Browser (Explorer) hijacking and popups


  • This topic is locked
12 replies to this topic

#1 tbell

tbell

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 23 January 2010 - 05:01 PM

I'm new to online forums. Please forgive probable errors in net-etiquette...

A few days ago, we were infected by a virus I am regrettably unable to identify. Our McAfee detected and removed it. We seem to only have one lingering ill effect: our browser gets hijacked. Usually not during a Google search, but when following links we are often (20-30% of the time) redirected to unrelated commercial sites or clearinghouses (yellowbook.com, etc.). We are never redirected if we type the URL in directly. We have also seen an increase in the frequency of pop-ups.

I have done "full" searches using McAfee, Ad-Aware, and Windows Defender. All report no problems.

I downloaded and executed "HijackThis", and did discover some very peculiar (suspicious?) items, which I deleted. The good news is that I apparently have done no damage, but I also didn't fix our hijacking problem. Our symptoms appear unchanged. I'm uncomfortable using HijackThis to remove anything else, since I frankly have no idea what I'm doing.

Below are the DDS and RootRepeal output. Thanks very, very much in advance for any help and suggestions!


DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Root at 14:28:47.73 on Sat 01/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.487 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Root\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-30 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-5 214664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-14 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-5 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-5 40552]
S2 gupdate1c9bd7146d2394a;Google Update Service (gupdate1c9bd7146d2394a);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-5 34248]

=============== Created Last 30 ================

2010-01-23 18:23:28 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-01-23 16:34:30 0 d-----w- c:\program files\Trend Micro
2010-01-23 03:33:53 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-23 02:11:58 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-22 20:48:15 0 d-----w- c:\documents and settings\all users\AVP 2009
2010-01-14 01:44:21 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-30 00:59:40 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLbz.DAT
2009-12-30 00:58:34 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-12-30 00:58:34 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-09-15 03:11:18 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 14:29:49.32 ===============


RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/23 14:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED333000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA60D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Root\Cookies\desktop.ini
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\root\local settings\temp\~df9142.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\root\local settings\temp\~dfa5a5.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\root\local settings\history\history.ie5\index.dat
Status: Allocation size mismatch (API: 16384, Raw: 8192)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76f187e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76f1bfe

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 2040) Address: 0x10000000 Size: 176128

Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 3948) Address: 0x10000000 Size: 176128

==EOF==

In case anyone can make better sense of it than I can, I'll include the HijackThis log as well:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:57 PM, on 1/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c9bd7146d2394a) (gupdate1c9bd7146d2394a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9014 bytes
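A small triage helper for RootRepeal output like the report above, added here as an illustration; it is not part of the original thread and not a BleepingComputer or RootRepeal tool. It splits the report into its dashed-header sections, extracts the Stealth Objects and SSDT entries, and flags hidden modules inside a browser process and SSDT hooks by any driver outside a short allowlist. The sample report is a constructed excerpt of the log posted above, and the assumption that Lbd.sys belongs to the Ad-Aware install listed in the DDS log is mine.

```python
"""Parse a RootRepeal report and rank the findings a helper would look at first."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the RootRepeal report posted in the thread (sample input).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/23 14:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xBA60D000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76f187e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76f1bfe

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 2040) Address: 0x10000000 Size: 176128

Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 3948) Address: 0x10000000 Size: 176128

==EOF==
"""

# Assumption: Lbd.sys is the kernel driver of the Lavasoft Ad-Aware install shown in the DDS log.
KNOWN_HOOKERS = {"lbd.sys": "Lavasoft Ad-Aware driver (assumed from the DDS services list)"}
# A module hidden from the loader inside a browser process is the classic hijacker/clicker pattern.
BROWSER_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

MODULE_RE = re.compile(r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROC_RE = re.compile(r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
SSDT_RE = re.compile(r"#: (?P<idx>\d+) Function Name: (?P<fn>\w+)")
HOOK_RE = re.compile(r'Status: Hooked by "(?P<who>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')


@dataclass(frozen=True)
class HiddenModule:
    name: str
    process: str
    pid: int
    address: int
    size: int


@dataclass(frozen=True)
class SsdtHook:
    index: int
    function: str
    hooker: str
    address: int


def split_sections(report: str) -> dict[str, list[str]]:
    """Group report lines under each title that is followed by a dashed underline."""
    lines = report.splitlines()
    sections: dict[str, list[str]] = {}
    current = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("-----"):
            current = line.strip()          # a section title such as "SSDT"
            sections[current] = []
            continue
        if line.startswith("-----") or line.strip() == "==EOF==":
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def parse_hidden_modules(body: list[str]) -> list[HiddenModule]:
    """Each entry is an 'Object:' line followed by a 'Process:' line."""
    found, pending = [], None
    for line in body:
        m = MODULE_RE.match(line)
        if m:
            pending = m["name"]
            continue
        p = PROC_RE.match(line)
        if p and pending:
            found.append(HiddenModule(pending, p["proc"], int(p["pid"]), int(p["addr"], 16), int(p["size"])))
            pending = None
    return found


def parse_ssdt_hooks(body: list[str]) -> list[SsdtHook]:
    """Each entry is a '#:' line followed by a 'Status: Hooked by' line."""
    found, pending = [], None
    for line in body:
        m = SSDT_RE.match(line)
        if m:
            pending = (int(m["idx"]), m["fn"])
            continue
        h = HOOK_RE.match(line)
        if h and pending:
            found.append(SsdtHook(pending[0], pending[1], h["who"], int(h["addr"], 16)))
            pending = None
    return found


def triage(report: str) -> list[str]:
    """Return one severity-tagged line per finding, highest-value items first."""
    sections = split_sections(report)
    findings = []
    for mod in parse_hidden_modules(sections.get("Stealth Objects", [])):
        sev = "HIGH" if mod.process.lower() in BROWSER_PROCESSES else "MEDIUM"
        findings.append(f"{sev}: hidden module {mod.name} in {mod.process} (PID {mod.pid}) "
                        f"at {mod.address:#x}, {mod.size} bytes")
    for hook in parse_ssdt_hooks(sections.get("SSDT", [])):
        owner = KNOWN_HOOKERS.get(hook.hooker.lower())
        if owner:
            findings.append(f"INFO: SSDT #{hook.index} {hook.function} hooked by {hook.hooker} ({owner})")
        else:
            findings.append(f"HIGH: SSDT #{hook.index} {hook.function} hooked by unrecognised driver {hook.hooker}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```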


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:08 PM

Posted 29 January 2010 - 06:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!



#3 tbell

tbell
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 30 January 2010 - 05:52 PM

myrti,

Thanks for your response. No worries on the delay. Our problem seems pretty minor in comparison to those I've seen in some other threads I've had a look at, so we are feeling lucky and have been in no particular hurry.

I would stand by the original description of our problems in my first post, with the possible exception that I seem to have underestimated the frequency of the redirect (I would characterize it as more like 90% or more, now). I have performed no additional steps other than those I admitted to in the first post, and I'm happy to refrain from doing anything without your advice from now on.

I have had a look at some of the output from the suggested first scans. This showed up in ark.txt (and may be at least part of the problem):

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 2040) Address: 0x10000000 Size: 176128

Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 3948) Address: 0x10000000 Size: 176128



The output from the OTL scan you requested:

OTL.txt:

OTL logfile created on: 1/30/2010 12:35:27 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Root\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 458.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 51.28 Gb Free Space | 45.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D1HWJC31
Current User Name: Root
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/30 12:33:27 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Root\Desktop\OTL.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/12 08:50:31 | 000,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/10/12 08:50:30 | 001,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/11/20 13:20:54 | 000,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/11/20 13:20:44 | 000,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/11/07 14:28:16 | 000,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/11/04 10:30:50 | 000,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2008/10/16 20:12:28 | 000,569,344 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
PRC - [2008/08/13 18:32:40 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/25 20:49:02 | 000,184,320 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PRC - [2008/03/25 20:40:42 | 000,214,360 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2007/03/15 11:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2007/03/11 21:34:40 | 000,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/11/29 17:48:22 | 000,118,784 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005/09/30 19:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2003/04/24 14:58:00 | 000,069,632 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\SYSTEM32\nvsvc32.exe
PRC - [2002/12/17 10:28:00 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/08/29 03:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE
PRC - [2002/08/14 16:22:52 | 000,028,672 | R--- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe


========== Modules (SafeList) ==========

MOD - [2010/01/30 12:33:27 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Root\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/04 20:14:39 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/12 08:50:30 | 001,028,432 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/04/14 19:23:58 | 000,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9bd7146d2394a) Google Update Service (gupdate1c9bd7146d2394a)
SRV - [2008/11/20 13:20:44 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/11/07 14:28:16 | 000,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/10/16 20:12:28 | 000,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/07/18 13:13:20 | 000,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2008/07/18 13:13:20 | 000,044,032 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2008/03/25 21:27:36 | 000,135,168 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/09/30 19:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/04/24 14:58:00 | 000,069,632 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\nvsvc32.exe -- (NVSvc)
SRV - [2003/03/03 11:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys -- (MPFP)
DRV - [2009/04/30 08:49:33 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/11/07 14:23:30 | 000,032,000 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaapl.sys -- (USBAAPL)
DRV - [2008/04/17 13:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/13 03:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - [2007/03/07 21:20:50 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys -- (HPZius12)
DRV - [2007/03/07 21:20:49 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys -- (HPZipr12)
DRV - [2007/03/07 21:20:48 | 000,049,920 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys -- (HPZid412)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/02 10:45:32 | 000,114,560 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mr7910.sys -- (mr7910)
DRV - [2005/03/24 17:21:22 | 000,038,937 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Capt905c.sys -- (SQTECH905C)
DRV - [2004/08/03 22:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 22:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2003/08/26 12:15:42 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/08/26 12:15:42 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pwd_2K.sys -- (pwd_2k)
DRV - [2003/08/26 12:15:42 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/08/26 12:15:42 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/04/24 14:58:00 | 001,271,706 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2003/03/04 09:56:26 | 000,145,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\e100b325.sys -- (E100B) Intel®
DRV - [2003/02/28 07:17:18 | 000,545,024 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\smwdm.sys -- (smwdm)
DRV - [2002/12/17 10:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 10:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 10:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/11/08 11:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/10/29 14:38:10 | 000,170,499 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2002/10/29 14:37:36 | 001,175,536 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002/10/29 14:31:28 | 000,604,240 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2002/10/07 07:29:48 | 000,011,027 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - [2002/08/29 03:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink)
DRV - [2002/04/01 11:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aeaudio.sys -- (aeaudio)
DRV - [2001/08/17 13:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 10:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [2000/03/29 15:11:20 | 000,008,096 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MASPINT.SYS -- (MASPINT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 34 0F 2A 59 A1 CA 01 [binary data]
IE - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\S-1-5-21-3192615128-146669305-3409411857-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\S-1-5-21-3192615128-146669305-3409411857-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/01/23 19:32:50 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2002/08/29 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\SYSTEM32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3192615128-146669305-3409411857-1007..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-3192615128-146669305-3409411857-1007..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-3192615128-146669305-3409411857-1007..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3192615128-146669305-3409411857-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} http://offers.e-centives.com/cif/download/bin/actxcab.cab (CBSTIEPrint Class)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab (DwnldGroupMgr Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.121.85.2
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 06:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{e70dc784-3113-11dd-aaec-0007e970b0fb}\Shell\AutoRun\command - "" = Autorun.exe /run
O33 - MountPoints2\{e70dc784-3113-11dd-aaec-0007e970b0fb}\Shell\Shell00\Command - "" = Autorun.exe /run
O33 - MountPoints2\{e70dc784-3113-11dd-aaec-0007e970b0fb}\Shell\Shell01\Command - "" = Autorun.exe /action
O33 - MountPoints2\{e70dc784-3113-11dd-aaec-0007e970b0fb}\Shell\Shell02\Command - "" = Autorun.exe /uninstall
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O34 - HKLM BootExecute: (pgdfgsvc C 1) - C:\WINDOWS\System32\pgdfgsvc.exe (Sysinternals - www.sysinternals.com)
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2003/08/26 11:34:50 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\SYSTEM32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: MpfService - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 8.5.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 8.5.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{578B3FA6-6B04-4709-908B-DD1B08F565F2}C0022D - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\L3CODECX.ACM (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/30 12:32:57 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Root\Desktop\OTL.exe
[2010/01/23 14:30:44 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Root\Desktop\RootRepeal.exe
[2010/01/23 11:23:28 | 000,025,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2010/01/23 11:22:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Root\Desktop\PageDefrag
[2010/01/23 09:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/23 09:34:09 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Root\Desktop\HijackThisInstaller.exe
[2010/01/22 20:48:46 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/22 20:33:53 | 000,181,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/22 20:28:21 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/01/22 13:48:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\AVP 2009
[2010/01/17 09:33:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Root\Local Settings\Application Data\tyvsfd
[2010/01/13 18:44:21 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/04 20:14:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/12/04 05:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/11/09 10:58:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2009/07/28 20:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/04/15 18:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/04/14 19:24:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/12/20 16:22:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2008/03/08 09:36:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/02/18 13:36:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/03/05 13:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/06/10 20:06:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2006/06/10 20:06:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2005/05/26 06:21:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Gtek
[2004/11/21 11:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2003/08/26 11:37:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/30 12:33:27 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Root\Desktop\OTL.exe
[2010/01/30 12:30:06 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/30 12:29:42 | 000,014,439 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/30 12:28:59 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/01/30 12:26:57 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/30 12:26:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/30 12:26:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/30 12:26:47 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/29 21:20:54 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Root\NTUSER.DAT
[2010/01/29 21:20:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Root\NTUSER.INI
[2010/01/29 20:58:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/25 10:24:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/25 08:50:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/23 15:21:31 | 000,035,328 | ---- | M] () -- C:\Documents and Settings\Root\My Documents\penzeys.doc
[2010/01/23 14:31:27 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\settings.dat
[2010/01/23 14:31:01 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Root\Desktop\RootRepeal.exe
[2010/01/23 14:27:49 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\dds.scr
[2010/01/23 11:27:54 | 000,000,644 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/01/23 11:27:54 | 000,000,256 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2010/01/23 11:27:54 | 000,000,211 | RHS- | M] () -- C:\BOOT.INI
[2010/01/23 11:23:58 | 000,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2010/01/23 11:15:29 | 000,680,340 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\StarterSetup.zip
[2010/01/23 09:34:31 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\HijackThis.lnk
[2010/01/23 09:34:14 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Root\Desktop\HijackThisInstaller.exe
[2010/01/22 20:26:25 | 005,154,304 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\WindowsDefender.msi
[2010/01/21 19:39:22 | 000,042,496 | ---- | M] () -- C:\Documents and Settings\Root\My Documents\landsend.doc
[2010/01/17 19:47:57 | 000,058,880 | ---- | M] () -- C:\Documents and Settings\Root\My Documents\B&H.doc
[2010/01/15 01:29:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/01/14 11:12:06 | 000,181,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/14 03:05:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/01 01:00:36 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/23 14:31:27 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\settings.dat
[2010/01/23 14:27:29 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\dds.scr
[2010/01/23 11:15:18 | 000,680,340 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\StarterSetup.zip
[2010/01/23 09:34:31 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\HijackThis.lnk
[2010/01/22 20:31:35 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/22 20:26:24 | 005,154,304 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\WindowsDefender.msi
[2010/01/22 19:11:58 | 000,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/17 19:47:57 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Root\My Documents\B&H.doc
[2009/12/08 14:47:03 | 000,000,418 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/12/25 15:15:01 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/11/11 18:18:20 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\SingleFiles
[2007/11/11 18:18:20 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Root\Application Data\Screen Saver
[2007/11/11 18:18:20 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
[2007/05/15 09:44:32 | 000,000,073 | ---- | C] () -- C:\WINDOWS\webica.ini
[2006/12/31 09:37:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2006/10/21 09:16:25 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameF.txt
[2006/10/20 19:24:36 | 000,001,433 | ---- | C] () -- C:\WINDOWS\disney.ini
[2006/10/20 19:24:27 | 000,000,206 | ---- | C] () -- C:\WINDOWS\disneysy.ini
[2006/07/24 21:05:39 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
[2006/07/08 14:16:41 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Root\Local Settings\Application Data\fusioncache.dat
[2006/06/17 15:03:05 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
[2006/06/17 14:25:25 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLea.DAT
[2006/02/12 19:30:50 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/03/13 14:04:25 | 000,000,109 | ---- | C] () -- C:\WINDOWS\TOPO.INI
[2004/01/26 19:53:52 | 000,001,755 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/12/01 19:51:20 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2003/12/01 19:51:20 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2003/12/01 19:29:41 | 000,000,024 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/12/01 19:29:36 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2003/11/28 19:29:02 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
[2003/11/28 08:59:46 | 000,211,456 | ---- | C] () -- C:\Documents and Settings\Root\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/11/17 09:15:54 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\NN_Bar31.dll
[2003/08/31 18:07:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2003/08/26 12:17:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/08/26 12:08:31 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/08/26 11:54:29 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/08/26 11:41:42 | 000,000,549 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/09/30 03:10:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[1979/12/31 22:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2004/09/11 07:13:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2008/09/14 19:28:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:AGP440.sys
[2004/09/11 07:13:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/14 19:28:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/03 23:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 11:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 03:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2002/08/29 03:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/09/11 07:13:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2008/09/14 19:28:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys
[2004/09/11 07:13:09 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/14 19:28:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2003/01/31 13:43:30 | 000,087,040 | ---- | M] (Microsoft Corporation) MD5=3C33F5479520844A186C2D43ECFFD477 -- C:\I386\atapi.sys
[2002/08/28 23:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2002/08/28 23:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 00:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 03:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2002/08/29 03:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2004/08/04 00:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 03:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


Extras.txt:


OTL Extras logfile created on: 1/30/2010 12:35:27 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Root\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 458.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 51.28 Gb Free Space | 45.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D1HWJC31
Current User Name: Root
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealOne Player -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{2FD94FBC-07AE-475C-B522-BFE899B9048E}" = Garmin WebUpdater
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{730837D4-FF5E-48DB-BA49-33E732DFF0B3}" = PanoStandAlone
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}" = Microsoft Works Suite Add-in for Microsoft Word
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = MyDSC2
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AD4203ED-7683-435E-B436-C299773A9936}" = MapSource - US Topo v3.02
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B041ABD7-4A10-482a-A525-577A7AAD8EC7}" = C6200_Help
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B34E4B72-37C6-4f79-A5B3-008EEFC6EA8B}" = PS_AIO_02_Software_min
"{B46AC30C-22D2-4610-B041-1DA7BB29EB57}" = HP Photosmart All-In-One Software 9.0
"{B7E5D642-E74E-40a4-B5C7-6AB6EE916814}" = PS_AIO_02_ProductContext
"{BC10649A-983B-494e-AD1F-DE0BF717D701}" = PS_AIO_02_Software
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = RemoteCapture 2.7.0
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5D0C3D1-0497-4A1C-95DF-48DB0CEB8FCF}" = Disney/Pixar Finding Nemo: Learning with Nemo
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE428642-5112-49AC-B08F-D87DA8392FD2}" = Garmin MapSource
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}" = Works Suite OS Pack
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = File Viewer Utility 1.2
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{F73459A3-36B8-42e4-A982-AAF06A44D508}" = C6200_doccd
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FE54D686-ACC0-42db-A46B-987A5B6D8325}" = C6200
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
"3D Ultra Pinball : The Lost Continent" = 3D Ultra Pinball : The Lost Continent
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Autopano_SIFT_23" = Autopano-SIFT 2.3
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"Capture NX" = Capture NX
"CNXT_MODEM_PCI_VEN_14F1&DEV_2702" = Conexant SmartHSFi V92 56K DF PCI Modem
"CSCLIB" = Canon Camera Support Core Library
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"Hugin_release_is1" = Hugin 2009.2.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = Canon Utilities File Viewer Utility 1.2
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"mr7910_1ffef370f39864f3aaa62219d434ae06b02b70ab" = Windows Driver Package - (mr7910) Image 08/08/2006 1.4.0.0
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MWASPI" = MicroStaff WINASPI
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Adapters and Drivers
"QuickGamma_is1" = QuickGamma 2.0.0.3
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RegiStax_is1" = RegiStax Version 4
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Shockwave" = Shockwave
"Sierra Utilities" = Sierra Utilities
"TOPO!" = TOPO!
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2003Setup" = Microsoft Works 2003 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/20/2009 10:04:20 AM | Computer Name = D1HWJC31 | Source = Google Update | ID = 20
Description =

Error - 12/20/2009 11:04:16 AM | Computer Name = D1HWJC31 | Source = Google Update | ID = 20
Description =

Error - 12/20/2009 12:04:16 PM | Computer Name = D1HWJC31 | Source = Google Update | ID = 20
Description =

Error - 12/20/2009 1:04:18 PM | Computer Name = D1HWJC31 | Source = Google Update | ID = 20
Description =

Error - 12/20/2009 2:04:18 PM | Computer Name = D1HWJC31 | Source = Google Update | ID = 20
Description =

Error - 1/8/2010 5:59:44 PM | Computer Name = D1HWJC31 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 1/8/2010 5:59:44 PM | Computer Name = D1HWJC31 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 1/18/2010 9:23:16 PM | Computer Name = D1HWJC31 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/29/2010 10:58:11 PM | Computer Name = D1HWJC31 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 1/29/2010 10:58:11 PM | Computer Name = D1HWJC31 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 1/27/2010 9:11:27 AM | Computer Name = D1HWJC31 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/27/2010 9:11:54 AM | Computer Name = D1HWJC31 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/28/2010 8:57:28 AM | Computer Name = D1HWJC31 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/28/2010 8:58:08 AM | Computer Name = D1HWJC31 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/28/2010 8:58:21 AM | Computer Name = D1HWJC31 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/29/2010 10:59:47 PM | Computer Name = D1HWJC31 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/30/2010 3:27:58 PM | Computer Name = D1HWJC31 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/30/2010 3:28:38 PM | Computer Name = D1HWJC31 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/30/2010 3:28:52 PM | Computer Name = D1HWJC31 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/30/2010 3:29:19 PM | Computer Name = D1HWJC31 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 05 February 2010 - 08:01 AM

Hi,

You seem to be infected by a rootkit; please run a scan with GMER:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


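A triage pass over the kind of GMER log myrti asks for, as an added example (not part of this thread, and not GMER's own code): it separates kernel hooks owned by security products the owner knowingly installed from hooks GMER could not attribute, counts user-mode inline hooks per process, and flags a driver whose entry point sits in its .rsrc section. The vendor allowlist, the sample lines and the unattributed driver name are constructed for illustration, modelled on the line shapes GMER 1.0.15 prints.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 log format: representative line shapes
# plus one constructed, unattributed SSDT hook to exercise the "review" path.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-06 14:44:23

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76F187E]
SSDT \??\C:\WINDOWS\system32\drivers\example_unattributed.sys ZwEnumerateKey [0xF7A10000]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED25978A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP ED25978E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF7620780]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01310000
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [50, 89]
.text C:\WINDOWS\system32\services.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 012E0000
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00B8
"""

# "(description/vendor)" as GMER prints it for modules it can identify
VENDOR_RE = re.compile(r"\(([^()/]*)/([^()]*)\)")
RSRC_RE = re.compile(r'^\.rsrc\s+(\S+)\s+entry point in "\.rsrc" section')
USER_HOOK_RE = re.compile(
    r"^\.text\s+(\S+?)\[(\d+)\]\s+(\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+([0-9A-F]+)\s*$")

# Assumption: products the owner knowingly runs on this machine. Hooks owned
# by them are expected; anything else needs a human look.
KNOWN_SECURITY_VENDORS = frozenset({"McAfee, Inc.", "Lavasoft AB"})


def triage_gmer(log_text, known_vendors=KNOWN_SECURITY_VENDORS):
    """Sort GMER findings into expected / review / suspicious / unparsed."""
    result = {"expected": [], "review": [], "suspicious": [], "unparsed": [],
              "user_hooks": {}}
    per_process = defaultdict(list)
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---- "):           # "---- System - GMER 1.0.15 ----"
            section = line[5:].split(" - ")[0]
            continue
        if section is None:                     # scan header, not a finding
            continue
        m = RSRC_RE.match(line)
        if m:
            # A driver's entry point belongs in a code section. One that points
            # into .rsrc means the image has been rewritten after it was built.
            result["suspicious"].append(f"{m.group(1)}: entry point in .rsrc section")
            continue
        m = USER_HOOK_RE.match(line)
        if m:
            proc, pid, api, target = m.groups()
            per_process[f"{proc}[{pid}]"].append((api, target))
            continue
        if section in ("System", "Kernel code sections"):
            v = VENDOR_RE.search(line)
            if v and v.group(2) in known_vendors:
                result["expected"].append(line)
            else:
                result["review"].append(line)   # no owner, or one nobody installed
            continue
        result["unparsed"].append(line)         # never drop a line silently
    # GMER prints only a bare address for user-mode JMP targets, so these hooks
    # lead into memory it could not map to a module. Host-IPS products place
    # such hooks too, so treat the counts as corroborating, not conclusive.
    result["user_hooks"] = {p: len(h) for p, h in per_process.items()}
    return result


if __name__ == "__main__":
    for bucket, items in triage_gmer(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```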


#5 tbell

tbell
  • Topic Starter

  • Members
  • 6 posts

Posted 06 February 2010 - 05:03 PM

myrti,

Thanks for your response. Here is the output from GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-06 14:44:23
Windows 5.1.2600 Service Pack 3
Running: 56dzdtkf.exe; Driver: C:\DOCUME~1\Root\LOCALS~1\Temp\awloapob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76F187E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76F1BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED25978A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED259738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED25974C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED2597CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED259710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED259724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED25979E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED259776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED259762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED2597F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED2597E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED2597B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP ED2597B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP ED25978E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP ED259766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP ED259714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP ED2597A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP ED2597E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP ED2597CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP ED259750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP ED2597FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP ED259728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP ED25973C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP ED25977A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF7620780]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01310000
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01310089
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01310078
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0131005D
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01310F94
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01310FAF
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013100B5
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013100A4
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013100C6
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01310F2D
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013100D7
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01310036
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01310FDB
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01310F79
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01310FCA
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0131001B
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01310F48
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01300040
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01300051
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01300025
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01300FEF
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01300F94
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01300000
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01300FB9
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [50, 89]
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01300FCA
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012F0FBE
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 012F0FD9
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012F0038
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012F0000
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012F0049
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012F0011
.text C:\WINDOWS\system32\services.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 012E0000
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F5C
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F81
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB004A
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F4B
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0093
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00B8
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F1F
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F0E
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB006C
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F3A
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0014
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90FA6
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90031
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90FD2
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90FE3
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B90FC1
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B9000C
.text C:\WINDOWS\system32\lsass.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC004F
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F5A
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0F6B
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0F7C
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC001E
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC0F0E
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0060
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC0EE2
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC007B
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC0EC7
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0F97
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC0F3F
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0FB2
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC0FC3
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC0EFD
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB004A
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB002F
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0F8D
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0FA8
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0051
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FBC
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0FCD
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0018
.text C:\WINDOWS\system32\svchost.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB00AE
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0093
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0076
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB005B
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F81
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB00C9
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0F5C
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB00EB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB0F4B
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB0F9E
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB0025
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB00DA
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0040
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA0FB9
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA0FE5
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA001B
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA0076
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FA0065
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0FD4
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F90FB7
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F90042
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90FD2
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FE3
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F90027
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80000
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02290000
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02290F46
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02290F57
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02290F68
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02290F79
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02290FA5
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02290EFD
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02290F0E
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02290085
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02290074
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022900AA
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02290F94
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02290011
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02290F2B
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02290FB6
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02290FDB
.text C:\WINDOWS\System32\svchost.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02290EEC
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0183002F
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01830FA8
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01830014
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01830FD4
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01830065
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01830FE5
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01830054
.text C:\WINDOWS\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01830FC3
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01820036
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 01820FAB
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01820011
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01820FE3
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01820FBC
.text C:\WINDOWS\System32\svchost.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01820000
.text C:\WINDOWS\System32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01810000
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0180000A
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01800FEF
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01800FD4
.text C:\WINDOWS\System32\svchost.exe[1112] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01800FB9
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B009D
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B008C
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0FB2
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FC3
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F66
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F81
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00EB
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00DA
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0F41
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0025
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B00AE
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B005B
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0036
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B00C9
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F8D
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0014
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A004A
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007A0FB2
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9A, 88]
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A002F
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790FB9
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!system 77C293C7 5 Bytes JMP 0079004E
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790022
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790033
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790011
.text C:\WINDOWS\System32\svchost.exe[1156] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F88
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD007D
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD006C
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD005B
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0039
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F5A
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00A2
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F24
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00BD
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00D8
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD004A
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F77
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\System32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F3F
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0011
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0055
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0000
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0044
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC0033
.text C:\WINDOWS\System32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0022
.text C:\WINDOWS\System32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0F81
.text C:\WINDOWS\System32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0F9C
.text C:\WINDOWS\System32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FC8
.text C:\WINDOWS\System32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FE3
.text C:\WINDOWS\System32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FB7
.text C:\WINDOWS\System32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F57
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F68
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F79
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0036
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0087
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F35
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F24
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00BD
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0EFF
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF001B
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F46
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0000
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0098
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093002C
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930073
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930058
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FC0
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930047
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F7A
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920F8B
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC1
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FA6
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FDE
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900025
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900040
.text C:\WINDOWS\System32\svchost.exe[1500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02400FEF
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02400F46
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0240003B
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02400F61
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02400F72
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02400F94
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02400062
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02400F1A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02400EE7
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02400EF8
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0240009B
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02400F83
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02400000
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02400F35
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02400FB9
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02400FCA
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02400F09
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 023F004A
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 023F0FB9
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 023F0025
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 023F0FEF
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 023F0076
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 023F0000
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 023F0FDE
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5F, 8A]
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 023F0065
.text C:\WINDOWS\Explorer.EXE[1536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02330058
.text C:\WINDOWS\Explorer.EXE[1536] msvcrt.dll!system 77C293C7 5 Bytes JMP 02330FCD
.text C:\WINDOWS\Explorer.EXE[1536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02330FDE
.text C:\WINDOWS\Explorer.EXE[1536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02330000
.text C:\WINDOWS\Explorer.EXE[1536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02330033
.text C:\WINDOWS\Explorer.EXE[1536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02330FEF
.text C:\WINDOWS\Explorer.EXE[1536] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C60000
.text C:\WINDOWS\Explorer.EXE[1536] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C60FDB
.text C:\WINDOWS\Explorer.EXE[1536] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C60FC0
.text C:\WINDOWS\Explorer.EXE[1536] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\Explorer.EXE[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AF00A7
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AF0FB2
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AF0080
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AF006F
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AF004A
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AF0F77
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AF00C9
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF00EE
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AF0F55
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AF00FF
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AF0FC3
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AF00B8
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AF0025
.text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AF0F66
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0047
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE0073
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE0036
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE001B
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0FB6
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AE0FD1
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CE, 88]
.text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0058
.text C:\WINDOWS\system32\svchost.exe[1828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD0F84
.text C:\WINDOWS\system32\svchost.exe[1828] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0F95
.text C:\WINDOWS\system32\svchost.exe[1828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD0FC1
.text C:\WINDOWS\system32\svchost.exe[1828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FA6
.text C:\WINDOWS\system32\svchost.exe[1828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD0FD2
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0F83
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0F9E
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0078
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0FAF
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0FCA
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C00A7
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C0F55
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C00E4
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C00D3
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C00F5
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C0047
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C0F72
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0036
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C001B
.text C:\WINDOWS\System32\svchost.exe[2528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C00B8
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B0FB2
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0F57
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B0FC3
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B0FD4
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0F72
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006B0F83
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B0014
.text C:\WINDOWS\System32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCF7 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[2528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006A0FBC
.text C:\WINDOWS\System32\svchost.exe[2528] msvcrt.dll!system 77C293C7 5 Bytes JMP 006A0FCD
.text C:\WINDOWS\System32\svchost.exe[2528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006A0FDE
.text C:\WINDOWS\System32\svchost.exe[2528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006A0000
.text C:\WINDOWS\System32\svchost.exe[2528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006A003D
.text C:\WINDOWS\System32\svchost.exe[2528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[2528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0056
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0F61
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0F72
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C002F
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0F97
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C0F29
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C0F3A
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C0F07
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C00A0
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C00BB
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C001E
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C0067
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0FB2
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C0FC3
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C0F18
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B001B
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0F9B
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B000A
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B0FD4
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0062
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FE5
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 3 Bytes JMP 006B0047
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B002C
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCF7 1 Byte [88]
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006A005F
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!system 77C293C7 5 Bytes JMP 006A004E
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006A0022
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006A0033
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006A0FDE
.text C:\WINDOWS\System32\svchost.exe[2592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0086
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0075
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0058
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0047
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0025
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F5E
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F6F
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F32
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00C1
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00E6
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0036
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F80
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE000A
.text C:\WINDOWS\System32\svchost.exe[2764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F43
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0036
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD0F94
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD0FDB
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD001B
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0051
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0000
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0FAF
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\System32\svchost.exe[2764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC004C
.text C:\WINDOWS\System32\svchost.exe[2764] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0FB7
.text C:\WINDOWS\System32\svchost.exe[2764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC000C
.text C:\WINDOWS\System32\svchost.exe[2764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\System32\svchost.exe[2764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0027
.text C:\WINDOWS\System32\svchost.exe[2764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC0FD2

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F7613B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7613B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F7613B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F7613B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F7613B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 158997
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AFE72429-3BD5-4BAE-9B23-916F6399A745}@LeaseObtainedTime 1265483488
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AFE72429-3BD5-4BAE-9B23-916F6399A745}@T1 1265483498
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AFE72429-3BD5-4BAE-9B23-916F6399A745}@T2 1265483505
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AFE72429-3BD5-4BAE-9B23-916F6399A745}@LeaseTerminatesTime 1265483508
Reg HKLM\SYSTEM\CurrentControlSet\Services\{AFE72429-3BD5-4BAE-9B23-916F6399A745}\Parameters\Tcpip@LeaseObtainedTime 1265483488
Reg HKLM\SYSTEM\CurrentControlSet\Services\{AFE72429-3BD5-4BAE-9B23-916F6399A745}\Parameters\Tcpip@T1 1265483498
Reg HKLM\SYSTEM\CurrentControlSet\Services\{AFE72429-3BD5-4BAE-9B23-916F6399A745}\Parameters\Tcpip@T2 1265483505
Reg HKLM\SYSTEM\CurrentControlSet\Services\{AFE72429-3BD5-4BAE-9B23-916F6399A745}\Parameters\Tcpip@LeaseTerminatesTime 1265483508

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:08 PM

Posted 08 February 2010 - 12:24 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 tbell

tbell
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 08 February 2010 - 10:25 PM

myrti,

Thanks for your message, in spite of the less-than-stellar news.

We will remove the PC from the internet and refrain from making any financial transactions from it (which, fortunately, we seldom do). Thanks for your advice regarding passwords at institutions we may have accessed from this computer. I'll take care of that ASAP. I followed your link regarding identity theft, and will likely avail myself of this information as well.

We'll probably use this as an opportunity to "need" a new computer. This one is ~8 years old, and probably not worth the hassle of reformatting. I don't have the original operating system disk (WindowsXP) anyway. Your link has convinced me that we can't really ever trust this computer completely again.

In the meantime (i.e., while shopping for a replacement), I would like to continue to clean this machine if you're willing to continue helping. I ran ComboFix, and saw that it deleted several files. Out of curiosity, I tried our browser and those symptoms (redirection to the same commercial sites), at least, remain unchanged.

Thanks again for your most gracious help!

Here's the output from ComboFix:

ComboFix 10-02-08.04 - Root 02/08/2010 19:00:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.523 [GMT -7:00]
Running from: c:\documents and settings\Root\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\BSTIEPrintCtl1.dll
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-06 13:54 . 2010-02-06 13:54 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-23 18:23 . 2010-01-23 18:23 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-01-23 16:34 . 2010-01-23 16:34 -------- d-----w- c:\program files\Trend Micro
2010-01-23 03:33 . 2010-01-14 18:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-23 03:28 . 2010-01-23 03:28 -------- d-----w- c:\program files\Windows Defender
2010-01-23 02:11 . 2009-10-12 15:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-22 20:48 . 2010-01-22 21:36 -------- d-----w- c:\documents and settings\All Users\AVP 2009
2010-01-17 16:33 . 2010-01-17 23:49 -------- d-----w- c:\documents and settings\Root\Local Settings\Application Data\tyvsfd
2010-01-14 01:44 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 19:00 . 2007-11-12 00:19 -------- d-----w- c:\program files\Google
2009-12-30 00:59 . 2006-07-25 04:05 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
2009-12-30 00:58 . 2007-11-12 01:18 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-12-30 00:58 . 2006-06-17 22:03 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-12-27 02:16 . 2006-07-08 21:09 -------- d-----w- c:\program files\hugin
2009-12-22 02:18 . 2007-03-05 20:19 -------- d-----w- c:\program files\McAfee
2009-12-21 19:14 . 2002-08-29 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 15:50 . 2009-10-12 15:50 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 15:51 . 2002-08-29 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-05 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-12 520024]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-8-26 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-6-17 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/30/2009 8:50 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 8:15 PM 93320]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate1c9bd7146d2394a;Google Update Service (gupdate1c9bd7146d2394a);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 7:24 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:50]

2010-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 02:23]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 02:23]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-05 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-05 19:22]

2010-02-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-HijackThis - c:\documents and settings\Root\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 19:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x873598C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e5f28
\Driver\ACPI -> ACPI.sys @ 0xf7658cb8
\Driver\atapi -> atapi.sys @ 0xf7613b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf751cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf7529a21
SendHandler -> NDIS.sys @ 0xf750787b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2010-02-08 19:10:34
ComboFix-quarantined-files.txt 2010-02-09 02:10

Pre-Run: 54,882,603,008 bytes free
Post-Run: 54,974,615,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 38AC7D8E4944E2407E1986D49D867602


#8 sundavis (Malware Response Team, 2,708 posts)

Posted 13 February 2010 - 01:54 AM

Hi tbell,


Myrti is not available right now, I will be helping you with the continued support. Please do the following:

Step1

  1. Please download Flash_Disinfector and save it to your desktop.
  2. Double click to run it.
  3. You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  4. Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  5. When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  6. Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.


Step2
  1. Go to this thread and download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
  3. Start > Run, copy/paste the following command into the Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.



Step3

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or found at: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  10. You can refer to this tutorial.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




In your next reply, please post back:

1. TDSSKiller.txt
2. MBAM log

Tell me if you have any remaining issues on your PC.
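The autorun.inf files ComboFix deleted from I:\ and c:\windows\system32 in the post above, and the Flash_Disinfector step in this one, are about the same mechanism: a file at a volume root that tells Explorer what to run when the drive is inserted or double-clicked. The following checker is an added example for this thread, not code from Flash_Disinfector or ComboFix (neither post describes their internals); it parses an autorun.inf body and reports the directives a worm relies on. The three sample files are constructed, and the RECYCLER folder name in the first is a placeholder.

```python
import re

# Directives Windows may act on when the volume is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")                # run a program on AutoRun
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")   # shell\<verb>\command replaces Explorer's Open/Explore
HIDDEN_DIRS = ("recycler\\", "recycled\\", "system volume information\\")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
SPOOF_ACTION = "open folder to view files"            # the text Windows itself shows in the AutoPlay dialog


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}.

    Hand-parsed rather than configparser: keys contain backslashes, duplicate
    keys are common in worm-written files (last one wins), and quoting is loose."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def inspect_autorun(text):
    """Return [(category, detail), ...] for an autorun.inf body; [] for an inert file."""
    findings = []
    for key, value in parse_autorun(text).items():
        verb = VERB_RE.match(key)
        if key in LAUNCH_KEYS or verb:
            target = value.split()[0].lower() if value.split() else ""
            findings.append(("verb-hijack" if verb else "launch", f"{key}={value}"))
            if target.startswith(HIDDEN_DIRS):          # program hidden in a folder Explorer normally hides
                findings.append(("hidden-dir", target))
            base = target.rsplit("\\", 1)[-1]
            if base.count(".") > 1 and base.endswith(EXEC_EXT):   # photo.jpg.exe and friends
                findings.append(("double-ext", base))
        elif key == "action" and value.lower() == SPOOF_ACTION:   # AutoPlay entry dressed up as Windows' own
            findings.append(("spoofed-action", value))
    return findings


def verdict(text):
    """Collapse the findings to one label a helper can act on."""
    cats = {c for c, _ in inspect_autorun(text)}
    if cats & {"verb-hijack", "hidden-dir", "double-ext", "spoofed-action"}:
        return "malicious-looking"
    if "launch" in cats:
        return "launches-program"
    return "inert"


# Constructed samples, not files from this thread. The first follows the layout
# USB worms wrote; the second is what a vendor driver disc carries; the third
# is the label/icon-only file many cameras and card readers ship.
WORM_STYLE = r"""
[autorun]
open=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\update.exe
shell\open\Command=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\update.exe
shell\explore\Command=RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

VENDOR_STYLE = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Printer Software
"""

INERT_STYLE = r"""
[autorun]
icon=camera.ico
label=Photos
"""

if __name__ == "__main__":
    for name, body in (("worm", WORM_STYLE), ("vendor", VENDOR_STYLE), ("inert", INERT_STYLE)):
        print(name, verdict(body), inspect_autorun(body))
```

Whether Windows would actually honour open= or the shell verbs on a given machine depends on the AutoRun policy and on whether Microsoft's 2009 AutoRun hardening update is installed; the checker therefore reports the file's structure rather than predicting execution, since the file is evidence of what wrote it either way.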

#9 tbell (Topic Starter, Members, 6 posts)

Posted 14 February 2010 - 01:07 PM

sundavis,

Thanks for picking up where myrti left off.

I performed the steps you suggested. The most obvious problems (redirects in browser, pop-ups) appear to be gone. I don't know if that means we are clean or not...

Here are the log files you requested:

19:47:46:456 3576 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
19:47:46:456 3576 ================================================================================
19:47:46:456 3576 SystemInfo:

19:47:46:456 3576 OS Version: 5.1.2600 ServicePack: 3.0
19:47:46:456 3576 Product type: Workstation
19:47:46:456 3576 ComputerName: D1HWJC31
19:47:46:456 3576 UserName: Root
19:47:46:456 3576 Windows directory: C:\WINDOWS
19:47:46:456 3576 Processor architecture: Intel x86
19:47:46:456 3576 Number of processors: 1
19:47:46:456 3576 Page size: 0x1000
19:47:46:456 3576 Boot type: Normal boot
19:47:46:456 3576 ================================================================================
19:47:46:471 3576 UnloadDriverW: NtUnloadDriver error 1
19:47:46:471 3576 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
19:47:46:471 3576 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:47:46:471 3576 LoadDriverW: Driver already loaded
19:47:46:471 3576 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
19:47:46:471 3576 UtilityInit: KLMD drop and load failed, trying to open device
19:47:46:471 3576 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
19:47:46:471 3576 UtilityInit: KLMD open success
19:47:46:471 3576 UtilityInit: Initialize success
19:47:46:471 3576
19:47:46:471 3576 Scanning Services ...
19:47:46:471 3576 CreateRegParser: Registry parser init started
19:47:46:471 3576 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
19:47:46:471 3576 CreateRegParser: DisableWow64Redirection error
19:47:46:471 3576 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:47:46:471 3576 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
19:47:46:471 3576 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:47:46:471 3576 wfopen_ex: Trying to KLMD file open
19:47:46:471 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
19:47:46:471 3576 wfopen_ex: File opened ok (Flags 2)
19:47:46:471 3576 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384AC0
19:47:46:471 3576 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:47:46:471 3576 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
19:47:46:471 3576 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:47:46:471 3576 wfopen_ex: Trying to KLMD file open
19:47:46:471 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
19:47:46:471 3576 wfopen_ex: File opened ok (Flags 2)
19:47:46:471 3576 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3849B0
19:47:46:471 3576 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
19:47:46:471 3576 CreateRegParser: EnableWow64Redirection error
19:47:46:471 3576 CreateRegParser: RegParser init completed
19:47:46:862 3576 GetAdvancedServicesInfo: Raw services enum returned 379 services
19:47:46:862 3576 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:47:46:862 3576 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:47:46:862 3576
19:47:46:877 3576 Scanning Kernel memory ...
19:47:46:877 3576 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:47:46:877 3576 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 873DEA08
19:47:46:877 3576 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
19:47:46:877 3576
19:47:46:877 3576 DetectCureTDL3: DEVICE_OBJECT: 868ECC68
19:47:46:877 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868ECC68
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0x868ECC68[0x38]
19:47:46:877 3576 DetectCureTDL3: DRIVER_OBJECT: 873DEA08
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0x873DEA08[0xA8]
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0xE1A10830[0x18]
19:47:46:877 3576 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:47:46:877 3576 DetectCureTDL3: IrpHandler (0) addr: F76E7BB0
19:47:46:877 3576 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (2) addr: F76E7BB0
19:47:46:877 3576 DetectCureTDL3: IrpHandler (3) addr: F76E1D1F
19:47:46:877 3576 DetectCureTDL3: IrpHandler (4) addr: F76E1D1F
19:47:46:877 3576 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (9) addr: F76E22E2
19:47:46:877 3576 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (14) addr: F76E23BB
19:47:46:877 3576 DetectCureTDL3: IrpHandler (15) addr: F76E5F28
19:47:46:877 3576 DetectCureTDL3: IrpHandler (16) addr: F76E22E2
19:47:46:877 3576 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (22) addr: F76E3C82
19:47:46:877 3576 DetectCureTDL3: IrpHandler (23) addr: F76E899E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
19:47:46:877 3576 TDL3_FileDetect: Processing driver: Disk
19:47:46:877 3576 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:47:46:877 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:47:46:877 3576 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:47:46:877 3576
19:47:46:877 3576 DetectCureTDL3: DEVICE_OBJECT: 868DEAB8
19:47:46:877 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868DEAB8
19:47:46:877 3576 DetectCureTDL3: DEVICE_OBJECT: 873176F0
19:47:46:877 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873176F0
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0x873176F0[0x38]
19:47:46:877 3576 DetectCureTDL3: DRIVER_OBJECT: 86C97248
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0x86C97248[0xA8]
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0xE1B20378[0x1E]
19:47:46:877 3576 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:47:46:877 3576 DetectCureTDL3: IrpHandler (0) addr: F7A1E218
19:47:46:877 3576 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (2) addr: F7A1E218
19:47:46:877 3576 DetectCureTDL3: IrpHandler (3) addr: F7A1E23C
19:47:46:877 3576 DetectCureTDL3: IrpHandler (4) addr: F7A1E23C
19:47:46:877 3576 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (14) addr: F7A1E180
19:47:46:877 3576 DetectCureTDL3: IrpHandler (15) addr: F7A199E6
19:47:46:877 3576 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (22) addr: F7A1D5F0
19:47:46:877 3576 DetectCureTDL3: IrpHandler (23) addr: F7A1BA6E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
19:47:46:877 3576 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
19:47:46:877 3576 KLMD_ReadMem: Trying to ReadMemory 0xF7A1AF26[0x400]
19:47:46:877 3576 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:47:46:877 3576 TDL3_FileDetect: Processing driver: USBSTOR
19:47:46:877 3576 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:47:46:893 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:47:46:893 3576 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:47:46:893 3576
19:47:46:893 3576 DetectCureTDL3: DEVICE_OBJECT: 873C7C68
19:47:46:893 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873C7C68
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x873C7C68[0x38]
19:47:46:893 3576 DetectCureTDL3: DRIVER_OBJECT: 873DEA08
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x873DEA08[0xA8]
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0xE1A10830[0x18]
19:47:46:893 3576 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:47:46:893 3576 DetectCureTDL3: IrpHandler (0) addr: F76E7BB0
19:47:46:893 3576 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (2) addr: F76E7BB0
19:47:46:893 3576 DetectCureTDL3: IrpHandler (3) addr: F76E1D1F
19:47:46:893 3576 DetectCureTDL3: IrpHandler (4) addr: F76E1D1F
19:47:46:893 3576 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (9) addr: F76E22E2
19:47:46:893 3576 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (14) addr: F76E23BB
19:47:46:893 3576 DetectCureTDL3: IrpHandler (15) addr: F76E5F28
19:47:46:893 3576 DetectCureTDL3: IrpHandler (16) addr: F76E22E2
19:47:46:893 3576 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (22) addr: F76E3C82
19:47:46:893 3576 DetectCureTDL3: IrpHandler (23) addr: F76E899E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
19:47:46:893 3576 TDL3_FileDetect: Processing driver: Disk
19:47:46:893 3576 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:47:46:893 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:47:46:893 3576 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:47:46:893 3576
19:47:46:893 3576 DetectCureTDL3: DEVICE_OBJECT: 873C89F0
19:47:46:893 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873C89F0
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x873C89F0[0x38]
19:47:46:893 3576 DetectCureTDL3: DRIVER_OBJECT: 873DEA08
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x873DEA08[0xA8]
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0xE1A10830[0x18]
19:47:46:893 3576 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:47:46:893 3576 DetectCureTDL3: IrpHandler (0) addr: F76E7BB0
19:47:46:893 3576 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (2) addr: F76E7BB0
19:47:46:893 3576 DetectCureTDL3: IrpHandler (3) addr: F76E1D1F
19:47:46:893 3576 DetectCureTDL3: IrpHandler (4) addr: F76E1D1F
19:47:46:893 3576 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (9) addr: F76E22E2
19:47:46:893 3576 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (14) addr: F76E23BB
19:47:46:893 3576 DetectCureTDL3: IrpHandler (15) addr: F76E5F28
19:47:46:893 3576 DetectCureTDL3: IrpHandler (16) addr: F76E22E2
19:47:46:893 3576 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (22) addr: F76E3C82
19:47:46:893 3576 DetectCureTDL3: IrpHandler (23) addr: F76E899E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
19:47:46:893 3576 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
19:47:46:893 3576 TDL3_FileDetect: Processing driver: Disk
19:47:46:893 3576 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:47:46:893 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:47:46:893 3576 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:47:46:893 3576
19:47:46:893 3576 DetectCureTDL3: DEVICE_OBJECT: 873CAAB8
19:47:46:893 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873CAAB8
19:47:46:893 3576 DetectCureTDL3: DEVICE_OBJECT: 87348B00
19:47:46:893 3576 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87348B00
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x87348B00[0x38]
19:47:46:893 3576 DetectCureTDL3: DRIVER_OBJECT: 8738F480
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x8738F480[0xA8]
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0xE1A15008[0x1A]
19:47:46:893 3576 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:47:46:893 3576 DetectCureTDL3: IrpHandler (0) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (1) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (2) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (3) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (4) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (5) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (6) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (7) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (8) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (9) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (10) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (11) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (12) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (13) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (14) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (15) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (16) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (17) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (18) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (19) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (20) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (21) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (22) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (23) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (24) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (25) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (26) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: All IRP handlers pointed to one addr: F7613B3A
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0xF7613B3A[0x400]
19:47:46:893 3576 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x873490B4[0x4]
19:47:46:893 3576 TDL3_IrpHookDetect: New IrpHandler addr: 873928C8
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0x873928C8[0x400]
19:47:46:893 3576 TDL3_IrpHookDetect: TDL3 is already cured
19:47:46:893 3576 KLMD_ReadMem: Trying to ReadMemory 0xF7611864[0x400]
19:47:46:893 3576 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:47:46:893 3576 TDL3_FileDetect: Processing driver: atapi
19:47:46:893 3576 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk8D.tmp
19:47:46:893 3576 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk8D.tmp
19:47:46:924 3576 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk8D.tmp - Verdict: Clean
19:47:46:924 3576
19:47:46:924 3576 Completed
19:47:46:924 3576
19:47:46:924 3576 Results:
19:47:46:924 3576 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:47:46:924 3576 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:47:46:924 3576 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:47:46:924 3576
19:47:46:924 3576 UnloadDriverW: NtUnloadDriver error 1
19:47:46:924 3576 KLMD_Unload: UnloadDriverW(klmd21) error 1
19:47:46:924 3576 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:47:46:924 3576 UtilityDeinit: KLMD(ARK) unloaded successfully




Malwarebytes' Anti-Malware 1.44
Database version: 3736
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/14/2010 9:00:38 AM
mbam-log-2010-02-14 (09-00-35).txt

Scan type: Quick Scan
Objects scanned: 128457
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf2f7e80-83ff-41a7-a826-e96b45bf7c89} (Adware.Mirar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Adware_ProNE (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> No action taken.

Files Infected:
C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> No action taken.

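A small triage helper for TDSSKiller logs like the one above, added here as an example and not code from this thread or from Kaspersky's tool; it assumes the line formats shown in the log and reuses the addresses and driver file name from it as constructed sample input:

```python
import re

# Constructed sample in the TDSSKiller log format posted in this thread
# (addresses and driver file name are the ones shown on the page).
SAMPLE_LOG = """\
19:47:46:893 3576 DetectCureTDL3: IrpHandler (24) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (25) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: IrpHandler (26) addr: F7613B3A
19:47:46:893 3576 DetectCureTDL3: All IRP handlers pointed to one addr: F7613B3A
19:47:46:893 3576 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
19:47:46:893 3576 TDL3_IrpHookDetect: TDL3 is already cured
19:47:46:893 3576 TDL3_FileDetect: Processing driver: atapi
19:47:46:924 3576 TDL3_FileDetect: C:\\WINDOWS\\system32\\drivers\\tsk8D.tmp - Verdict: Clean
19:47:46:924 3576 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:47:46:924 3576 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:47:46:924 3576 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
RESULT_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")


def triage(log_text):
    """Summarise a TDSSKiller log: IRP dispatch table state, file verdicts, result counts."""
    handlers, verdicts, results, flags = {}, {}, {}, []
    for line in log_text.splitlines():
        if m := IRP_RE.search(line):
            handlers[int(m.group(1))] = m.group(2).upper()
        elif m := VERDICT_RE.search(line):
            verdicts[m.group(1)] = m.group(2)
        elif m := RESULT_RE.search(line):
            results[m.group(1).lower()] = tuple(int(x) for x in m.group(2, 3, 4))
        elif "Stub signature found" in line:
            flags.append("tdl3_stub_signature")
        elif "is already cured" in line:
            flags.append("tdl3_already_cured")
    addrs = set(handlers.values())
    # Every IRP major function routed to one address is only a lead: many clean
    # drivers use a single dispatch routine, so the stub-signature check decides.
    single = bool(handlers) and len(addrs) == 1
    hook_open = "tdl3_stub_signature" in flags and "tdl3_already_cured" not in flags
    infected = sum(v[0] for v in results.values())
    return {
        "irp_handlers": len(handlers),
        "all_irp_same_addr": single,
        "irp_addr": addrs.pop() if single else None,
        "flags": flags,
        "verdicts": verdicts,
        "results": results,
        "needs_followup": infected > 0 or hook_open,
    }
```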

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 14 February 2010 - 01:21 PM

Hi tbell,



You need to rerun MBAM and let it delete the infected items. We need to scan the remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:


Step1

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to update your Java:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 18 (JDK or JRE)".
  3. Click the "Download JRE" button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Click on the link to download Windows Offline Installation and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  11. After that, please clear your java cache as instructed in this thread .


Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.

1.MBAM log
2.Kas Online Scan Report

Tell me how your pc is running now.

#11 tbell

tbell
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 15 February 2010 - 08:35 PM

sundavis,

Thanks for your continued help.

0. MBAM still found some problems (log file below), and deleted two items

1. Java updated with no issues.

2. ATF-cleaner - thanks for giving me back that diskspace...

3. Kaspersky still found one issue (log file below).

Our original symptoms appear to be gone...but I'm still nervous about what myrti characterized as a "nasty rootkit".


MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3736
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/14/2010 9:06:11 PM
mbam-log-2010-02-14 (21-06-11).txt

Scan type: Full Scan (C:\|H:\|I:\|)
Objects scanned: 229903
Time elapsed: 51 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP861\A0058409.exe (Rogue.Installer) -> Quarantined and deleted successfully.




KAS:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, February 15, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, February 15, 2010 03:46:31
Records in database: 3504512
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 81931
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:27:36


File name / Threat / Threats count
C:\WINDOWS\SYSTEM32\NN_Bar31.dll Infected: not-a-virus:AdWare.Win32.NetNucleus 1

Selected area has been scanned.


#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 15 February 2010 - 10:58 PM

Hi tbell,




QUOTE
but I'm still nervous about what myrti characterized as a "nasty rootkit"

We have rechecked your system with TDSSKiller and the nasty rootkit appeared to have been removed. Hope that eases your mind.

As far as the infected item listed in Kas Online Scanner, please navigate to the following filepath and delete the bolded file manually.

C:\WINDOWS\SYSTEM32\NN_Bar31.dll

Other than that, your system appears clean now. If you have no remaining concerns on your pc, let's do some tidying up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2

Start OTL from your desktop.
  1. Double click OTL and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!


#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 17 February 2010 - 01:53 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.
