2std.ini
2009-12-26 18:36:59 ----D---- C:\Program Files\Common Files\snp2std
2009-12-26 18:36:59 ----A---- C:\WINDOWS\usnp2std.exe
2009-12-26 18:36:59 ----A---- C:\WINDOWS\system32\vsnp2std.dll
2009-12-26 18:36:59 ----A---- C:\WINDOWS\system32\rsnp2std.dll
2009-12-26 18:36:59 ----A---- C:\WINDOWS\system32\csnp2std.dll
2009-12-18 14:36:53 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-18 14:08:31 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-14 10:11:16 ----A---- C:\RootRepeal report 12-14-09 (10-11-16).txt
2009-12-10 12:54:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-10 12:43:18 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-10 12:32:52 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-09 20:03:41 ----A---- C:\WINDOWS\system32\MRT.exe
2009-12-08 22:50:16 ----D---- C:\WINDOWS\system32\URTTEMP
2009-12-08 22:49:46 ----SHD---- C:\Config.Msi
2009-12-08 20:42:42 ----D---- C:\Program Files\Sophos
2009-12-08 10:05:58 ----D---- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2009-12-08 09:55:23 ----D---- C:\Program Files\Common Files\McAfee
2009-12-08 09:55:17 ----D---- C:\Program Files\McAfee.com
2009-12-08 09:54:58 ----D---- C:\Program Files\McAfee

======List of files/folders modified in the last 1 months======

2010-01-07 19:28:10 ----D---- C:\WINDOWS\temp
2010-01-07 19:28:09 ----D---- C:\Documents and Settings\USER1\Application Data\Skype
2010-01-07 19:27:36 ----D---- C:\WINDOWS\Prefetch
2010-01-07 18:44:15 ----A---- C:\WINDOWS\RTacDbg.txt
2010-01-07 18:31:18 ----D---- C:\Program Files\Mozilla Firefox
2010-01-07 18:18:43 ----D---- C:\Documents and Settings\USER1\Application Data\skypePM
2010-01-07 18:17:42 ----D---- C:\WINDOWS
2010-01-07 00:38:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-03 21:14:03 ----SHD---- C:\WINDOWS\CSC
2009-12-30 21:27:50 ----RHD---- C:\Documents and Settings\USER1\Application Data\yahoo!
2009-12-30 17:38:53 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-12-30 17:31:50 ----SHD---- C:\WINDOWS\Installer
2009-12-30 17:30:57 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-30 17:30:56 ----D---- C:\WINDOWS\WinSxS
2009-12-30 15:53:26 ----D---- C:\WINDOWS\system32
2009-12-29 23:09:25 ----AC---- C:\WINDOWS\lexstat.ini
2009-12-29 19:54:04 ----D---- C:\Program Files\Internet Explorer
2009-12-26 18:45:15 ----HD---- C:\WINDOWS\inf
2009-12-26 18:45:06 ----D---- C:\WINDOWS\system32\drivers
2009-12-26 18:44:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-26 18:37:25 ----A---- C:\WINDOWS\win.ini
2009-12-26 18:37:04 ----D---- C:\WINDOWS\twain_32
2009-12-26 18:36:59 ----D---- C:\Program Files\Common Files
2009-12-26 18:36:53 ----HD---- C:\Program Files\InstallShield Installation Information
2009-12-26 06:44:42 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-21 15:53:47 ----D---- C:\temp
2009-12-21 15:08:45 ----D---- C:\Insurance
2009-12-18 15:37:52 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-18 14:12:19 ----A---- C:\WINDOWS\imsins.BAK
2009-12-17 18:25:20 ----D---- C:\KKIH choir
2009-12-12 15:08:40 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-12-11 16:20:19 ----D---- C:\TCEQ
2009-12-10 13:01:05 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-09 16:28:13 ----RD---- C:\Program Files
2009-12-09 16:28:09 ----D---- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2009-12-09 15:52:31 ----D---- C:\Documents and Settings\USER1\Application Data\Move Networks
2009-12-08 22:50:15 ----RSD---- C:\WINDOWS\assembly
2009-12-08 20:19:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-08 12:09:41 ----D---- C:\Program Files\Common Files\AVSMedia
2009-12-08 12:09:34 ----D---- C:\Program Files\AVS4YOU
2009-12-08 10:02:19 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-08 09:56:03 ----SD---- C:\WINDOWS\Tasks
2009-12-08 09:28:40 ----D---- C:\Program Files\Omniquad Anti-Virus

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-11-04 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 tcpipBM;Bytemobile Kernel Network Provider; C:\WINDOWS\system32\drivers\tcpipBM.sys [2006-07-25 18432]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2004-08-31 11354]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-05-12 1132544]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-08-23 121472]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 GTIPCI21;GTIPCI21; C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\system32\DRIVERS\iwca.sys [2004-08-12 234496]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-11-04 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-11-04 35272]
R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-11-04 34248]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-11-04 40552]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2008-04-13 163584]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 RimSerPort;RIM Virtual Serial Port; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 18432]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2005-09-21 8816128]
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-10-21 3210496]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\1B.tmp []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSIRCOMM;Microsoft IR Communications Driver; C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys [2008-04-13 22016]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NWUSBModem;Novatel Wireless USB Modem Driver; C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys [2005-04-01 65152]
S3 NWUSBPort;Novatel Wireless USB Status Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser.sys [2005-04-01 65152]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCTINDIS5.SYS []
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP); C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 27520]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP); C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 41728]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP); C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 39808]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver; C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 58240]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-19 264576]
S3 SjyPkt;SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WmaCDriverV32;WmaCDriverV32; C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-01-30 513152]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-05-12 364544]
R2 bmwebcfg;Bytemobile Web Configurator; C:\WINDOWS\system32\bmwebcfg.exe [2006-07-25 118784]
R2 Capture Device Service;Capture Device Service; C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe [2007-03-06 198168]
R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2004-09-07 86016]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-04 153376]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2006-04-17 311296]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-10-29 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-04 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-10-02 26640]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [2005-12-15 380928]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 NwSapAgent;SAP Agent; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2004-09-07 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2004-09-07 360521]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 WLANKEEPER;WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2004-09-07 225353]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
R3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-10-28 365072]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-04 606736]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-08-10 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 14 January 2010 - 02:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Please tell me if you wish to continue in this topic or have the other one reopened.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#3 oceanandmountain

oceanandmountain
  • Topic Starter

  • Members
  • 42 posts

Posted 16 January 2010 - 05:29 PM

Hi there,

Thanks for the reply.
The problems I have are several:
- the computer runs slowly
- I cannot go into safe mode after turning off my computer
- When I search for something using a search engine, I cannot click the link to go to the http address I want; it directs me to an unfamiliar site instead, so I have to copy the address of the link, open a new tab and paste the address

These are the logfiles:

OTL logfile created on: 1/16/2010 4:11:37 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\USER1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 201.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.18 Gb Total Space | 12.49 Gb Free Space | 33.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: USER1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/16 16:11:08 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER1\Desktop\OTL.exe
PRC - [2010/01/12 09:54:51 | 00,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/12/04 06:38:51 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/04 06:38:51 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/10 15:39:26 | 05,244,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/03 07:15:18 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/18 16:31:04 | 21,633,320 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2008/11/18 16:31:04 | 00,076,744 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
PRC - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/09/02 15:10:47 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/04/23 01:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/10 06:43:00 | 00,634,880 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
PRC - [2007/03/06 10:35:02 | 00,198,168 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
PRC - [2006/10/30 09:36:36 | 00,256,576 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2006/10/25 18:58:18 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2006/07/25 13:54:48 | 00,118,784 | ---- | M] (Bytemobile, Inc.) -- C:\WINDOWS\system32\bmwebcfg.exe
PRC - [2006/07/12 23:33:14 | 00,053,248 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
PRC - [2006/07/12 23:22:50 | 00,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
PRC - [2006/04/17 11:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2006/04/17 11:41:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2005/12/15 09:44:52 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
PRC - [2005/12/15 09:44:40 | 00,839,680 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2005/11/03 10:12:44 | 00,106,496 | ---- | M] () -- C:\WINDOWS\tsnp2std.exe
PRC - [2005/08/16 21:54:10 | 00,339,968 | ---- | M] (Sonix) -- C:\WINDOWS\vsnp2std.exe
PRC - [2005/05/12 20:43:50 | 00,364,544 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/05/12 20:00:00 | 00,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2004/10/30 13:59:54 | 00,385,024 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2004/09/07 15:12:32 | 00,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 15:08:02 | 00,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 15:05:10 | 00,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2004/09/07 15:02:40 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2004/09/07 15:02:04 | 00,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


========== Modules (SafeList) ==========

MOD - [2010/01/16 16:11:08 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER1\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/12/04 06:38:51 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/04/13 18:12:02 | 00,065,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\nwwks.dll -- (NWCWorkstation)
SRV - [2008/04/13 18:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2007/03/06 10:35:02 | 00,198,168 | ---- | M] (InterVideo Inc.) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)
SRV - [2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/08/10 18:38:51 | 00,069,632 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2006/07/25 13:54:48 | 00,118,784 | ---- | M] (Bytemobile, Inc.) [Auto | Running] -- C:\WINDOWS\System32\bmwebcfg.exe -- (bmwebcfg)
SRV - [2006/04/17 11:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2005/12/15 09:44:52 | 00,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2005/11/14 00:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/05/12 20:43:50 | 00,364,544 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2004/09/07 15:12:32 | 00,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)
SRV - [2004/09/07 15:05:10 | 00,360,521 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/09/07 15:02:40 | 00,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/09/07 15:02:04 | 00,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)


========== Driver Services (SafeList) ==========

DRV - [2009/11/04 16:54:12 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/06/20 05:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/04/13 12:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 12:34:12 | 00,163,584 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nwrdr.sys -- (NWRDR)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/19 00:40:08 | 00,264,576 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2007/04/30 18:30:14 | 00,058,240 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCWWAN.sys -- (PTDCWWAN)
DRV - [2007/04/01 04:45:30 | 00,039,808 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCVsp.sys -- (PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP)
DRV - [2007/04/01 04:45:26 | 00,041,728 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCMdm.sys -- (PTDCMdm) PANTECH PC Card Drivers (UDP)
DRV - [2007/04/01 04:45:22 | 00,027,520 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCBus.sys -- (PTDCBus) PANTECH PC Card Composite Device Driver (UDP)
DRV - [2007/01/30 14:16:08 | 00,513,152 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmaCDriverV32.sys -- (WmaCDriverV32)
DRV - [2006/09/19 15:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/07/25 13:54:54 | 00,018,432 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2006/07/25 13:54:50 | 00,017,359 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2005/09/21 13:31:50 | 08,816,128 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2sxp.sys -- (SNP2STD) USB2.0 PC Camera (SNP2STD)
DRV - [2005/08/16 12:02:54 | 00,018,432 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimSerPort)
DRV - [2005/08/12 15:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/05/31 10:46:26 | 00,087,936 | R--- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2005/05/12 20:46:20 | 01,132,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/04/01 17:59:00 | 00,065,152 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2005/04/01 17:59:00 | 00,065,152 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2005/03/21 19:48:30 | 00,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6)
DRV - [2005/03/10 15:56:06 | 00,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 14:56:04 | 03,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/08/31 07:53:04 | 00,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 13:49:30 | 00,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 07:44:04 | 00,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 06:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 06:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/04 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 06:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2002/10/03 00:57:12 | 00,013,532 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)
DRV - [2001/08/22 07:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 11:10:28 | 00,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\S-1-5-21-1614895754-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/02 15:11:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/26 08:38:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/12 09:55:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/12 09:55:02 | 00,000,000 | ---D | M]

[2009/05/06 21:13:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\USER1\Application Data\Mozilla\Extensions
[2010/01/15 08:25:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions
[2009/12/04 10:29:36 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/01 13:54:42 | 00,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/01/12 19:09:25 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/12/09 23:11:23 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Cingular Communication Manager] C:\Program Files\Cingular\Communication Manager\CingularCCM.exe (Cingular Wireless)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [ResumeQuickupDownload] C:\Program Files\Omniquad Anti-Virus\acappaa.exe (Quick Heal Technologies (P) Ltd.)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe (Sony Ericsson Mobile Communications AB)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe ()
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O9 - Extra Button: Popup Slasher - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Popup Slasher - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - Reg Error: Key error. File not found
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Reg Error: Key error. File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O15 - HKLM\..Trusted Domains: 40 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 40 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 40 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1614895754-1425521274-839522115-1003\..Trusted Domains: 45 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} http://pcm.mfrpc.com/dwa8W.cab (Domino Web Access 8 Control)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O21 - SSODL: welejofeb - {f9b4cf24-b70a-47ab-a7a4-297123c8e494} - CLSID or File not found.
O24 - Desktop WallPaper: E:\jesus-crowd.jpg
O24 - Desktop BackupWallPaper: C:\Documents and Settings\USER1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/22 13:57:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{25c5c665-d1e7-11de-9b0c-00166f7397e0}\Shell\AutoRun\command - "" = E:\e9naq.exe -- File not found
O33 - MountPoints2\{25c5c665-d1e7-11de-9b0c-00166f7397e0}\Shell\open\Command - "" = E:\e9naq.exe -- File not found
O33 - MountPoints2\{c21e7a06-859f-11dc-99d4-00166f7397e0}\Shell - "" = AutoRun
O33 - MountPoints2\{c21e7a06-859f-11dc-99d4-00166f7397e0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fc4636c2-826b-11dc-99d3-00166f7397e0}\Shell - "" = AutoRun
O33 - MountPoints2\{fc4636c2-826b-11dc-99d3-00166f7397e0}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/16 16:10:59 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\USER1\Desktop\OTL.exe
[2010/01/07 19:27:45 | 00,000,000 | ---D | C] -- C:\rsit
[2009/12/30 15:44:59 | 00,417,592 | ---- | C] (Yahoo! Inc.) -- C:\Documents and Settings\USER1\Desktop\msgr10us.exe
[2009/12/26 18:37:06 | 00,349,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\WindowsXP-KB822603-x86.exe
[2009/12/26 18:37:04 | 00,339,968 | ---- | C] (Sonix) -- C:\WINDOWS\vsnp2std.exe
[2009/12/26 18:37:03 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sncamd.sys
[2009/12/26 18:36:59 | 00,073,728 | ---- | C] (Sonix) -- C:\WINDOWS\System32\vsnp2std.dll
[2009/12/26 18:36:59 | 00,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2std.dll
[2009/12/26 18:36:59 | 00,045,056 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll
[2009/12/26 18:36:59 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\snp2std
[2009/12/26 17:53:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\USER1\My Documents\ATT
[2009/12/23 14:42:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/05/14 20:18:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/03/31 20:45:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/03/30 07:33:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/06/12 08:17:02 | 05,592,008 | ---- | C] (ParetoLogic Inc. ) -- C:\Program Files\Pareto_PC_Setup2.exe
[2007/01/03 01:25:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2007/01/03 01:25:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2006/08/06 06:16:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2006/06/22 14:01:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/06/22 13:57:45 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[5 C:\Documents and Settings\USER1\My Documents\*.tmp files -> C:\Documents and Settings\USER1\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/16 16:16:58 | 00,006,001 | ---- | M] () -- C:\Documents and Settings\USER1\Desktop\sean.jpeg
[2010/01/16 16:11:08 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER1\Desktop\OTL.exe
[2010/01/16 09:36:59 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{57B81AEA-A51F-42CB-932C-17311FE50504}.job
[2010/01/16 04:11:23 | 00,021,364 | ---- | M] () -- C:\Documents and Settings\USER1\My Documents\ISACA - CISA Renewal.pdf
[2010/01/16 03:55:23 | 00,000,442 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/01/16 00:33:03 | 00,000,416 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job
[2010/01/15 16:30:01 | 00,012,349 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/15 08:15:51 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/01/15 08:13:44 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/15 01:00:00 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/01/14 21:48:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/14 21:48:07 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/14 21:48:03 | 10,731,43808 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/14 21:47:05 | 08,912,896 | -H-- | M] () -- C:\Documents and Settings\USER1\NTUSER.DAT
[2010/01/14 21:46:21 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\USER1\ntuser.ini
[2010/01/14 21:12:33 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/13 21:16:59 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/10 16:04:51 | 00,000,714 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2010/01/07 19:26:01 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\USER1\Desktop\RSIT.exe
[2010/01/07 18:57:28 | 00,036,009 | ---- | M] () -- C:\Documents and Settings\USER1\Desktop\untitled.jpg
[2010/01/05 14:54:15 | 04,097,279 | ---- | M] () -- C:\Documents and Settings\USER1\Desktop\DSC_0010.JPG
[2010/01/04 21:34:29 | 00,053,751 | ---- | M] () -- C:\Documents and Settings\USER1\My Documents\Southwest Airlines - Lusi - 25 Jan 09 - 320PM.pdf
[2010/01/01 01:00:01 | 00,000,318 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/30 17:34:23 | 00,000,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/12/30 15:45:17 | 00,417,592 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\USER1\Desktop\msgr10us.exe
[2009/12/26 18:37:25 | 00,000,749 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/22 13:57:50 | 04,825,700 | -H-- | M] () -- C:\Documents and Settings\USER1\Local Settings\Application Data\IconCache.db
[2009/12/18 15:37:53 | 00,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/18 15:37:53 | 00,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/18 15:37:52 | 00,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/17 18:34:33 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\USER1\Desktop\Bricks qty.xls
[5 C:\Documents and Settings\USER1\My Documents\*.tmp files -> C:\Documents and Settings\USER1\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/16 16:16:50 | 00,006,001 | ---- | C] () -- C:\Documents and Settings\USER1\Desktop\sean.jpeg
[2010/01/16 04:11:23 | 00,021,364 | ---- | C] () -- C:\Documents and Settings\USER1\My Documents\ISACA - CISA Renewal.pdf
[2010/01/13 21:16:59 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/07 19:26:00 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\USER1\Desktop\RSIT.exe
[2010/01/07 18:57:25 | 00,036,009 | ---- | C] () -- C:\Documents and Settings\USER1\Desktop\untitled.jpg
[2010/01/05 14:53:41 | 04,097,279 | ---- | C] () -- C:\Documents and Settings\USER1\Desktop\DSC_0010.JPG
[2010/01/04 21:34:29 | 00,053,751 | ---- | C] () -- C:\Documents and Settings\USER1\My Documents\Southwest Airlines - Lusi - 25 Jan 09 - 320PM.pdf
[2009/12/30 17:34:23 | 00,000,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/12/26 18:37:05 | 00,106,496 | ---- | C] () -- C:\WINDOWS\tsnp2std.exe
[2009/12/26 18:37:04 | 00,013,022 | ---- | C] () -- C:\WINDOWS\snp2std.src
[2009/12/26 18:37:03 | 00,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2009/12/26 18:37:00 | 08,816,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2009/12/26 18:36:59 | 00,020,480 | ---- | C] () -- C:\WINDOWS\usnp2std.exe
[2009/12/17 18:34:33 | 00,013,824 | ---- | C] () -- C:\Documents and Settings\USER1\Desktop\Bricks qty.xls
[2009/11/26 10:05:24 | 00,001,337 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/05/14 20:17:29 | 00,006,929 | ---- | C] () -- C:\Documents and Settings\USER1\Application Data\PrimoPDFSet.xml
[2009/05/13 21:33:34 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/12/11 21:31:54 | 00,000,198 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/07/21 00:34:55 | 00,000,389 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/09/16 06:51:47 | 00,000,000 | ---- | C] () -- C:\WINDOWS\sensor.INI
[2007/04/14 21:25:34 | 00,000,306 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2007/04/14 21:13:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2006/12/15 20:04:56 | 00,000,185 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/12/15 20:04:53 | 00,000,714 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/12/15 20:04:24 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2006/12/15 20:03:44 | 00,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2006/10/13 12:01:30 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/10/13 12:01:30 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/10/13 12:01:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/10/13 12:01:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
[2006/10/13 11:59:08 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2006/10/13 11:59:08 | 00,000,340 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2006/10/04 21:54:43 | 00,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2006/09/25 12:57:23 | 00,000,004 | ---- | C] () -- C:\WINDOWS\todo.sys
[2006/09/01 23:24:21 | 00,016,384 | ---- | C] () -- C:\Documents and Settings\USER1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/12 23:13:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/23 10:12:13 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/06/22 14:24:51 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2004/08/12 07:44:10 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


OTL Extras logfile created on: 1/16/2010 4:11:37 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\USER1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 201.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.18 Gb Total Space | 12.49 Gb Free Space | 33.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: USER1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE" = C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Documents and Settings\USER1\Local Settings\Temp\b.exe" = C:\Documents and Settings\USER1\Local Settings\Temp\b.exe:*:Enabled:b -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:explorer -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{356407C3-DFE0-404B-BF30-20941B7D5265}" = IDEA 8.0
"{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}" = Windows Live Outlook Toolbar (Windows Live Toolbar)
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47FBF7F9-FBD3-43EF-823B-7684D56C1962}" = Tabbed Browsing (Windows Live Toolbar)
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}" = InterVideo DeviceService
"{53B2CFE9-A508-4457-B2CA-5D253536BFB7}" = OneCare Advisor (Windows Live Toolbar)
"{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}" = Form Fill (Windows Live Toolbar)
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{66A7A386-6F35-41A7-A731-101F0C0153C8}" = Popup Blocker (Windows Live Toolbar)
"{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{75438C0E-9925-412E-AD85-D0E71C6CE2ED}" = USB2.0 PC Camera (SN9C201&202)
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PUBLISHERR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PUBLISHERR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PUBLISHERR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PUBLISHERR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PUBLISHERR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PUBLISHERR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91120000-0019-0000-0000-0000000FF1CE}" = Microsoft Office Publisher 2007
"{91120000-0019-0000-0000-0000000FF1CE}_PUBLISHERR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0019-0000-0000-0000000FF1CE}_PUBLISHERR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97D5EEB1-0CF3-4250-AB89-E3FB7BF2D9E0}" = Cingular Communication Manager
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4526249-944F-4108-B686-A435B4A62BA5}" = TI_Inst
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43421C0-0DCB-4F26-8A3B-BF16155F9879}" = TRENDnet TEW-424UB Wireless USB 2.0 Adapter Driver and Utility
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D21635EA-7A89-4881-86A9-0C1DCBCD1317}" = Sony Ericsson PC Suite 1.20.237
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DB6F07FF-A436-453a-B685-F6C1F4F09D22}" = PANTECH PC Card Software
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1BA3CD5-89DC-4273-8603-A75F33E9B335}" = Nokia Connectivity Adapter Cable DKU-5
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"iLuminaPT" = iLumina Gold Parents & Teachers Edition
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{A4526249-944F-4108-B686-A435B4A62BA5}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"InstallShield_{C43421C0-0DCB-4F26-8A3B-BF16155F9879}" = TRENDnet TEW-424UB Wireless USB 2.0 Adapter Driver and Utility
"Lexmark 1200 Series" = Lexmark 1200 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"MSC" = McAfee SecurityCenter
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"oggcodecs" = oggcodecs 0.71.0946
"ProInst" = Intel® PROSet/Wireless Software
"PUBLISHERR" = Microsoft Office Publisher 2007 Trial
"QuickTime DirectShow Filter for WMP" = QuickTime DirectShow Filter for WMP
"RealPlayer 6.0" = RealPlayer
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"ST6UNST #1" = Expert System Builder 4.3
"Where in the USA is Carmen Sandiego?" = Where in the USA is Carmen Sandiego?
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Customizations" = Yahoo! Browser Services
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1614895754-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/30/2009 6:00:49 PM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/30/2009 6:25:05 PM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3623, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/3/2010 11:21:27 PM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 10.0.0.1102, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/3/2010 11:21:28 PM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 10.0.0.1102, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/5/2010 5:28:49 PM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/7/2010 8:16:23 PM | Computer Name = DELL | Source = Application Error | ID = 1004
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
ole32.dll, version 5.1.2600.5512, fault address 0x00120f2f.

Error - 1/9/2010 12:52:13 AM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/10/2010 5:33:05 PM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/12/2010 1:03:24 AM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 10.0.0.3646, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/12/2010 11:50:52 AM | Computer Name = DELL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/16/2010 9:29:04 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:30:00 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:30:37 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:46:31 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:46:38 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:46:45 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:47:58 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:48:08 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:49:01 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 9:49:46 AM | Computer Name = DELL | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.


< End of report >


#4 myrti

  • Malware Study Hall Admin

Posted 16 January 2010 - 05:51 PM

Hi,

Please try to run GMER next:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

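For anyone working through a saved gmer.log rather than eyeballing it, here is an added example (my own code, not part of this thread and not GMER's): it parses the SSDT, kernel and user-mode hook lines and groups them by the module GMER attributes each hook to. Hooks that belong to an installed security product (here McAfee's mfehidk.sys, as the log above shows) are expected; the lines that deserve a closer look are hooks with no module attributed and a driver whose entry point sits outside a code section. The function names, the `Hook` record and the sample excerpt are my own constructions, modelled on the log posted in this thread.

```python
"""Triage a saved GMER rootkit-scan log (added example, not GMER's own code)."""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Section headings such as "---- Kernel code sections - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# SSDT entries: Code <module> (<description>) <function> [<address>]
SSDT_RE = re.compile(
    r"^Code (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>\w+)"
    r"(?: \[(?P<addr>0x[0-9A-Fa-f]+)\])?$"
)
# Inline hooks, kernel or user mode:
# <sect> [<process>[pid]] <image>!<func> <addr> <n> Bytes JMP <dest> [<module> (<desc>)]
INLINE_RE = re.compile(
    r"^(?P<sect>\S+) (?:(?P<process>.+?\[\d+\]) )?(?P<target>\S+![\w@]+) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes (?P<kind>JMP|CALL) (?P<dest>[0-9A-Fa-f]{8})"
    r"(?: (?P<module>\S+))?(?: \((?P<desc>[^)]*)\))?$"
)
# A driver whose entry point lies in a non-code section:
# <sect> <path> entry point in "<sect>" section [<address>]
ENTRY_RE = re.compile(
    r'^(?P<sect>\S+) (?P<path>\S+) entry point in "(?P<where>[^"]+)" section'
    r" \[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)


@dataclass
class Hook:
    section: str            # GMER section heading the line appeared under
    kind: str               # "ssdt", "inline" or "entrypoint"
    target: str             # hooked function, or the patched driver's path
    module: Optional[str]   # module GMER attributes the hook to, if any
    desc: str               # vendor string GMER prints in parentheses
    process: Optional[str]  # "<path>[pid]" for user-mode hooks
    detail: str             # e.g. "JMP 00BF0000" or 'entry point in ".rsrc" section'


def parse_gmer_log(text: str) -> List[Hook]:
    """Return one Hook per SSDT, inline-hook or entry-point line in the log."""
    hooks: List[Hook] = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = SSDT_RE.match(line)
        if m:
            hooks.append(Hook(section, "ssdt", m["func"], m["module"], m["desc"], None, ""))
            continue
        m = INLINE_RE.match(line)
        if m:
            hooks.append(Hook(section, "inline", m["target"], m["module"], m["desc"] or "",
                              m["process"], f"{m['kind']} {m['dest']}"))
            continue
        m = ENTRY_RE.match(line)
        if m:
            hooks.append(Hook(section, "entrypoint", m["path"], None, "", None,
                              f'entry point in "{m["where"]}" section'))
    return hooks


def triage(text: str) -> dict:
    """Group hooks by attributed module and list the lines that need a human."""
    hooks = parse_gmer_log(text)
    by_module = Counter(h.module or "<no module attributed>"
                        for h in hooks if h.kind != "entrypoint")
    findings = []
    for h in hooks:
        if h.kind == "entrypoint":
            findings.append(f"{h.target}: {h.detail}, not a code section; examine this driver")
        elif h.module is None:
            owner = f"{h.process} " if h.process else ""
            findings.append(f"{owner}{h.target}: {h.detail} into memory GMER attributes to no module")
    return {"hooks": len(hooks), "by_module": dict(by_module), "findings": findings}


# Constructed excerpt modelled on the GMER log posted in this thread.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF02FB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP F02FB7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP F02FB78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73DC7A4]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FE5
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The per-module counts are a sorting aid only: a hook landing in a security vendor's driver is not a finding, while the unattributed and entry-point lines are the ones to compare against a clean copy of the driver.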


#5 oceanandmountain


Posted 17 January 2010 - 08:10 PM

Hi there,

This is the gmer log. Kindly advise me what to do next.
Thanks for your help.



#6 oceanandmountain


Posted 17 January 2010 - 08:12 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 19:08:46
Windows 5.1.2600 Service Pack 3
Running: mkv2rdyr.exe; Driver: C:\DOCUME~1\USER1\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF02FB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF02FB821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF02FB738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF02FB74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF02FB835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF02FB861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF02FB8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF02FB8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF02FB7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF02FB8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF02FB80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF02FB710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF02FB724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF02FB79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF02FB937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF02FB8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF02FB88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF02FB84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF02FB923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF02FB90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF02FB776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF02FB762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF02FB877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF02FB7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF02FB8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF02FB7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF02FB7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP F02FB7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP F02FB78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP F02FB7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP F02FB7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP F02FB7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1324 5 Bytes JMP F02FB714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15B0 5 Bytes JMP F02FB728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE2 5 Bytes JMP F02FB766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP F02FB750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP F02FB73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B8 5 Bytes JMP F02FB77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP F02FB7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 8061856A 7 Bytes JMP F02FB891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B8 7 Bytes JMP F02FB87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE2 7 Bytes JMP F02FB8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619480 7 Bytes JMP F02FB8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D54 7 Bytes JMP F02FB84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 5 Bytes JMP F02FB825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C2 7 Bytes JMP F02FB839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A992 7 Bytes JMP F02FB865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB72 7 Bytes JMP F02FB8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADDC 7 Bytes JMP F02FB8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 5 Bytes JMP F02FB811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA2A 7 Bytes JMP F02FB93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCEA 5 Bytes JMP F02FB913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3DE 5 Bytes JMP F02FB927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4F8 5 Bytes JMP F02FB8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73DC7A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF006C
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0091
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F3F
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00AC
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F13
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0EF8
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0F8D
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F5C
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F24
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE006C
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0047
.text C:\WINDOWS\system32\svchost.exe[148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\svchost.exe[148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0042
.text C:\WINDOWS\system32\svchost.exe[148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FB7
.text C:\WINDOWS\system32\svchost.exe[148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0027
.text C:\WINDOWS\system32\svchost.exe[148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FD2
.text C:\WINDOWS\system32\svchost.exe[148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\svchost.exe[148] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[148] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[148] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\svchost.exe[148] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BB0014
.text C:\WINDOWS\system32\svchost.exe[148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D006C
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0F81
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D005B
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D004A
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D002F
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F5C
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00AE
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00DA
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F4B
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F30
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F9E
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FD4
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0087
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0014
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FC3
.text C:\Program Files\Messenger\msmsgs.exe[172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D00C9
.text C:\Program Files\Messenger\msmsgs.exe[172] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0047
.text C:\Program Files\Messenger\msmsgs.exe[172] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FBC
.text C:\Program Files\Messenger\msmsgs.exe[172] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FD7
.text C:\Program Files\Messenger\msmsgs.exe[172] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\Program Files\Messenger\msmsgs.exe[172] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C002C
.text C:\Program Files\Messenger\msmsgs.exe[172] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0011
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FE5
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0076
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D002C
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D001B
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0FAF
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D000A
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0FC0
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\Program Files\Messenger\msmsgs.exe[172] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0047
.text C:\Program Files\Messenger\msmsgs.exe[172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002E000A
.text C:\Program Files\Messenger\msmsgs.exe[172] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002F0FEF
.text C:\Program Files\Messenger\msmsgs.exe[172] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002F0FDE
.text C:\Program Files\Messenger\msmsgs.exe[172] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002F0FC3
.text C:\Program Files\Messenger\msmsgs.exe[172] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002F0FB2
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F6F
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0064
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0053
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F8A
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FAF
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00AB
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE009A
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F23
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F3E
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0F12
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE007F
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE00BC
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FCD
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C9006F
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\svchost.exe[248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90039
.text C:\WINDOWS\system32\svchost.exe[248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80038
.text C:\WINDOWS\system32\svchost.exe[248] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80FAD
.text C:\WINDOWS\system32\svchost.exe[248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\system32\svchost.exe[248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FC8
.text C:\WINDOWS\system32\svchost.exe[248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\svchost.exe[248] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[248] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[248] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[248] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00680FE5
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00680F5C
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00680F6D
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00680F8A
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00680047
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00680FA5
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00680089
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00680F41
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00680F1C
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006800B5
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006800DA
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00680036
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00680000
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0068006C
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00680011
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00680FCA
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0068009A
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00670FC0
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00670F76
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00670FDB
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00670011
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00670F91
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00670000
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0067003D
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00670022
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660F86
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660011
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00660FBC
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00660FA1
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\svchost.exe[688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0065000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C008A
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F95
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C006F
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C005E
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00DD
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C00C2
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F7A
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0109
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F69
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FB2
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C00A5
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C002F
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00F8
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B006F
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B001B
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0FB2
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FC3
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B004A
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00400FB5
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00400036
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00400FC6
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00400FEF
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0040001B
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00400000
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00710FD4
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00710011
.text C:\WINDOWS\System32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0034
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F49
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F5A
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0F75
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0F97
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0EF3
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0045
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0060
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0EC7
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0EAC
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0F86
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F24
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\services.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0ED8
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FB4
.text C:\WINDOWS\system32\services.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FCF
.text C:\WINDOWS\system32\services.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060038
.text C:\WINDOWS\system32\services.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060049
.text C:\WINDOWS\system32\services.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006001D
.text C:\WINDOWS\system32\services.exe[1248] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1248] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1248] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[1248] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0120000A
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012000C4
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012000A9
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01200098
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0120007D
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01200062
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012000E6
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01200FAA
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01200123
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01200112
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01200F6F
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01200FDB
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0120001B
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012000D5
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01200047
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0120002C
.text C:\WINDOWS\system32\lsass.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01200101
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011F000A
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011F0036
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011F0FC3
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011F0FD4
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011F001B
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011F0FE5
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 011F0F83
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3F, 89]
.text C:\WINDOWS\system32\lsass.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011F0F9E
.text C:\WINDOWS\system32\lsass.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011E0053
.text C:\WINDOWS\system32\lsass.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 011E0038
.text C:\WINDOWS\system32\lsass.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011E001D
.text C:\WINDOWS\system32\lsass.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011E0FEF
.text C:\WINDOWS\system32\lsass.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011E0FC8
.text C:\WINDOWS\system32\lsass.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011E000C
.text C:\WINDOWS\system32\lsass.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011D0000
.text C:\WINDOWS\system32\lsass.exe[1260] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01140000
.text C:\WINDOWS\system32\lsass.exe[1260] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0114001B
.text C:\WINDOWS\system32\lsass.exe[1260] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0114002C
.text C:\WINDOWS\system32\lsass.exe[1260] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01140FDB
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025F0F70
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025F0065
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025F0054
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025F0F97
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025F002F
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025F0F27
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025F0F38
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025F00A8
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025F0F05
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025F0EF4
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025F0FA8
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025F0FDE
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025F0F55
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025F0014
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025F0FC3
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025F0F16
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00980FB2
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00980F61
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00980FCD
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00980FDE
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00980028
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00980F86
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B8, 88]
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00980F97
.text C:\WINDOWS\system32\svchost.exe[1456] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 025B000A
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00970FC1
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!system 77C293C7 5 Bytes JMP 00970FD2
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00970038
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00970FE3
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00970011
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00950FE5
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00950FCA
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00950FAF
.text C:\WINDOWS\system32\svchost.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01120FEF
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01120F46
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01120031
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01120F57
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0112000A
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01120F8D
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01120060
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01120F18
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01120EE2
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0112007B
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01120EC7
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01120F72
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01120FD4
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01120F35
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01120F9E
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01120FAF
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!WinExec 7C86250D 3 Bytes JMP 01120EF3
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!WinExec + 4 7C862511 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01110FB9
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01110047
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01110FCA
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01110FE5
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01110036
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01110F9E
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [31, 89]
.text C:\WINDOWS\system32\svchost.exe[1568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01110025
.text C:\WINDOWS\system32\svchost.exe[1568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\svchost.exe[1568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FC6
.text C:\WINDOWS\system32\svchost.exe[1568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\svchost.exe[1568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FAB
.text C:\WINDOWS\system32\svchost.exe[1568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1568] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1568] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1568] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1568] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\svchost.exe[1568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03D50FE5
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03D50F48
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03D50F59
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03D5003D
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03D5002C
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03D50FA5
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03D50073
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03D50F37
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03D5009F
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03D50F06
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03D500BA
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03D50F8A
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03D50FD4
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03D50062
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03D50011
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03D50000
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03D50084
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03D40036
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03D4007D
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03D40FE5
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03D40011
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03D40062
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03D40000
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03D40FC0
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 8B]
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03D40051
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03D30016
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!system 77C293C7 5 Bytes JMP 03D30F8B
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03D30FC1
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03D30FEF
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03D30FA6
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03D30FDE
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02560000
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02560011
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02560FDB
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0256002C
.text C:\WINDOWS\System32\svchost.exe[1720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03A90000
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0056
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0F61
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F7C
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0039
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F3F
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0087
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0F02
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F13
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0EE7
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F97
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0F50
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0014
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F24
.text C:\WINDOWS\system32\wuauclt.exe[3148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0F89
.text C:\WINDOWS\system32\wuauclt.exe[3148] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0F9A
.text C:\WINDOWS\system32\wuauclt.exe[3148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FC6
.text C:\WINDOWS\system32\wuauclt.exe[3148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[3148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FAB
.text C:\WINDOWS\system32\wuauclt.exe[3148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FD7
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D002C
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0073
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D001B
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D000A
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002D0058
.text C:\WINDOWS\system32\wuauclt.exe[3148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0047
.text C:\WINDOWS\system32\wuauclt.exe[3148] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\wuauclt.exe[3148] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00990025
.text C:\WINDOWS\system32\wuauclt.exe[3148] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00990036
.text C:\WINDOWS\system32\wuauclt.exe[3148] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00990047
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90F59
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90058
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90047
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F8A
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90022
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D9007F
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F37
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90EF0
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F01
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90ED5
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90F9B
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F48
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FB6
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90011
.text C:\WINDOWS\system32\svchost.exe[3552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90F1C
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D8001E
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D8005B
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80FCD
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D8004A
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D80FB2
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F8, 88]
.text C:\WINDOWS\system32\svchost.exe[3552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D8002F
.text C:\WINDOWS\system32\svchost.exe[3552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70FB0
.text C:\WINDOWS\system32\svchost.exe[3552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FC1
.text C:\WINDOWS\system32\svchost.exe[3552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FE3
.text C:\WINDOWS\system32\svchost.exe[3552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[3552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FD2
.text C:\WINDOWS\system32\svchost.exe[3552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D7001D
.text C:\WINDOWS\system32\svchost.exe[3552] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[3552] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\svchost.exe[3552] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[3552] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D6002F
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C00A2
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0091
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0080
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C006F
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FCD
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F77
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F88
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F52
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00EB
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00FC
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C004A
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C00B3
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0039
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0014
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00DA
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B005B
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0036
.text C:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B001B
.text C:\WINDOWS\Explorer.EXE[4060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[4060] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C004E
.text C:\WINDOWS\Explorer.EXE[4060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[4060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[4060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0029
.text C:\WINDOWS\Explorer.EXE[4060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0018
.text C:\WINDOWS\Explorer.EXE[4060] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002E0000
.text C:\WINDOWS\Explorer.EXE[4060] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002E001B
.text C:\WINDOWS\Explorer.EXE[4060] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002E0FE5
.text C:\WINDOWS\Explorer.EXE[4060] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002E0036
.text C:\WINDOWS\Explorer.EXE[4060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe[2316] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B6D62D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8709B618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

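A triage helper for GMER output like the log above, added here as an example (it is not part of the original post, nor GMER's own code). It parses the .text hook records, the "Device ->" record and the "File ... suspicious modification" record, summarises per process which exports are detoured and where their JMP targets land, and correlates the device record with the file record; the embedded SAMPLE_LOG is a constructed excerpt copied from the posted log.

```python
r"""Triage helper for the GMER 1.0.15 log posted above (added example; not
part of the original post or of GMER). It parses three record types:
  .text <image>[pid] <module>!<export>[ + off] <addr> <n> Bytes JMP <target>
  Device -> \Driver\<name> \Device\<...> <addr>
  File <path> suspicious modification
and reports, per process, which exports are detoured and where the JMP targets
land, then correlates the Device record with the File record.
SAMPLE_LOG is a constructed excerpt copied from the posted log."""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>[\w@]+)(?P<offset>\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})|\[(?P<raw>[0-9A-F, ]+)\])$")
DEVICE_RE = re.compile(
    r"^Device\s+->\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+[0-9A-F]{8}$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")

SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03D5009F
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03D40FC0
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 8B]
.text C:\WINDOWS\System32\svchost.exe[1720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03A90000
.text C:\WINDOWS\Explorer.EXE[4060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00DA
.text C:\WINDOWS\Explorer.EXE[4060] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002E0000
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 8709B618
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


def parse_log(text):
    """Return (hooks, devices, files); section headers and other lines are skipped."""
    hooks, devices, files = [], [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HOOK_RE.match(line):
            d = m.groupdict()
            # a '+ 3 ... [F4, 8B]' record is the tail of the same patch, not a new hook
            hooks.append({"process": f"{d['image']}[{d['pid']}]",
                          "module": d["module"].lower(), "export": d["export"],
                          "offset": int(d["offset"].split("+")[1]) if d["offset"] else 0,
                          "size": int(d["size"]),
                          "target": int(d["target"], 16) if d["target"] else None})
        elif m := DEVICE_RE.match(line):
            devices.append((m["driver"], m["device"]))
        elif m := FILE_RE.match(line):
            files.append(m["path"])
    return hooks, devices, files


def hooked_exports(hooks):
    """Per process, the sorted de-duplicated list of detoured module!export names."""
    by_proc = defaultdict(set)
    for h in hooks:
        by_proc[h["process"]].add(f"{h['module']}!{h['export']}")
    return {p: sorted(s) for p, s in by_proc.items()}


def trampoline_regions(hooks):
    """Per process, the 64 KiB regions the JMP targets fall in: a few shared
    regions mean one injected block serves all of that process's detours."""
    regions = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            regions[h["process"]].add(h["target"] & 0xFFFF0000)
    return {p: sorted(r) for p, r in regions.items()}


def triage(text):
    """Summarise the hooks and correlate Device records with File records.
    Security suites and malware both detour exports such as CreateProcessW and
    socket, so the hook list alone needs context; a device dispatched by a
    driver whose file GMER reports as modified is the stronger signal."""
    hooks, devices, files = parse_log(text)
    findings = [f"modified file: {path}" for path in files]
    modified = {path.rsplit("\\", 1)[-1].lower() for path in files}
    for driver, device in devices:
        name = driver.rsplit("\\", 1)[-1].lower()
        if f"{name}.sys" in modified:
            findings.append(f"device {device} is dispatched by {driver}, "
                            f"whose image {name}.sys is reported as modified")
    return {"hooks": hooked_exports(hooks), "regions": trampoline_regions(hooks),
            "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for proc, exports in result["hooks"].items():
        regions = ", ".join(f"{r:08X}" for r in result["regions"][proc])
        print(f"{proc}: {', '.join(exports)}  [JMP targets in {regions}]")
    for finding in result["findings"]:
        print("FINDING:", finding)
```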

#7 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 17 January 2010 - 08:34 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#8 oceanandmountain (Topic Starter, Members, 42 posts)

Posted 18 January 2010 - 08:27 PM

Hi,

I decided to try to clean my computer first, but I cannot run the ComboFix file. I managed to download it, but when I double click, it says "Some installation files are corrupt. Please download a fresh copy and retry the installation."

Is there any other way that I can run the ComboFix?
Thanks a lot.

#9 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 19 January 2010 - 11:59 AM

Hi,

there was a problem with the ComboFix download yesterday. This is fixed now; please try to download a new copy, and it should run fine.

regards myrti



#10 oceanandmountain (Topic Starter, Members, 42 posts)

Posted 19 January 2010 - 01:52 PM

Hi myrti,

Please find below the ComboFix log. Please advise on the next step.
Thanks.

ComboFix 10-01-18.03 - USER1 01/19/2010 11:47:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.328 [GMT -6:00]
Running from: c:\documents and settings\USER1\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-14 03:16 . 2010-01-14 03:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-08 04:12 . 2010-01-08 04:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-08 04:08 . 2010-01-08 04:10 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-08 01:27 . 2010-01-08 01:29 -------- d-----w- C:\rsit
2009-12-27 00:37 . 2005-01-26 21:45 349472 ----a-w- c:\windows\WindowsXP-KB822603-x86.exe
2009-12-27 00:37 . 2005-11-03 16:12 106496 ----a-w- c:\windows\tsnp2std.exe
2009-12-27 00:37 . 2005-08-17 03:54 339968 ----a-w- c:\windows\vsnp2std.exe
2009-12-27 00:37 . 2005-09-21 19:59 24576 ----a-w- c:\windows\system32\drivers\sncamd.sys
2009-12-27 00:37 . 2005-09-21 19:31 8816128 ----a-w- c:\windows\system32\drivers\snp2sxp.sys
2009-12-27 00:36 . 2009-12-27 00:37 -------- d-----w- c:\program files\Common Files\snp2std
2009-12-27 00:36 . 2005-08-30 16:55 73728 ----a-w- c:\windows\system32\vsnp2std.dll
2009-12-27 00:36 . 2005-08-25 23:26 49152 ----a-w- c:\windows\system32\rsnp2std.dll
2009-12-27 00:36 . 2005-06-29 16:17 45056 ----a-w- c:\windows\system32\csnp2std.dll
2009-12-27 00:36 . 2004-12-24 00:14 20480 ----a-w- c:\windows\usnp2std.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 18:00 . 2009-01-04 06:52 -------- d-----w- c:\documents and settings\USER1\Application Data\Skype
2010-01-19 17:38 . 2009-01-04 06:54 -------- d-----w- c:\documents and settings\USER1\Application Data\skypePM
2009-12-31 03:27 . 2006-08-10 14:35 -------- d--h--r- c:\documents and settings\USER1\Application Data\yahoo!
2009-12-30 23:38 . 2006-08-10 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-27 00:36 . 2006-06-22 20:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 02:11 . 2009-12-08 15:54 -------- d-----w- c:\program files\McAfee
2009-12-23 20:42 . 2009-12-08 17:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-12 21:08 . 2006-08-10 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-09 22:28 . 2008-01-08 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-12-09 22:18 . 2009-12-09 22:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-12-09 21:52 . 2007-11-17 05:43 -------- d-----w- c:\documents and settings\USER1\Application Data\Move Networks
2009-12-09 04:31 . 2009-12-09 02:42 -------- d-----w- c:\program files\Sophos
2009-12-09 02:19 . 2009-12-08 05:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 18:09 . 2009-05-15 04:28 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-08 18:09 . 2009-05-15 04:25 -------- d-----w- c:\program files\AVS4YOU
2009-12-08 16:05 . 2009-12-08 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-08 15:56 . 2009-12-08 15:55 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-08 15:55 . 2009-12-08 15:55 -------- d-----w- c:\program files\McAfee.com
2009-12-08 15:28 . 2007-09-16 12:51 -------- d-----w- c:\program files\Omniquad Anti-Virus
2009-12-04 12:38 . 2009-12-04 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-04 12:38 . 2009-12-04 12:38 -------- d-----w- c:\program files\Java
2009-12-04 12:37 . 2009-12-04 12:37 152576 ----a-w- c:\documents and settings\USER1\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-04 12:37 . 2009-12-04 12:37 79488 ----a-w- c:\documents and settings\USER1\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-04 09:20 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 09:20 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2009-12-04 04:53 . 2009-12-04 04:53 -------- d-----w- c:\program files\ESET
2009-12-03 22:14 . 2009-12-08 05:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-12-08 05:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 23:33 . 2009-11-30 17:01 -------- d-----w- c:\program files\Angle Interactive
2009-12-01 21:17 . 2008-07-24 06:24 -------- d-----w- c:\documents and settings\USER1\Application Data\SUPERAntiSpyware.com
2009-12-01 05:16 . 2007-09-09 16:27 -------- d-----w- c:\program files\ULEAD
2009-12-01 04:51 . 2009-05-14 03:33 -------- d-----w- c:\program files\Nitro PDF
2009-11-28 06:33 . 2006-06-22 20:29 80792 -c--a-w- c:\documents and settings\USER1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 02:13 . 2008-10-14 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 02:09 . 2006-08-13 05:10 -------- d-----w- c:\program files\Microsoft Works
2009-11-06 15:20 . 2009-12-01 19:54 34112 ----a-w- c:\documents and settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-06 15:20 . 2009-12-01 19:54 32448 ----a-w- c:\documents and settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-06 15:20 . 2009-12-01 19:54 51168 ----a-w- c:\documents and settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper.dll
2009-11-04 22:54 . 2009-12-08 15:57 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 22:54 . 2009-12-08 15:57 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 22:54 . 2009-12-08 15:57 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-04 22:53 . 2009-12-08 15:44 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2008-06-12 14:17 . 2008-06-12 14:17 5592008 -c--a-w- c:\program files\Pareto_PC_Setup2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Cingular Communication Manager"="c:\program files\Cingular\Communication Manager\CingularCCM.exe" [2006-07-18 19456]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ResumeQuickupDownload"="c:\progra~1\OMNIQU~1\acappaa.exe" [2008-02-09 46456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-02 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-04 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-17 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-8-10 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-5-8 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-7-10 634880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/8/2009 10:03 AM 93320]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/23/2006 10:17 AM 87936]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [3/22/2008 6:52 AM 58240]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2009 7:56 PM 264576]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/3/2002 12:57 AM 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-08 18:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-08 18:22]

2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{57B81AEA-A51F-42CB-932C-17311FE50504}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
LSP: bmnet.dll
FF - ProfilePath - c:\documents and settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\USER1\Application Data\Mozilla\Firefox\Profiles\cnh8wmfl.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true.
- - - - ORPHANS REMOVED - - - -

SSODL-welejofeb-{f9b4cf24-b70a-47ab-a7a4-297123c8e494} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 12:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,77,ab,a8,4e,90,5f,45,89,26,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,77,ab,a8,4e,90,5f,45,89,26,9d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1272)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-19 12:14:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 18:14
ComboFix2.txt 2008-07-26 18:08

Pre-Run: 13,046,665,216 bytes free
Post-Run: 14,025,879,552 bytes free

- - End Of File - - 586FCB127B39AE35D1C8B3D00A4F5534

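The Reg Loading Points, service, LSP and orphan lines in the ComboFix log above are what a helper actually reads before saying a log "looks good". The script below is an added example (mine, not ComboFix's, BleepingComputer's or the poster's) that parses those line formats and lists the entries worth checking by hand: images that are .tmp files or live in the Windows root or a temp directory, services with no recorded file date/size, any Winsock LSP, and orphaned entries. The sample input is a shortened excerpt of the log above; the heuristics are my own assumptions, and a flag is a prompt to verify the file (publisher, hash, location), not a verdict. MEMSWEEP2 with its .tmp image path, for instance, is the driver Sophos Anti-Rootkit loads, and the firewall authorized-application list and the Security Center DisableMonitoring values are deliberately not flagged, because a third-party suite such as McAfee sets those itself.

```python
"""Triage autostart entries from a ComboFix log (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a shortened excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-17 339968]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/8/2009 10:03 AM 93320]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/3/2002 12:57 AM 13532]
LSP: bmnet.dll
SSODL-welejofeb-{f9b4cf24-b70a-47ab-a7a4-297123c8e494} - (no file)
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<disp>[^;]*);(?P<rest>.+)$")
LSP_RE = re.compile(r"^LSP:\s*(?P<dll>\S+)$")
ORPHAN_RE = re.compile(r"^(?P<entry>.+?)\s+-\s+\(no file\)$")
META_RE = re.compile(r"\s*\[([^\]]*)\]$")


@dataclass(frozen=True)
class Finding:
    kind: str          # "run", "service", "lsp" or "orphan"
    name: str
    path: str
    reasons: tuple


def path_reasons(path: str) -> list:
    """Heuristics (my assumptions) on where an autostart image lives; a hit means 'verify', not 'malware'."""
    p = path.lower()
    out = []
    if p.endswith(".tmp"):
        out.append("image is a .tmp file")
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    if parent in ("c:\\windows", "c:\\windows\\temp") or "\\local settings\\temp" in p:
        out.append("runs from the Windows root or a temp directory")
    return out


def service_path(rest: str) -> tuple:
    """Split ComboFix's 'raw --> resolved [meta]' service tail into (resolved path, meta)."""
    m = META_RE.search(rest)
    meta = m.group(1) if m else ""
    body = META_RE.sub("", rest)
    path = body.split(" --> ")[-1]
    if path.startswith("\\??\\"):       # NT object-manager prefix used for driver ImagePath values
        path = path[4:]
    return path, meta


def triage(log_text: str) -> list:
    """Return the Finding entries a reviewer should look at; entries with no reasons are dropped."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1).lower()
        elif (m := RUN_RE.match(line)) and current_key.endswith("\\run"):
            reasons = path_reasons(m["path"])
            if reasons:
                findings.append(Finding("run", m["name"], m["path"], tuple(reasons)))
        elif m := SVC_RE.match(line):
            path, meta = service_path(m["rest"])
            reasons = path_reasons(path)
            if meta == "?":
                reasons.append("no file date/size recorded (file missing or unreadable at scan time)")
            if reasons:
                findings.append(Finding("service", m["name"].strip(), path, tuple(reasons)))
        elif m := LSP_RE.match(line):
            findings.append(Finding("lsp", m["dll"], m["dll"],
                                    ("Winsock LSP sits in every socket call; confirm the DLL's publisher",)))
        elif m := ORPHAN_RE.match(line):
            findings.append(Finding("orphan", m["entry"], "",
                                    ("autostart entry points at a file that no longer exists",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.path or '-'}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the excerpt, it lists the two Run entries in the Windows root, the MEMSWEEP2 service (two reasons: .tmp image and no recorded metadata), the bmnet.dll LSP and the SSODL orphan, and stays silent on everything under Program Files or System32. Each flagged file is then checked the way the thread does it: look it up, confirm the signer, and only then decide.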

#11 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:07:25 AM
Posted 19 January 2010 - 05:45 PM

Hi,

The ComboFix log looks good. How is your PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#12 oceanandmountain
  • Topic Starter
  • Members
  • 42 posts
  • Local time:11:25 PM

Posted 20 January 2010 - 10:42 AM

It seems the PC has been back to normal and running fine now.
Thanks.

#13 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:07:25 AM
Posted 20 January 2010 - 03:34 PM

Hi,

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#14 oceanandmountain
  • Topic Starter
  • Members
  • 42 posts
  • Local time:11:25 PM

Posted 20 January 2010 - 10:21 PM

Hi myrti,

The scanner did not detect any threats and therefore no log was displayed?
Thanks

#15 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:07:25 AM
Posted 21 January 2010 - 06:27 AM

How is your PC doing?

regards myrti
