

Continuous DEP window from Generic.dx!kdh Trojan deletion?


17 replies to this topic

#1 kaap


  • Members
  • 9 posts

Posted 11 January 2010 - 11:31 PM

McAfee caught two files and deleted them: the Generic.dx!kdh Trojan and another trojan, but I cannot find its name in the McAfee logs. I turned off System Restore. Subsequent MalwareBytes Anti-malware scans in safe mode, Spybot S&D scans in safe mode, and McAfee scans in safe mode revealed no infected files. However, upon reboot a Data Execution Prevention (DEP) window persisted claiming to shut down Windows Media Sharing Service. Dismissing the window only spawned another DEP pop-up window with the same message. Rebooting, disk error checking, and defragging did not clean anything up. This DEP window would not go away.

I successfully ran DDS (log below). RootRepeal could not complete an entire scan. My first RootRepeal scan lasted 8 hours before my computer rebooted. During this scan, before the reboot, I did notice what looked like an in-progress result on the File tab regarding Dc36.txt. However, the scan did not complete and no log file was created.

I read somewhere that this persistent DEP window could be the result of a recycler issue (i.e., it's looking for a file but cannot find it because it was deleted). I ran ComboFix. After ComboFix, I could dismiss the DEP window, and it has not returned.

To verify apparent cleanliness, I tried another RootRepeal scan. The second RootRepeal scan lasted over 36 hours before my system rebooted. This time I noticed an in-progress File tab entry about quicktime player - something about being locked to the API (I could have that comment mixed up, but it was about quicktime). Again, the scan did not complete and a log file was not created. Apart from those slow RootRepeal scans, my system does not appear to be slowing down or acting terribly unusual.

So, is the Generic.dx!kdh Trojan really gone? Is my system really clean? RootRepeal log not available (I tried, sorry). I can post ComboFix log if desired.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Rene at 14:51:29.10 on Sat 01/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2374 [GMT -6:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe
E:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
E:\PROGRA~1\BLOCKB~1\BLOCKB~1\MovielinkCore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
E:\ProgramFilesE\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\ProgramFilesE\iTunes\iTunesHelper.exe
E:\ProgramFilesE\VMware\VMware Player\hqtray.exe
E:\ProgramFilesE\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe
C:\WINDOWS\system32\ctfmon.exe
E:\ProgramFilesE\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
E:\ProgramFilesE\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Rene\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\rene\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] e:\programfilese\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Acrobat Assistant 8.0] "e:\programfilese\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "e:\programfilese\itunes\iTunesHelper.exe"
mRun: [VMware hqtray] "e:\programfilese\vmware\vmware player\hqtray.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [LoadMSvcmm] "e:\programfilese\blockbuster\blockbustermovielink\Movielink User.exe"
StartupFolder: c:\docume~1\rene\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\rene\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - e:\programfilese\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\programfilese\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Save with Download Manager... - file://e:\programfilese\road runner music\DMDownload.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
LSP: e:\programfilese\vmware\vmware player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229476459452
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://mwnotescluster.caci.com/dwa7W.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.caci.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rene\applic~1\mozilla\firefox\profiles\rnqjddjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\rene\application data\mozilla\firefox\profiles\rnqjddjk.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-1-24 144704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;e:\progra~1\gfi\gfibac~1\GFIHInst.exe [2009-7-1 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;e:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2009-7-1 1410856]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-23 10384]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-27 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-1-24 54608]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-27 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-27 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-27 171400]
R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2008-9-29 899700]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 pnuigdt;pnuigdt;c:\windows\system32\drivers\ttom.sys --> c:\windows\system32\drivers\ttom.sys [?]
UnknownUnknown rootrepeal;rootrepeal; [x]

=============== Created Last 30 ================

2010-01-09 19:41:18 98816 ----a-w- c:\windows\sed.exe
2010-01-09 19:41:18 77312 ----a-w- c:\windows\MBR.exe
2010-01-09 19:41:18 261632 ----a-w- c:\windows\PEV.exe
2010-01-09 19:41:18 161792 ----a-w- c:\windows\SWREG.exe
2010-01-09 19:41:10 0 d-----w- C:\ComboFix
2010-01-07 23:55:06 24573 ----a-w- c:\documents and settings\rene\.recently-used.xbel
2010-01-03 19:21:19 0 d-----w- c:\docume~1\rene\applic~1\AnvSoft
2010-01-03 18:12:20 719872 ----a-w- c:\windows\system32\devil.dll
2010-01-03 18:12:20 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-01-03 18:12:20 0 d-----w- c:\program files\common files\Common Share
2010-01-03 18:12:19 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-01-02 04:42:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Movielink
2010-01-02 04:41:36 1821192 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-01-01 01:26:20 22816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-01 01:10:13 0 d-----w- c:\docume~1\rene\applic~1\Sling Media
2010-01-01 00:47:30 0 d-----w- c:\program files\Sling Media
2010-01-01 00:47:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Sling Media
2009-12-18 22:20:48 0 d-sh--w- c:\documents and settings\rene\IECompatCache

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 01:35:55 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-11-22 01:35:33 1073528 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-11-22 01:33:28 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-11-22 01:32:31 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-22 10:45:06 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-22 10:44:42 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-10-22 10:44:24 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-10-22 10:44:08 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-10-22 09:22:38 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-22 06:13:32 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 14:51:45.95 ===============

Any help is appreciated.
Thank you,
Kaap


#2 myrti

  • Malware Study Hall Admin
  • 33,771 posts

Posted 17 January 2010 - 02:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!



#3 kaap

  • Topic Starter

  • Members
  • 9 posts

Posted 17 January 2010 - 04:38 PM

Requested logs are below. By the way, I'm fairly certain the infection occurred on Jan 7, 2010.

OTL logfile created on: 1/17/2010 3:29:20 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = E:\reneDocs\myReceivedFiles
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 66.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.10 Gb Total Space | 7.73 Gb Free Space | 40.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 577.06 Gb Total Space | 319.27 Gb Free Space | 55.33% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 197.15 Gb Free Space | 42.33% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEVO
Current User Name: Rene
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/17 15:28:03 | 00,547,328 | ---- | M] (OldTimer Tools) -- E:\reneDocs\myReceivedFiles\OTL.exe
PRC - [2010/01/09 17:54:58 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/16 22:07:34 | 01,410,856 | ---- | M] (GFI Software Ltd.) -- E:\ProgramFilesE\GFI\GFI Backup 2009 - Home Edition\GFIHSched.exe
PRC - [2009/10/28 19:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- E:\ProgramFilesE\iTunes\iTunesHelper.exe
PRC - [2009/10/28 19:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/22 04:44:24 | 00,395,824 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2009/10/22 04:44:18 | 00,113,200 | ---- | M] (VMware, Inc.) -- E:\ProgramFilesE\VMware\VMware Player\vmware-authd.exe
PRC - [2009/10/22 04:44:08 | 00,334,384 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2009/10/22 04:43:30 | 00,064,048 | ---- | M] (VMware, Inc.) -- E:\ProgramFilesE\VMware\VMware Player\hqtray.exe
PRC - [2009/10/22 03:47:54 | 00,563,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
PRC - [2009/10/08 19:18:10 | 26,805,255 | ---- | M] () -- C:\Documents and Settings\Rene\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2009/09/25 13:16:06 | 00,093,960 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
PRC - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/13 23:43:22 | 00,440,616 | ---- | M] (GFI Software Ltd.) -- E:\ProgramFilesE\GFI\GFI Backup 2009 - Home Edition\GFIHInst.exe
PRC - [2009/03/27 09:12:54 | 00,455,112 | ---- | M] (Blockbuster) -- E:\ProgramFilesE\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe
PRC - [2009/03/27 09:12:28 | 01,867,720 | ---- | M] (Blockbuster) -- E:\ProgramFilesE\Blockbuster\BLOCKBUSTERMovielink\MovielinkCore.exe
PRC - [2009/03/09 04:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/05 15:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- E:\ProgramFilesE\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/24 23:05:17 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/11/07 16:43:36 | 00,809,488 | ---- | M] (Logitech, Inc.) -- E:\ProgramFilesE\Logitech\SetPoint\SetPoint.exe
PRC - [2008/11/07 16:39:36 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/10/22 20:03:52 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/10/14 21:38:56 | 00,623,992 | ---- | M] (Adobe Systems Inc.) -- E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/09/17 23:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/06/10 12:56:30 | 01,442,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/24 19:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2008/01/24 19:50:00 | 00,111,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/01/24 19:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2007/10/25 14:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2007/10/25 09:05:40 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2007/10/25 09:04:56 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2007/10/25 09:03:28 | 00,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2006/10/18 20:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2004/11/15 04:20:20 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/04/14 13:46:50 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


========== Modules (SafeList) ==========

MOD - [2010/01/17 15:28:03 | 00,547,328 | ---- | M] (OldTimer Tools) -- E:\reneDocs\myReceivedFiles\OTL.exe
MOD - [2009/07/12 00:12:06 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/11/07 16:41:46 | 00,045,584 | ---- | M] (Logitech, Inc.) -- E:\ProgramFilesE\Logitech\SetPoint\lgscroll.dll
MOD - [2008/04/14 04:42:06 | 00,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shimeng.dll
MOD - [2008/04/14 04:42:00 | 00,071,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msacm32.dll
MOD - [2008/04/14 04:41:50 | 01,852,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\acgenral.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/16 22:07:34 | 01,410,856 | ---- | M] (GFI Software Ltd.) [Auto | Running] -- E:\ProgramFilesE\GFI\GFI Backup 2009 - Home Edition\GFIHSched.exe -- (GFIBckHSched)
SRV - [2009/10/28 19:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/22 04:44:24 | 00,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2009/10/22 04:44:18 | 00,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- E:\ProgramFilesE\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2009/10/22 04:44:08 | 00,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2009/10/22 03:47:54 | 00,563,760 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009/10/12 14:32:24 | 00,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- E:\ProgramFilesE\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009/09/25 13:16:06 | 00,093,960 | ---- | M] (Sling Media Inc.) [Auto | Running] -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService)
SRV - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/13 23:43:22 | 00,440,616 | ---- | M] (GFI Software Ltd.) [Auto | Running] -- E:\ProgramFilesE\GFI\GFI Backup 2009 - Home Edition\GFIHInst.exe -- (GFIBckHAtt)
SRV - [2009/03/27 09:12:28 | 01,867,720 | ---- | M] (Blockbuster) [Auto | Running] -- E:\ProgramFilesE\Blockbuster\BLOCKBUSTERMovielink\MovielinkCore.exe -- (Movielink Core Service)
SRV - [2009/03/09 04:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/24 23:05:17 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/07 16:40:52 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/10/22 20:03:52 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2008/09/17 23:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/01/24 19:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2008/01/24 19:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2007/10/25 09:03:28 | 00,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/09/17 09:36:18 | 00,800,040 | ---- | M] (Nero AG) [On_Demand | Stopped] -- E:\ProgramFilesE\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2007/06/27 18:04:00 | 00,279,848 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007/02/10 07:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- e:\ProgramFilesE\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2007/02/10 07:29:47 | 00,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/10/14 04:50:19 | 00,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Driver Services (SafeList) ==========

DRV - [2009/10/22 04:45:06 | 00,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2009/10/22 04:45:02 | 00,853,936 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2009/10/22 04:45:00 | 00,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2009/10/22 04:45:00 | 00,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2009/10/22 04:44:58 | 00,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2009/10/22 04:44:06 | 00,014,896 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2009/10/22 03:47:52 | 00,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2009/10/22 00:13:32 | 00,016,560 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2009/10/12 14:31:52 | 00,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- E:\ProgramFilesE\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/03/22 18:19:10 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2008/09/26 09:53:00 | 00,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/09/26 09:53:00 | 00,028,816 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/09/26 09:52:00 | 00,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/09/26 09:52:00 | 00,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2008/09/26 09:52:00 | 00,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/09/17 23:55:00 | 06,132,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/18 18:54:00 | 00,145,952 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvgts.sys -- (nvgts)
DRV - [2008/08/01 11:36:00 | 00,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/08/01 11:36:00 | 00,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/04/29 16:40:56 | 00,210,472 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Si3114r5.sys -- (Si3114r5)
DRV - [2008/04/29 16:40:56 | 00,017,064 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2008/04/29 16:40:56 | 00,012,200 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiRemFil.sys -- (SiRemFil)
DRV - [2008/04/14 00:16:22 | 00,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/14 00:16:22 | 00,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/14 00:16:10 | 00,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/13 23:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/01/24 19:50:00 | 00,171,400 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/01/24 19:50:00 | 00,072,936 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/01/24 19:50:00 | 00,064,232 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/01/24 19:50:00 | 00,052,104 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/01/24 19:50:00 | 00,033,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/01/24 19:50:00 | 00,031,816 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- c:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2007/04/16 20:46:00 | 00,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/04/24 17:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/01/28 13:36:00 | 00,171,008 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/01/16 23:43:26 | 00,088,576 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2004/11/17 05:05:38 | 02,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/12 20:56:20 | 00,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/07/16 16:47:14 | 00,014,165 | ---- | M] (Pinnacle Systems GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Pclepci.sys -- (PCLEPCI)
DRV - [2004/05/02 02:47:08 | 00,023,040 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GVCplDrv.sys -- (GVCplDrv)
DRV - [2004/03/10 15:27:18 | 00,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2k)
DRV - [2002/08/29 14:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/04/08 09:57:40 | 00,899,700 | ---- | M] (Xirlink, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ucdnt.sys -- (XIRLINK)
DRV - [2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)
DRV - [2001/08/17 08:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\S-1-5-21-1275210071-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\S-1-5-21-1275210071-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.5
FF - prefs.js..extensions.enabledItems: {0b457cAA-602d-484a-8fe7-c1d894a011ba}:0.80
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {6e764c17-863a-450f-bdd0-6772bd5aaa18}:1.0.3
FF - prefs.js..extensions.enabledItems: {52a6a832-4251-430b-8202-46b4463ee1ea}:1.0.4e
FF - prefs.js..extensions.enabledItems: {3f669128-5ad3-4053-ad9b-1afc4ea24c28}:2.4
FF - prefs.js..extensions.enabledItems: {3EC9C995-8072-4fc0-953E-4F30620D17F3}:2.0.0.4
FF - prefs.js..extensions.enabledItems: {9EB34849-81D3-4841-939D-666D522B889A}:1.4.0.76
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/09 17:55:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/09 17:55:00 | 00,000,000 | ---D | M]

[2008/09/28 19:14:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rene\Application Data\Mozilla\Extensions
[2010/01/17 09:03:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions
[2009/11/23 20:35:46 | 00,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2009/03/29 07:36:29 | 00,000,000 | ---D | M] (WeatherBug) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
[2008/12/18 08:31:11 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{3f669128-5ad3-4053-ad9b-1afc4ea24c28}
[2008/12/18 08:30:25 | 00,000,000 | ---D | M] (PackageMapping.com Extension) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{52a6a832-4251-430b-8202-46b4463ee1ea}
[2009/04/07 18:13:17 | 00,000,000 | ---D | M] (Media Converter) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}
[2009/12/31 19:09:46 | 00,000,000 | ---D | M] (WebSlingPlayer) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
[2009/11/23 19:36:27 | 00,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/11/23 19:36:27 | 00,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/08 20:17:14 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/10/17 06:17:57 | 00,001,512 | ---- | M] () -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\searchplugins\imdb.xml
[2009/09/23 20:02:56 | 00,001,640 | ---- | M] () -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\searchplugins\weathercom.xml
[2009/03/18 19:23:30 | 00,000,705 | ---- | M] () -- C:\Documents and Settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\searchplugins\webster.xml
[2010/01/15 20:37:03 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/08 19:32:20 | 00,371,817 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12818 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - E:\ProgramFilesE\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [iTunesHelper] E:\ProgramFilesE\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [LoadMSvcmm] E:\ProgramFilesE\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe (Blockbuster)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [ShStatEXE] c:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [VMware hqtray] E:\ProgramFilesE\VMware\VMware Player\hqtray.exe (VMware, Inc.)
O4 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004..\Run: [Google Update] C:\Documents and Settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004..\Run: [SpybotSD TeaTimer] E:\ProgramFilesE\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = E:\ProgramFilesE\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\Rene\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Rene\Application Data\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - E:\ProgramFilesE\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ProgramFilesE\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - E:\ProgramFilesE\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - E:\ProgramFilesE\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1275210071-1284227242-839522115-1004\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1229476459452 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://mwnotescluster.caci.com/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://portal.caci.com/dana-cached/setup/J...perSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Rene\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rene\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/27 16:04:47 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/16 20:49:56 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Rene\Recent
[2010/01/13 19:18:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\.hd
[2010/01/13 01:17:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\VMware
[2010/01/12 20:49:48 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/11 21:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\VMware
[2010/01/10 13:15:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\My Documents\LightScribe
[2010/01/09 14:46:23 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/09 13:41:18 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/09 13:41:18 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/09 13:41:18 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/09 13:41:18 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/09 13:41:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/09 13:41:10 | 00,000,000 | ---D | C] -- C:\ComboFix
[2010/01/09 13:40:53 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/08 21:01:19 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Rene\Desktop\RootRepeal.exe
[2010/01/08 20:57:42 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Rene\Desktop\ATF-Cleaner.exe
[2010/01/03 13:21:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\Application Data\AnvSoft
[2010/01/03 12:56:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\My Documents\FFOutput
[2010/01/03 12:12:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\My Documents\OJOsoft Corporation
[2010/01/03 12:12:20 | 00,719,872 | ---- | C] (Abysmal Software) -- C:\WINDOWS\System32\devil.dll
[2010/01/03 12:12:20 | 00,351,744 | ---- | C] (The Public) -- C:\WINDOWS\System32\avisynth.dll
[2010/01/03 12:12:20 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Common Share
[2010/01/03 12:12:19 | 01,700,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gdiplus.dll
[2010/01/01 22:47:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\Local Settings\Application Data\Blockbuster
[2010/01/01 22:42:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Movielink
[2010/01/01 22:41:36 | 01,821,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vcredist_x86.exe
[2010/01/01 22:13:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/31 19:10:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rene\Application Data\Sling Media
[2009/12/31 18:47:30 | 00,000,000 | ---D | C] -- C:\Program Files\Sling Media
[2009/12/31 18:47:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sling Media
[2009/12/18 16:20:48 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Rene\IECompatCache
[2009/08/19 16:14:57 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/26 10:33:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/03/22 18:19:10 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Rene\Application Data\pcouffin.sys
[2009/01/03 17:38:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/09/27 19:38:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/17 15:14:00 | 00,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004UA.job
[2010/01/17 11:57:07 | 00,002,055 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/16 17:14:06 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004Core.job
[2010/01/15 21:02:10 | 00,022,699 | ---- | M] () -- C:\Documents and Settings\Rene\.recently-used.xbel
[2010/01/15 20:16:35 | 00,002,481 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\Microsoft Excel.lnk
[2010/01/14 11:33:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/13 22:42:32 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/13 07:52:16 | 00,194,030 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/13 01:21:19 | 00,591,400 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/13 01:21:19 | 00,490,406 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/13 01:21:19 | 00,090,058 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/13 01:16:36 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 01:16:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 01:16:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 01:15:38 | 08,388,608 | -H-- | M] () -- C:\Documents and Settings\Rene\NTUSER.DAT
[2010/01/11 22:08:45 | 00,055,808 | ---- | M] () -- C:\Documents and Settings\Rene\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/09 16:54:00 | 00,000,343 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP USB Disk Storage Format Tool.lnk
[2010/01/09 15:08:13 | 00,003,275 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\Attach.zip
[2010/01/09 13:45:18 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/09 09:19:34 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\settings.dat
[2010/01/08 21:01:23 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Rene\Desktop\RootRepeal.exe
[2010/01/08 21:00:01 | 03,819,182 | R--- | M] () -- C:\Documents and Settings\Rene\Desktop\ComboFix.exe
[2010/01/08 20:57:47 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Rene\Desktop\ATF-Cleaner.exe
[2010/01/08 20:45:49 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\dds.scr
[2010/01/08 20:01:36 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Rene\ntuser.ini
[2010/01/08 19:32:20 | 00,371,817 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 15:20:34 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\Microsoft Word.lnk
[2010/01/06 20:25:47 | 00,156,588 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\RegOnlineTest.pdf
[2010/01/03 13:21:24 | 00,000,651 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\Any Video Converter.lnk
[2010/01/03 12:56:13 | 00,000,715 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\Format Factory.lnk
[2010/01/01 22:42:31 | 00,000,903 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BLOCKBUSTER Movielink.lnk
[2009/12/31 19:26:20 | 00,022,816 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/31 18:47:33 | 00,001,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch SlingPlayer.lnk
[2009/12/26 10:42:41 | 00,000,761 | ---- | M] () -- C:\Documents and Settings\Rene\Desktop\Revo Uninstaller.lnk
[2009/12/19 12:45:27 | 00,366,461 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100108-193220.backup
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/15 21:02:10 | 00,022,699 | ---- | C] () -- C:\Documents and Settings\Rene\.recently-used.xbel
[2010/01/09 16:54:00 | 00,000,343 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP USB Disk Storage Format Tool.lnk
[2010/01/09 15:08:13 | 00,003,275 | ---- | C] () -- C:\Documents and Settings\Rene\Desktop\Attach.zip
[2010/01/09 13:41:18 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/09 13:41:18 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/09 13:41:18 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/09 13:41:18 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/09 13:41:18 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/08 21:04:19 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Rene\Desktop\settings.dat
[2010/01/08 20:59:27 | 03,819,182 | R--- | C] () -- C:\Documents and Settings\Rene\Desktop\ComboFix.exe
[2010/01/08 20:45:49 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Rene\Desktop\dds.scr
[2010/01/07 23:31:01 | 00,384,912 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/06 20:25:45 | 00,156,588 | ---- | C] () -- C:\Documents and Settings\Rene\Desktop\RegOnlineTest.pdf
[2010/01/03 13:21:24 | 00,000,651 | ---- | C] () -- C:\Documents and Settings\Rene\Desktop\Any Video Converter.lnk
[2010/01/03 12:56:13 | 00,000,715 | ---- | C] () -- C:\Documents and Settings\Rene\Desktop\Format Factory.lnk
[2010/01/01 22:42:31 | 00,000,903 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BLOCKBUSTER Movielink.lnk
[2010/01/01 22:13:11 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/31 19:26:20 | 00,022,816 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/31 18:47:33 | 00,001,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch SlingPlayer.lnk
[2009/08/19 19:50:43 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\Rene\Local Settings\Application Data\fusioncache.dat
[2009/05/08 17:57:14 | 00,005,328 | ---- | C] () -- C:\Documents and Settings\Rene\Application Data\temp15224.txt
[2009/05/06 21:08:38 | 00,005,036 | ---- | C] () -- C:\Documents and Settings\Rene\Application Data\temp12722.txt
[2009/04/27 18:36:33 | 00,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/03/22 18:19:14 | 00,000,033 | ---- | C] () -- C:\Documents and Settings\Rene\Application Data\pcouffin.log
[2009/03/22 18:19:10 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Rene\Application Data\pcouffin.cat
[2009/03/22 18:19:10 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Rene\Application Data\pcouffin.inf
[2009/01/11 16:06:26 | 00,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/11 16:06:26 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/11 15:07:15 | 00,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2008/11/30 18:53:15 | 00,055,808 | ---- | C] () -- C:\Documents and Settings\Rene\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/25 22:19:39 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/29 19:24:30 | 00,000,305 | ---- | C] () -- C:\WINDOWS\bundle.ini
[2008/09/28 08:32:27 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\cddvdint.dll
[2008/09/28 07:38:44 | 00,000,426 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2008/09/28 07:38:44 | 00,000,211 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008/09/28 07:38:44 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008/09/28 07:38:44 | 00,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008/09/28 07:38:33 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2008/09/28 07:38:29 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008/09/28 07:35:50 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/09/28 07:31:27 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/27 21:50:10 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/09/27 19:16:33 | 00,023,040 | R--- | C] () -- C:\WINDOWS\System32\drivers\GVCplDrv.sys
[2008/09/27 16:15:02 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2008/09/27 16:14:59 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2008/09/27 16:11:28 | 00,000,264 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2008/09/27 16:10:56 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/09/27 16:10:51 | 00,006,133 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/09/27 16:10:45 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/03/09 01:29:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/09 01:29:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/09 01:29:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/09 01:29:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/03/09 01:29:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/09 01:29:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/03/18 07:44:29 | 01,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2002/03/04 09:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2000/01/06 18:00:00 | 00,024,448 | ---- | C] () -- C:\WINDOWS\sysgtime.dll
[2000/01/06 18:00:00 | 00,024,448 | ---- | C] () -- C:\WINDOWS\System32\proclsvr.drv
< End of report >



OTL Extras logfile created on: 1/17/2010 3:29:20 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = E:\reneDocs\myReceivedFiles
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 66.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.10 Gb Total Space | 7.73 Gb Free Space | 40.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 577.06 Gb Total Space | 319.27 Gb Free Space | 55.33% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 197.15 Gb Free Space | 42.33% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEVO
Current User Name: Rene
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1275210071-1284227242-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"E:\ProgramFilesE\uTorrent\uTorrent.exe" = E:\ProgramFilesE\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"E:\ProgramFilesE\iTunes\iTunes.exe" = E:\ProgramFilesE\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"E:\ProgramFilesE\VMware\VMware Player\vmware-authd.exe" = E:\ProgramFilesE\VMware\VMware Player\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)
"E:\ProgramFilesE\Sling Media\SlingPlayer\SlingPlayer.exe" = E:\ProgramFilesE\Sling Media\SlingPlayer\SlingPlayer.exe:*:Enabled:SlingPlayer -- (Sling Media Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02F6993D-B763-4F40-8F93-2A9CD97586E3}" = Microsoft IntelliType Pro 6.3
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{1102D7B1-098C-4F48-92F4-DC403E45A527}" = LightScribe Template Designs - Athletic Pack 1
"{1B399A41-C1D0-40A2-9E4F-095868EFAF01}" = InterVideo WinDVD 5
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{20608BFA-6068-48FE-A410-400F2A124C27}" = Microsoft SQL Server Management Studio Express
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 13
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{305D4B08-5807-4475-B1C8-D54685534864}" = LightScribeTemplateLabeler
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4A81B632-07AB-4CAC-BB04-DF20DFFBFFA0}" = ArcSoft PhotoStudio 5.5
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5B295E70-5256-46DD-ADA8-81E9EF7F4939}" = LightScribe Template Designs - Life Events Pack 1
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7148F0A8-6813-11D6-A77B-00B0D0142040}" = Java 2 Runtime Environment, SE v1.4.2_04
"{714ACFF3-B8A3-4AD6-937B-13C833D71033}" = Nero 7 Essentials
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}" = Microsoft Visual C# 2005 Express Edition - ENU
"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus
"{8E4CF4E6-062E-11D8-BCF1-005004748D87}" = 3114 SATARAID5
"{90170409-6000-11D3-8CFE-0050048383C9}" = Microsoft FrontPage 2002
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}" = Google Gears
"{9E491AB7-4589-48CA-9CBB-874CB2788391}" = Studio 9
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A53A11EA-0095-493F-86FA-A15E8A86A405}" = VMware Player
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{B023185F-F1EF-4F97-B0BD-AE6D802226D1}" = NVIDIA WDM Drivers
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B67624DE-75CE-4FAD-9F29-5C115773CE61}" = Studio 9 Content CD/DVD
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF3D8718-EF21-4408-AE38-A6DA98E1E2B6}" = LightScribe System Software 1.14.32.1
"{D102611A-6466-4101-A51D-51069303AC65}" = tools-linux
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}" = Brother MFL-Pro Suite
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.62
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.3 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Any Video Converter_is1" = Any Video Converter 3.0.1
"CCleaner" = CCleaner
"CTDVDAudio Plugin" = Creative DVD Audio Plugin for Audigy Series
"CutePDF Writer Installation" = CutePDF Writer 2.7
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"Defraggler" = Defraggler
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"FileZilla Client" = FileZilla Client 3.2.4.1
"FLV Player" = FLV Player 2.0, build 24
"FormatFactory" = FormatFactory 2.20
"GFI Backup 2009 - Home Edition" = GFI Backup 2009 - Home Edition
"Hollywood FX 5.5 Additional Effects" = Hollywood FX 5.5 Additional Effects
"Hollywood FX for Studio" = Pinnacle Hollywood FX for Studio
"ie8" = Windows Internet Explorer 8
"InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2009a" = MATLAB R2009a
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual C# 2005 Express Edition - ENU" = Microsoft Visual C# 2005 Express Edition - ENU
"Movielink Manager" = BLOCKBUSTER Movielink
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"proDAD-Heroglyph-1.0" = proDAD Heroglyph 1.0
"proDAD-Heroglyph-2.0" = proDAD Heroglyph 2.0
"Revo Uninstaller" = Revo Uninstaller 1.85
"Tweak UI 2.10" = Tweak UI
"VMware_Player" = VMware Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.7
"WM Converter 2.0" = WM Converter 2.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XML Marker_is1" = XML Marker version 1.1
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1275210071-1284227242-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Download Agent" = Download Agent
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/16/2010 2:52:46 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/16/2010 4:50:05 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/16/2010 5:45:00 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/16/2010 7:08:47 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/16/2010 7:18:33 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/16/2010 7:41:36 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/17/2010 5:26:57 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/17/2010 7:08:47 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/17/2010 7:17:58 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

Error - 1/17/2010 7:41:00 AM | Computer Name = BEVO | Source = McLogEvent | ID = 259
Description = McAfee alerting interface unable to send alert to \\001-hq-epol01.caci.com\pipe\AlertManager.
Error returned = The network path was not found.

[ System Events ]
Error - 1/13/2010 2:33:06 AM | Computer Name = BEVO | Source = VolSnap | ID = 393241
Description = The shadow copy of volume E: was aborted because the diff area file
could not grow in time. Consider reducing the IO load on this system to avoid this
problem in the future.

Error - 1/13/2010 3:17:14 AM | Computer Name = BEVO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 1/14/2010 11:21:20 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:21:27 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:21:34 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:21:41 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:21:47 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:23:05 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:23:12 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/14/2010 11:23:18 PM | Computer Name = BEVO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.


< End of report >


#4 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender: Female
  • Location: At home

Posted 17 January 2010 - 04:52 PM

Hi,

please post the combofix log and a log from gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 kaap (Topic Starter)

  • Members
  • 9 posts

Posted 17 January 2010 - 09:26 PM

ComboFix 10-01-04.01 - Rene 01/09/2010 13:42:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2504 [GMT -6:00]
Running from: c:\documents and settings\Rene\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rene\Application Data\inst.exe
E:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-08 05:31 . 2010-01-08 05:31 384912 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-03 19:21 . 2010-01-03 19:21 -------- d-----w- c:\documents and settings\Rene\Application Data\AnvSoft
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\Common Files\Common Share
2010-01-03 18:12 . 2008-12-18 19:38 719872 ----a-w- c:\windows\system32\devil.dll
2010-01-03 18:12 . 2008-12-18 19:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-01-03 18:12 . 2008-12-18 19:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-01-02 04:47 . 2010-01-02 04:47 -------- d-----w- c:\documents and settings\Rene\Local Settings\Application Data\Blockbuster
2010-01-02 04:42 . 2010-01-02 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Movielink
2010-01-02 04:41 . 2008-04-16 18:55 1821192 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-01-02 04:38 . 2008-12-04 07:25 120832 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2010-01-01 01:26 . 2010-01-01 01:26 22816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-01 01:10 . 2010-01-01 01:10 -------- d-----w- c:\documents and settings\Rene\Application Data\Sling Media
2010-01-01 01:09 . 2009-12-17 23:00 1786368 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
2010-01-01 01:09 . 2009-12-17 22:57 148992 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\DXVAProbe.dll
2010-01-01 01:09 . 2009-12-17 22:57 581632 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SPRemote.dll
2010-01-01 01:09 . 2009-12-17 22:56 292352 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\RCDownloader.dll
2010-01-01 01:09 . 2009-12-17 22:57 2001920 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SBIL2.dll
2010-01-01 01:09 . 2009-12-17 22:56 175616 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\CabinetUtils.dll
2010-01-01 01:09 . 2009-09-01 21:00 252416 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\sling_socket_layer.dll
2010-01-01 01:09 . 2009-05-29 19:54 882176 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\curllib.dll
2010-01-01 01:09 . 2009-04-30 21:19 79112 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\zlib1.dll
2010-01-01 01:09 . 2009-04-30 21:06 95624 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SMST.dll
2010-01-01 00:47 . 2010-01-01 00:47 -------- d-----w- c:\program files\Sling Media
2010-01-01 00:47 . 2010-01-01 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2009-12-18 22:20 . 2009-12-18 22:20 -------- d-sh--w- c:\documents and settings\Rene\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 19:41 . 2009-11-11 13:46 79488 ----a-w- c:\documents and settings\Rene\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-09 19:35 . 2009-10-18 18:53 -------- d-----w- c:\documents and settings\Rene\Application Data\Dropbox
2010-01-09 19:28 . 2009-12-01 03:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-01-09 19:28 . 2009-12-01 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-09 02:21 . 2009-04-26 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-08 05:29 . 2008-11-25 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 05:29 . 2008-12-05 02:08 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 05:26 . 2009-01-11 17:25 -------- d-----w- c:\documents and settings\Rene\Application Data\uTorrent
2010-01-07 23:55 . 2009-12-10 02:33 -------- d-----w- c:\documents and settings\Rene\Application Data\gtk-2.0
2010-01-07 22:07 . 2008-11-25 02:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-11-25 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 02:45 . 2009-01-11 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-01 00:48 . 2008-09-27 22:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-05 17:12 . 2008-09-28 13:35 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-12-05 15:17 . 2009-12-01 16:29 -------- d-----w- c:\documents and settings\Rene\Application Data\VMware
2009-12-01 02:36 . 2009-12-01 02:36 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2009-12-01 02:36 . 2009-12-01 02:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-12-01 02:35 . 2009-12-01 02:35 -------- d-----w- c:\program files\Common Files\VMware
2009-12-01 02:33 . 2009-12-01 02:36 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2009-12-01 02:33 . 2009-12-01 02:36 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2009-12-01 02:33 . 2009-12-01 02:36 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2009-12-01 02:33 . 2009-12-01 02:36 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2009-12-01 02:33 . 2009-12-01 02:36 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2009-12-01 02:33 . 2009-12-01 02:36 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2009-12-01 02:33 . 2009-12-01 02:36 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2009-11-28 18:16 . 2009-11-24 02:39 -------- d-----w- c:\documents and settings\Rene\Application Data\FireShot
2009-11-22 04:31 . 2009-11-22 04:31 -------- d-----w- c:\documents and settings\Rene\Application Data\dBpoweramp
2009-11-22 01:35 . 2009-11-22 01:35 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-11-22 01:35 . 2009-11-22 01:32 1073528 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-11-22 01:33 . 2009-11-22 01:33 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-11-22 01:32 . 2009-11-22 01:32 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-11-22 01:32 . 2009-11-22 01:32 -------- d-----w- c:\documents and settings\Rene\Application Data\AccurateRip
2009-10-31 22:32 . 2009-10-31 22:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2002-08-29 20:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-22 10:45 . 2009-10-22 10:45 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-22 10:45 . 2009-10-22 10:45 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-22 10:45 . 2009-10-22 10:45 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-22 10:45 . 2009-12-01 02:35 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-10-22 10:45 . 2009-10-22 10:45 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-22 10:44 . 2009-12-01 02:35 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-10-22 10:44 . 2009-12-01 02:35 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-10-22 10:44 . 2009-12-01 02:35 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-10-22 10:44 . 2009-12-01 02:35 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-10-22 10:44 . 2009-10-22 10:44 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-22 09:47 . 2009-10-22 09:47 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-22 09:22 . 2009-10-22 09:22 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-22 06:13 . 2009-12-01 02:36 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-10-22 06:13 . 2009-12-01 02:36 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-10-22 06:13 . 2009-12-01 02:35 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-10-21 05:38 . 2008-09-28 01:28 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2008-09-28 01:28 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2008-09-28 01:28 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-18 18:54 . 2009-10-18 18:54 89962 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\Uninstall.exe
2009-10-13 10:30 . 2002-08-29 20:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 20:33 . 2009-10-12 20:33 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-10-12 13:38 . 2002-08-29 20:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 20:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-02 133104]
"SpybotSD TeaTimer"="e:\programfilese\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"Acrobat Assistant 8.0"="e:\programfilese\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="e:\programfilese\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"VMware hqtray"="e:\programfilese\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]
"LoadMSvcmm"="e:\programfilese\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe" [2009-03-27 455112]

c:\documents and settings\Rene\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Rene\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - e:\programfilese\Logitech\SetPoint\SetPoint.exe [2008-12-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 22:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\ProgramFilesE\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\ProgramFilesE\\iTunes\\iTunes.exe"=
"e:\\ProgramFilesE\\VMware\\VMware Player\\vmware-authd.exe"=
"e:\\ProgramFilesE\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;e:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [7/1/2009 9:21 PM 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;e:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [7/1/2009 9:21 PM 1410856]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/23/2008 9:58 PM 10384]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 1:16 PM 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [9/29/2008 7:24 PM 899700]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 pnuigdt;pnuigdt;c:\windows\system32\drivers\ttom.sys --> c:\windows\system32\drivers\ttom.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 01:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004Core.job
- c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-02 01:10]

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004UA.job
- c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-02 01:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save with Download Manager... - file://e:\programfilese\Road Runner Music\DMDownload.htm
LSP: e:\programfilese\VMware\VMware Player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
FF - plugin: c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: e:\programfilese\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: e:\programfilese\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 13:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-01-09 13:46:54
ComboFix-quarantined-files.txt 2010-01-09 19:46

Pre-Run: 8,097,665,024 bytes free
Post-Run: 8,226,803,712 bytes free

- - End Of File - - 842A0B11162273E5B5A6E4391F5AC0B8



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 20:25:30
Windows 5.1.2600 Service Pack 3
Running: whciyxw5.exe; Driver: C:\DOCUME~1\Rene\LOCALS~1\Temp\fgtdqpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA5A798BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA5A7983B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA5A798E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA5A7984F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA5A7987B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA5A7990F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA5A79827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA5A798CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA5A79865]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA5A79891]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA5A798A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA5A79925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA5A798F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP A5A798FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP A5A798BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP A5A79913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP A5A79929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP A5A798D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP A5A798E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP A5A798AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B8 7 Bytes JMP A5A79895 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D54 7 Bytes JMP A5A79869 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 5 Bytes JMP A5A7983F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C2 7 Bytes JMP A5A79853 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A992 7 Bytes JMP A5A7987F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 5 Bytes JMP A5A7982B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8DDA360, 0x32DEFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0000
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF00BD
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF00A2
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0087
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF005B
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F88
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0FA3
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0F52
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF00F5
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0106
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0076
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF001B
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF00CE
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0036
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\System32\svchost.exe[200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F77
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FDB
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0098
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE002C
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0011
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0087
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0000
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EE006C
.text C:\WINDOWS\System32\svchost.exe[200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0051
.text C:\WINDOWS\System32\svchost.exe[200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0FAB
.text C:\WINDOWS\System32\svchost.exe[200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED0036
.text C:\WINDOWS\System32\svchost.exe[200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0011
.text C:\WINDOWS\System32\svchost.exe[200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\System32\svchost.exe[200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0FBC
.text C:\WINDOWS\System32\svchost.exe[200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED0000
.text C:\WINDOWS\System32\svchost.exe[200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FE5
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F3008A
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30F95
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30FA6
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F3006F
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FC3
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F3009B
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F5F
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F300C0
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F30F31
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F300DB
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30054
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F30F7A
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F3002F
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F30FDE
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30F42
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F2002C
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F94
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F2001B
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20FA5
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20000
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20FB6
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F2003D
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F1002F
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FA4
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FB5
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F1000A
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FD2
.text C:\WINDOWS\System32\svchost.exe[276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00090
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0007F
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00062
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00FA5
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00047
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F65
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F000AB
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F00F39
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F4A
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00F1E
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FC0
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00011
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F8A
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F0002C
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FDB
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F000C8
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0025
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0062
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0FA5
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0047
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0036
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0FB2
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FC3
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0022
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0033
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0011
.text C:\WINDOWS\system32\services.exe[892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED000A
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF007B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F86
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FA1
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FB2
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00B3
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF008C
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F2B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F46
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00DF
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F6B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00C4
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F54
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F6F
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0F8A
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FBC
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\lsass.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01080FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01080F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01080FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0108007D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01080FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01080051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01080F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010800B8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010800FA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01080F61
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01080F46
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01080062
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01080000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01080F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01080036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0108001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010800DF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070FD1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01070FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0107002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01070011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0107006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01070FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0107003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0106005F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060029
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0106003A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01060018
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01050000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] WinInet.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E50000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] WinInet.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E50011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] WinInet.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E50FD1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1024] WinInet.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E50FC0
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0F7C
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA007B
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0FA1
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0FB2
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA004A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F46
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0F61
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00C4
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA0F21
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0F10
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0FC3
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA008C
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA002F
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0FD4
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00A9
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FA8
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90F61
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FC3
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FDE
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F72
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A90014
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FB7
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80038
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A80027
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A80FC8
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80FE3
.text C:\WINDOWS\system32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0091
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0076
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F9C
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00C7
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F75
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00F3
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F5A
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0104
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0065
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC00A2
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00D8
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0054
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0014
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0058
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0018
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A0F66
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0F83
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A008C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A0F44
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A00B8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A0F1F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A0F04
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A0FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A0F55
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A009D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 3 Bytes JMP 0069002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyExW + 4 77DD6AB3 1 Byte [88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 3 Bytes JMP 00690084
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegCreateKeyExW + 4 77DD7770 1 Byte [88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 3 Bytes JMP 0069001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyExA + 4 77DD7856 1 Byte [88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 3 Bytes JMP 00690000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyW + 4 77DD794A 1 Byte [88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 3 Bytes JMP 00690073
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegCreateKeyExA + 4 77DDE9F8 1 Byte [88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 3 Bytes JMP 00690FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegOpenKeyA + 4 77DDEFCC 1 Byte [88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00690058
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00690047
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00680044
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00680FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00680FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00680000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00680033
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00680FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00670FEF
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA009B
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA008A
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA006F
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F7A
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F8B
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0102
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00E7
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA011D
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0054
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA00AC
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0025
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\System32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F69
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FAF
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093004A
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FCA
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F83
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F9E
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930025
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092005A
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920049
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092001D
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092002E
.text C:\WINDOWS\System32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092000C
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[1492] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900025
.text C:\WINDOWS\System32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05550000
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05550F68
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05550F83
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05550F94
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05550FA5
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05550047
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0555007F
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05550F37
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05550F1C
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 055500AB
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05550F01
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05550FB6
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05550025
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0555006E
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05550FDB
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05550036
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0555009A
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05540051
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05540FAF
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05540036
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05540025
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05540FC0
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05540000
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 05540FE5
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [74, 8D] {JZ 0xffffffffffffff8f}
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05540062
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 018B0031
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!system 77C293C7 5 Bytes JMP 018B0F9C
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 018B0FD2
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 018B0000
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 018B0FB7
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 018B0FE3
.text C:\WINDOWS\System32\svchost.exe[1780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 018A0000
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01890FE5
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01890FD4
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01890FC3
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01890FA8
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F6D
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0062
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F88
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0047
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0036
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F3F
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0087
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00C4
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00B3
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C00DF
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0FA5
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F5C
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C001B
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\System32\svchost.exe[1824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00A2
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0040
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0062
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B001B
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0FAF
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0FCA
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\System32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0051
.text C:\WINDOWS\System32\svchost.exe[1824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F92
.text C:\WINDOWS\System32\svchost.exe[1824] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FA3
.text C:\WINDOWS\System32\svchost.exe[1824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A000C
.text C:\WINDOWS\System32\svchost.exe[1824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\System32\svchost.exe[1824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A001D
.text C:\WINDOWS\System32\svchost.exe[1824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FDE
.text C:\WINDOWS\System32\svchost.exe[1824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30062
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30047
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30036
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F83
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30FAF
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E300AE
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30087
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E30F29
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30F3A
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E30F0E
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E30F9E
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E30F5C
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E30011
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E30F4B
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20F83
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E20F94
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [02, 89]
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10FBC
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E10047
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E10FCD
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E1002C
.text C:\WINDOWS\system32\svchost.exe[1908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10FDE
.text C:\WINDOWS\system32\svchost.exe[1908] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E0000A
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\system32\svchost.exe[1908] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F5000A
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F76
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A006B
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F91
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A004E
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002C
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F54
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F65
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D9
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00C8
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F25
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0086
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\dllhost.exe[3092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00B7
.text C:\WINDOWS\System32\dllhost.exe[3092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290062
.text C:\WINDOWS\System32\dllhost.exe[3092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290047
.text C:\WINDOWS\System32\dllhost.exe[3092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029002C
.text C:\WINDOWS\System32\dllhost.exe[3092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\dllhost.exe[3092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FD7
.text C:\WINDOWS\System32\dllhost.exe[3092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0FA5
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0022
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0011
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FB6
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0058
.text C:\WINDOWS\System32\dllhost.exe[3092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A003D
.text C:\WINDOWS\System32\dllhost.exe[3092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F73
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F84
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0FA1
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A004A
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00A3
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F51
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F25
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00BE
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00D9
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0014
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F62
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\Explorer.EXE[3364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F40
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290F94
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F5E
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FAF
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F79
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[3364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[3364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0042
.text C:\WINDOWS\Explorer.EXE[3364] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0031
.text C:\WINDOWS\Explorer.EXE[3364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\Explorer.EXE[3364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A000C
.text C:\WINDOWS\Explorer.EXE[3364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\Explorer.EXE[3364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\Explorer.EXE[3364] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[3364] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[3364] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[3364] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0025
.text C:\WINDOWS\Explorer.EXE[3364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D1000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbhub \Device\USBPDO-5 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007a hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007b hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----


#6 myrti

  • Malware Study Hall Admin

Posted 18 January 2010 - 06:51 AM

Hi,

please run an updated scan with combofix.

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right-click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Are you still getting DEP messages? Do you have your Windows CD close by, and could we use it?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#7 kaap

  • Topic Starter

Posted 18 January 2010 - 07:10 PM

I have not seen the DEP pop-up since the first time I ran ComboFix (see log above). I do have my WinXP Home (SP0) CD available.

It would seem I can no longer run ComboFix. After downloading to the desktop and double-clicking on ComboFix, I receive an error "Some installation files are corrupt. Please download a fresh copy and retry the installation." All malware and AV programs are deactivated prior to trying to run ComboFix. I tried downloading the program from each of the two links you provided. Both return the same error.


#8 myrti

  • Malware Study Hall Admin

Posted 19 January 2010 - 11:51 AM

Hi,

please try to redownload ComboFix and run it. There was a problem with the download yesterday, but it's fixed now.

regards myrti



#9 kaap

  • Topic Starter

Posted 19 January 2010 - 08:22 PM

Thank you for fixing the ComboFix download. Below is the most recent scan log.


ComboFix 10-01-19.02 - Rene 01/19/2010 19:07:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2430 [GMT -6:00]
Running from: c:\documents and settings\Rene\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-14 01:18 . 2010-01-14 01:28 -------- d-----w- c:\documents and settings\Rene\.hd
2010-01-13 02:49 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 19:15 . 2010-01-10 19:15 15086 ----a-r- c:\documents and settings\Rene\Application Data\Microsoft\Installer\{5B295E70-5256-46DD-ADA8-81E9EF7F4939}\ARPPRODUCTICON.exe
2010-01-10 19:15 . 2010-01-10 19:15 15086 ----a-r- c:\documents and settings\Rene\Application Data\Microsoft\Installer\{1102D7B1-098C-4F48-92F4-DC403E45A527}\ARPPRODUCTICON.exe
2010-01-08 05:31 . 2010-01-08 05:31 384912 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-03 19:21 . 2010-01-03 19:21 -------- d-----w- c:\documents and settings\Rene\Application Data\AnvSoft
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\Common Files\Common Share
2010-01-03 18:12 . 2008-12-18 19:38 719872 ----a-w- c:\windows\system32\devil.dll
2010-01-03 18:12 . 2008-12-18 19:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-01-03 18:12 . 2008-12-18 19:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-01-02 04:47 . 2010-01-02 04:47 -------- d-----w- c:\documents and settings\Rene\Local Settings\Application Data\Blockbuster
2010-01-02 04:41 . 2008-04-16 18:55 1821192 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-01-02 04:38 . 2008-12-04 07:25 120832 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2010-01-01 01:26 . 2010-01-01 01:26 22816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-01 01:10 . 2010-01-01 01:10 -------- d-----w- c:\documents and settings\Rene\Application Data\Sling Media
2010-01-01 01:09 . 2009-12-17 23:00 1786368 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
2010-01-01 01:09 . 2009-12-17 22:57 148992 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\DXVAProbe.dll
2010-01-01 01:09 . 2009-12-17 22:57 581632 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SPRemote.dll
2010-01-01 01:09 . 2009-12-17 22:56 292352 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\RCDownloader.dll
2010-01-01 01:09 . 2009-12-17 22:57 2001920 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SBIL2.dll
2010-01-01 01:09 . 2009-12-17 22:56 175616 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\CabinetUtils.dll
2010-01-01 01:09 . 2009-09-01 21:00 252416 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\sling_socket_layer.dll
2010-01-01 01:09 . 2009-05-29 19:54 882176 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\curllib.dll
2010-01-01 01:09 . 2009-04-30 21:19 79112 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\zlib1.dll
2010-01-01 01:09 . 2009-04-30 21:06 95624 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SMST.dll
2010-01-01 00:47 . 2010-01-01 00:47 -------- d-----w- c:\program files\Sling Media
2010-01-01 00:47 . 2010-01-01 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 01:10 . 2009-10-18 18:53 -------- d-----w- c:\documents and settings\Rene\Application Data\Dropbox
2010-01-19 01:07 . 2009-12-01 03:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-01-19 01:07 . 2009-12-01 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-18 02:39 . 2009-12-10 02:33 -------- d-----w- c:\documents and settings\Rene\Application Data\gtk-2.0
2010-01-15 03:26 . 2009-01-11 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-12 03:45 . 2009-12-01 02:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-01-10 04:17 . 2009-11-11 13:46 79488 ----a-w- c:\documents and settings\Rene\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-09 22:54 . 2008-09-27 22:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-09 02:21 . 2009-04-26 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-08 05:29 . 2008-11-25 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 05:29 . 2008-12-05 02:08 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 05:26 . 2009-01-11 17:25 -------- d-----w- c:\documents and settings\Rene\Application Data\uTorrent
2010-01-07 22:07 . 2008-11-25 02:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-11-25 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 17:12 . 2008-09-28 13:35 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-12-05 15:17 . 2009-12-01 16:29 -------- d-----w- c:\documents and settings\Rene\Application Data\VMware
2009-12-01 02:36 . 2009-12-01 02:36 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2009-12-01 02:35 . 2009-12-01 02:35 -------- d-----w- c:\program files\Common Files\VMware
2009-12-01 02:33 . 2009-12-01 02:36 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2009-12-01 02:33 . 2009-12-01 02:36 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2009-12-01 02:33 . 2009-12-01 02:36 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2009-12-01 02:33 . 2009-12-01 02:36 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2009-12-01 02:33 . 2009-12-01 02:36 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2009-12-01 02:33 . 2009-12-01 02:36 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2009-12-01 02:33 . 2009-12-01 02:36 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2009-11-28 18:16 . 2009-11-24 02:39 -------- d-----w- c:\documents and settings\Rene\Application Data\FireShot
2009-11-22 04:31 . 2009-11-22 04:31 -------- d-----w- c:\documents and settings\Rene\Application Data\dBpoweramp
2009-11-22 01:35 . 2009-11-22 01:35 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-11-22 01:35 . 2009-11-22 01:32 1073528 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-11-22 01:33 . 2009-11-22 01:33 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-11-22 01:32 . 2009-11-22 01:32 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-11-22 01:32 . 2009-11-22 01:32 -------- d-----w- c:\documents and settings\Rene\Application Data\AccurateRip
2009-11-21 15:51 . 2002-08-29 20:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-31 22:32 . 2009-10-31 22:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2002-08-29 20:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-22 10:45 . 2009-10-22 10:45 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-22 10:45 . 2009-10-22 10:45 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-22 10:45 . 2009-10-22 10:45 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-22 10:45 . 2009-12-01 02:35 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-10-22 10:45 . 2009-10-22 10:45 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-22 10:44 . 2009-12-01 02:35 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-10-22 10:44 . 2009-12-01 02:35 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-10-22 10:44 . 2009-12-01 02:35 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-10-22 10:44 . 2009-12-01 02:35 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-10-22 10:44 . 2009-10-22 10:44 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-22 09:47 . 2009-10-22 09:47 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-22 09:22 . 2009-10-22 09:22 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-22 06:13 . 2009-12-01 02:36 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-10-22 06:13 . 2009-12-01 02:36 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-10-22 06:13 . 2009-12-01 02:35 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-01-09_19.45.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-19 01:07 . 2010-01-19 01:07 16384 c:\windows\Temp\Perflib_Perfdata_dcc.dat
+ 2010-01-19 01:07 . 2010-01-19 01:07 16384 c:\windows\Temp\Perflib_Perfdata_7e4.dat
- 2002-08-29 20:00 . 2010-01-09 19:32 90058 c:\windows\system32\perfc009.dat
+ 2002-08-29 20:00 . 2010-01-19 01:11 90058 c:\windows\system32\perfc009.dat
- 2002-08-29 20:00 . 2009-06-16 14:36 81920 c:\windows\system32\fontsub.dll
+ 2002-08-29 20:00 . 2009-10-15 16:28 81920 c:\windows\system32\fontsub.dll
+ 2009-06-16 14:36 . 2009-10-15 16:28 81920 c:\windows\system32\dllcache\fontsub.dll
- 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2002-08-29 20:00 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
- 2002-08-29 20:00 . 2009-06-16 14:36 119808 c:\windows\system32\t2embed.dll
+ 2002-08-29 20:00 . 2010-01-19 01:11 490406 c:\windows\system32\perfh009.dat
- 2002-08-29 20:00 . 2010-01-09 19:32 490406 c:\windows\system32\perfh009.dat
+ 2009-06-16 14:36 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
- 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2010-01-10 19:15 . 2010-01-10 19:15 308736 c:\windows\Installer\3c47ef2.msi
+ 2010-01-10 19:15 . 2010-01-10 19:15 309248 c:\windows\Installer\3c47eea.msi
+ 2008-09-28 04:35 . 2010-01-05 00:17 29634504 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-02 133104]
"SpybotSD TeaTimer"="e:\programfilese\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"Acrobat Assistant 8.0"="e:\programfilese\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="e:\programfilese\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"VMware hqtray"="e:\programfilese\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]

c:\documents and settings\Rene\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Rene\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - e:\programfilese\Logitech\SetPoint\SetPoint.exe [2008-12-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 22:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\ProgramFilesE\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\ProgramFilesE\\iTunes\\iTunes.exe"=
"e:\\ProgramFilesE\\VMware\\VMware Player\\vmware-authd.exe"=
"e:\\ProgramFilesE\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;e:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [7/1/2009 9:21 PM 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;e:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [7/1/2009 9:21 PM 1410856]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/23/2008 9:58 PM 10384]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 1:16 PM 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [9/29/2008 7:24 PM 899700]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 pnuigdt;pnuigdt;c:\windows\system32\drivers\ttom.sys --> c:\windows\system32\drivers\ttom.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 01:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004Core.job
- c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-02 01:10]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004UA.job
- c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-02 01:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save with Download Manager... - file://e:\programfilese\Road Runner Music\DMDownload.htm
LSP: e:\programfilese\VMware\VMware Player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
FF - plugin: c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: e:\programfilese\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: e:\programfilese\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
e:\programfilese\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-19 19:11:17
ComboFix-quarantined-files.txt 2010-01-20 01:11
ComboFix2.txt 2010-01-09 19:46

Pre-Run: 8,249,860,096 bytes free
Post-Run: 8,216,584,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - E867DF0575FE8AA652C781B1754B9861


#10 myrti (Malware Study Hall Admin)

Posted 20 January 2010 - 02:15 PM

Hi,

please run the following fix to remove leftovers:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

    Driver::
    pnuigdt

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
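The reason this fix targets pnuigdt and nothing else is visible in the service listing of the log above: ComboFix prints `--> path [?]` in place of a date and size when it cannot find the image file, so `S0 pnuigdt;pnuigdt;...\ttom.sys --> ...\ttom.sys [?]` is a boot-start driver whose registry entry survived after McAfee deleted the file, and the `Driver::` stanza in CFScript.txt tells ComboFix to remove that service key. The following is an added example, not code from the thread or from ComboFix: a small Python parser for ComboFix's service lines that flags orphaned services and writes the corresponding `Driver::` stanza. The sample lines are constructed in the shape of the log above, and the "looks like a dropper leftover" heuristic is my own, not ComboFix's or the helper's.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of ComboFix's service listing from the log
# above (R = running, S = stopped; the digit is the Windows start type, and
# "--> path [?]" appears where ComboFix could not find or stat the image file).
SAMPLE_SERVICE_LINES = r"""
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/23/2008 9:58 PM 10384]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [9/29/2008 7:24 PM 899700]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 pnuigdt;pnuigdt;c:\windows\system32\drivers\ttom.sys --> c:\windows\system32\drivers\ttom.sys [?]
"""

SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"        # R2 / S0 ...
    r"(?P<name>[^;]+);(?P<display>[^;]*);"     # service name;display name;
    r"(?P<path>.+?)"                           # image path (may contain spaces)
    r"(?:\s+-->\s+(?P<resolved>.+?))?"         # optional "--> resolved path"
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"             # [date time size] or [?]
)


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start_type: int     # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    name: str
    display_name: str
    image_path: str
    file_missing: bool  # True when ComboFix printed "[?]" instead of date/size


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse the R*/S* service lines of a ComboFix 'Reg Loading Points' section."""
    entries = []
    for raw in text.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if not m:
            continue  # not a service line (blank, registry key, Run entry, ...)
        entries.append(ServiceEntry(
            state=m.group("state"),
            start_type=int(m.group("start")),
            name=m.group("name").strip(),
            display_name=m.group("display").strip(),
            image_path=m.group("path").strip(),
            file_missing=m.group("meta").strip() == "?",
        ))
    return entries


def image_stem(path: str) -> str:
    """'c:\\windows\\system32\\drivers\\ttom.sys' -> 'ttom'"""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def is_orphaned_service(e: ServiceEntry) -> bool:
    """Registry entry still present under CurrentControlSet\\Services, binary gone.
    Nothing can load any more, but the key survives a plain file deletion by an AV."""
    return e.file_missing


def looks_like_dropper_leftover(e: ServiceEntry) -> bool:
    """Heuristic of my own (not ComboFix's, not the helper's): a boot-start driver
    whose file is missing, whose display name is just the service name, and
    whose file name has nothing to do with that name. Legitimate uninstall
    leftovers such as Lbd -> Lbd.sys keep the two aligned; droppers tend to
    generate an unrelated random name for each."""
    return (
        e.file_missing
        and e.start_type == 0
        and e.display_name == e.name
        and image_stem(e.image_path) != e.name.lower()
    )


def cfscript_driver_stanza(entries: List[ServiceEntry]) -> str:
    """Build the 'Driver::' block of a CFScript.txt for the flagged services."""
    names = [e.name for e in entries if looks_like_dropper_leftover(e)]
    return ("Driver::\n" + "\n".join(names) + "\n") if names else ""


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICE_LINES)
    for e in services:
        tag = ("DROPPER?" if looks_like_dropper_leftover(e)
               else "orphan" if is_orphaned_service(e) else "ok")
        print(f"{e.state}{e.start_type} {e.name:<10} {e.image_path:<50} {tag}")
    print(cfscript_driver_stanza(services), end="")
```

On the sample above both S0 entries are orphans, but only pnuigdt is emitted into the stanza: Lbd.sys is a known Ad-Aware driver whose service name matches its file, which is why a helper leaves it alone and removes only the randomly named one. Treat the heuristic as a triage aid, not a verdict; the decision to delete a service still belongs to whoever reads the whole log.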


#11 kaap (Topic Starter)

Posted 20 January 2010 - 09:17 PM

Thank you for your attention in this matter. Please find the ComboFix log below per your previous post instructions.

ComboFix 10-01-19.02 - Rene 01/20/2010 19:21:49.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2436 [GMT -6:00]
Running from: c:\documents and settings\Rene\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rene\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pnuigdt


((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-14 01:18 . 2010-01-14 01:28 -------- d-----w- c:\documents and settings\Rene\.hd
2010-01-13 02:49 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 19:15 . 2010-01-10 19:15 15086 ----a-r- c:\documents and settings\Rene\Application Data\Microsoft\Installer\{5B295E70-5256-46DD-ADA8-81E9EF7F4939}\ARPPRODUCTICON.exe
2010-01-10 19:15 . 2010-01-10 19:15 15086 ----a-r- c:\documents and settings\Rene\Application Data\Microsoft\Installer\{1102D7B1-098C-4F48-92F4-DC403E45A527}\ARPPRODUCTICON.exe
2010-01-08 05:31 . 2010-01-08 05:31 384912 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-03 19:21 . 2010-01-03 19:21 -------- d-----w- c:\documents and settings\Rene\Application Data\AnvSoft
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\Common Files\Common Share
2010-01-03 18:12 . 2008-12-18 19:38 719872 ----a-w- c:\windows\system32\devil.dll
2010-01-03 18:12 . 2008-12-18 19:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-01-03 18:12 . 2008-12-18 19:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-01-02 04:47 . 2010-01-02 04:47 -------- d-----w- c:\documents and settings\Rene\Local Settings\Application Data\Blockbuster
2010-01-02 04:41 . 2008-04-16 18:55 1821192 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-01-02 04:38 . 2008-12-04 07:25 120832 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2010-01-01 01:26 . 2010-01-01 01:26 22816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-01 01:10 . 2010-01-01 01:10 -------- d-----w- c:\documents and settings\Rene\Application Data\Sling Media
2010-01-01 01:09 . 2009-12-17 23:00 1786368 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
2010-01-01 01:09 . 2009-12-17 22:57 148992 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\DXVAProbe.dll
2010-01-01 01:09 . 2009-12-17 22:57 581632 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SPRemote.dll
2010-01-01 01:09 . 2009-12-17 22:56 292352 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\RCDownloader.dll
2010-01-01 01:09 . 2009-12-17 22:57 2001920 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SBIL2.dll
2010-01-01 01:09 . 2009-12-17 22:56 175616 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\CabinetUtils.dll
2010-01-01 01:09 . 2009-09-01 21:00 252416 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\sling_socket_layer.dll
2010-01-01 01:09 . 2009-05-29 19:54 882176 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\curllib.dll
2010-01-01 01:09 . 2009-04-30 21:19 79112 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\zlib1.dll
2010-01-01 01:09 . 2009-04-30 21:06 95624 ----a-w- c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\SMST.dll
2010-01-01 00:47 . 2010-01-01 00:47 -------- d-----w- c:\program files\Sling Media
2010-01-01 00:47 . 2010-01-01 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 02:12 . 2009-10-18 18:53 -------- d-----w- c:\documents and settings\Rene\Application Data\Dropbox
2010-01-21 01:26 . 2009-12-01 03:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-01-21 01:26 . 2009-12-01 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-20 04:41 . 2009-04-26 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-18 02:39 . 2009-12-10 02:33 -------- d-----w- c:\documents and settings\Rene\Application Data\gtk-2.0
2010-01-15 03:26 . 2009-01-11 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-12 03:45 . 2009-12-01 02:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-01-10 04:17 . 2009-11-11 13:46 79488 ----a-w- c:\documents and settings\Rene\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-09 22:54 . 2008-09-27 22:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-08 05:29 . 2008-11-25 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 05:29 . 2008-12-05 02:08 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 05:26 . 2009-01-11 17:25 -------- d-----w- c:\documents and settings\Rene\Application Data\uTorrent
2010-01-07 22:07 . 2008-11-25 02:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-11-25 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 17:12 . 2008-09-28 13:35 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-12-05 15:17 . 2009-12-01 16:29 -------- d-----w- c:\documents and settings\Rene\Application Data\VMware
2009-12-01 02:36 . 2009-12-01 02:36 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2009-12-01 02:35 . 2009-12-01 02:35 -------- d-----w- c:\program files\Common Files\VMware
2009-12-01 02:33 . 2009-12-01 02:36 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2009-12-01 02:33 . 2009-12-01 02:36 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2009-12-01 02:33 . 2009-12-01 02:36 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2009-12-01 02:33 . 2009-12-01 02:36 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2009-12-01 02:33 . 2009-12-01 02:36 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2009-12-01 02:33 . 2009-12-01 02:36 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2009-12-01 02:33 . 2009-12-01 02:36 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2009-11-28 18:16 . 2009-11-24 02:39 -------- d-----w- c:\documents and settings\Rene\Application Data\FireShot
2009-11-22 04:31 . 2009-11-22 04:31 -------- d-----w- c:\documents and settings\Rene\Application Data\dBpoweramp
2009-11-22 01:35 . 2009-11-22 01:35 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-11-22 01:35 . 2009-11-22 01:32 1073528 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-11-22 01:33 . 2009-11-22 01:33 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-11-22 01:32 . 2009-11-22 01:32 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-11-21 15:51 . 2002-08-29 20:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-31 22:32 . 2009-10-31 22:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2002-08-29 20:00 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-09_19.45.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-21 01:26 . 2010-01-21 01:26 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
+ 2010-01-20 01:15 . 2010-01-20 01:15 16384 c:\windows\Temp\Perflib_Perfdata_79c.dat
+ 2010-01-21 01:26 . 2010-01-21 01:26 16384 c:\windows\Temp\Perflib_Perfdata_18c.dat
+ 2002-08-29 20:00 . 2010-01-21 01:30 90058 c:\windows\system32\perfc009.dat
- 2002-08-29 20:00 . 2010-01-09 19:32 90058 c:\windows\system32\perfc009.dat
+ 2002-08-29 20:00 . 2009-10-15 16:28 81920 c:\windows\system32\fontsub.dll
- 2002-08-29 20:00 . 2009-06-16 14:36 81920 c:\windows\system32\fontsub.dll
- 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-06-16 14:36 . 2009-10-15 16:28 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2002-08-29 20:00 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
- 2002-08-29 20:00 . 2009-06-16 14:36 119808 c:\windows\system32\t2embed.dll
+ 2002-08-29 20:00 . 2010-01-21 01:30 490406 c:\windows\system32\perfh009.dat
- 2002-08-29 20:00 . 2010-01-09 19:32 490406 c:\windows\system32\perfh009.dat
- 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-06-16 14:36 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2010-01-10 19:15 . 2010-01-10 19:15 308736 c:\windows\Installer\3c47ef2.msi
+ 2010-01-10 19:15 . 2010-01-10 19:15 309248 c:\windows\Installer\3c47eea.msi
+ 2008-09-28 04:35 . 2010-01-05 00:17 29634504 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-02 133104]
"SpybotSD TeaTimer"="e:\programfilese\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"Acrobat Assistant 8.0"="e:\programfilese\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="e:\programfilese\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"VMware hqtray"="e:\programfilese\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]

c:\documents and settings\Rene\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Rene\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - e:\programfilese\Logitech\SetPoint\SetPoint.exe [2008-12-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 22:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\ProgramFilesE\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\ProgramFilesE\\iTunes\\iTunes.exe"=
"e:\\ProgramFilesE\\VMware\\VMware Player\\vmware-authd.exe"=
"e:\\ProgramFilesE\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;e:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [7/1/2009 9:21 PM 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;e:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [7/1/2009 9:21 PM 1410856]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/23/2008 9:58 PM 10384]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 1:16 PM 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [9/29/2008 7:24 PM 899700]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 01:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004Core.job
- c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-02 01:10]

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1284227242-839522115-1004UA.job
- c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-02 01:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\programfilese\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save with Download Manager... - file://e:\programfilese\Road Runner Music\DMDownload.htm
LSP: e:\programfilese\VMware\VMware Player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\documents and settings\Rene\Application Data\Mozilla\Firefox\Profiles\rnqjddjk.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
FF - plugin: c:\documents and settings\Rene\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: e:\programfilese\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: e:\programfilese\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 20:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WININET.dll
e:\programfilese\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\documents and settings\Rene\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\vmnat.exe
e:\programfilese\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-01-20 20:14:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-21 02:14
ComboFix2.txt 2010-01-20 01:11
ComboFix3.txt 2010-01-09 19:46

Pre-Run: 8,182,435,840 bytes free
Post-Run: 8,037,507,072 bytes free

- - End Of File - - E96E2264516E5C1CB25EA959B7AB7075


#12 myrti (Malware Study Hall Admin)

Posted 20 January 2010 - 09:22 PM

Hi,

this is looking good. How is the PC doing? Still fine?

Please run a scan with ESET to check for any leftovers:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#13 kaap (Topic Starter)

Posted 21 January 2010 - 09:04 AM

Hi myrti,

The ESET scan completed with no threats found (pic of results window attached).

No recent DEP windows.

If there are any additional steps to verify a clean PC, I am willing to do them.

Thanks,

kaap


#14 myrti
Posted 22 January 2010 - 10:57 AM

Hi,

I believe that your logs are clean. I would like you to do a couple more things though. First I would like you to bring your software up to date:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Let me know if you run into any problems with that.

regards myrti


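The "remove all older versions of Java" step above is done by hand in Add/Remove Programs. As an added example (not from the thread or from BleepingComputer), this PowerShell snippet reads the same Uninstall registry keys that Add/Remove Programs lists and flags any JRE entry older than 6 Update 18, so you can confirm nothing was left behind before rebooting. The DisplayVersion string 6.0.180 for JRE 6u18 and the name filter are assumptions.

```powershell
# Added example, not part of the thread: list installed Java entries from the
# Add/Remove Programs registry keys and flag anything older than JRE 6 Update 18.
# Assumption: JRE 6u18 registers DisplayVersion "6.0.180" (6.0.<update>0).
$TargetVersion = [version]'6.0.180'

# 32-bit and 64-bit (Wow6432Node) uninstall hives; the second is absent on 32-bit XP,
# which is why errors are suppressed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the same name filter the post uses, "Java Runtime Environment (JRE or J2SE)".
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' }

foreach ($entry in $javaEntries) {
    # DisplayVersion may be missing or non-numeric; treat anything unparsable as outdated.
    try   { $ver = [version]$entry.DisplayVersion }
    catch { $ver = [version]'0.0' }

    if ($ver -lt $TargetVersion) { $status = 'OUTDATED - remove' } else { $status = 'current' }

    New-Object PSObject -Property @{
        DisplayName     = $entry.DisplayName
        DisplayVersion  = $entry.DisplayVersion
        Status          = $status
        UninstallString = $entry.UninstallString   # the command Add/Remove Programs would run
    } | Select-Object DisplayName, DisplayVersion, Status, UninstallString
}
```

Run it again after the reboot: an empty list, or only entries marked current, means the manual removal is complete.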

#15 kaap

kaap
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:27 PM

Posted 22 January 2010 - 10:25 PM

hello myrti,

No problems uninstalling the old Java and installing the new Java. No problems uninstalling the old Acrobat Reader and installing the new Acrobat Reader. No DEP windows either!

Thanks,

kaap
