XP Antivirus Security Virus/Virtumonde infection


  • This topic is locked This topic is locked
24 replies to this topic

#1 MarieWills
  • Members
  • 13 posts

Posted 17 February 2010 - 04:46 PM

I believe the initial program I was infected with was CT1.exe.
Used Malwarebytes. The first time, it found a series of fakealert files (the log file was destroyed).
Recovered the hard drive, but the virus was not removed. Somehow it restored itself.
I believe the restore disk is infected.

Malwarebytes scans revealed the following:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Combofix scans revealed the following:
c:\recycler\S-1-5-21-2952099033-2881960656-2168609194-1003
c:\windows\system32\_000006_.tmp.dll
D:\Autorun.inf

Current Status of System:
--No Internet Connection
--Fake Windows Security Center Appears in the System Tray
--When I attempt to access the Security Center, fake scans appear on the screen
--I cannot access ANY Safe Mode. I can only boot directly into Windows.


I will make no further changes until instructed.

--------------------------------


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 14:27:48.67 on Wed 02/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.199 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.emachines.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100216214720.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266279042343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\0diykrkn.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-2-16 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-16 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-16 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-16 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-16 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-16 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-16 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-16 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-16 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-16 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-16 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-16 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-2-16 88480]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-2-16 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-16 83496]

=============== Created Last 30 ================

2010-02-17 19:00:36 0 d-----w- c:\windows\system32\scripting
2010-02-17 19:00:35 0 d-----w- c:\windows\l2schemas
2010-02-17 19:00:34 0 d-----w- c:\windows\system32\en
2010-02-17 19:00:34 0 d-----w- c:\windows\system32\bits
2010-02-17 18:55:51 0 d-----w- c:\windows\network diagnostic
2010-02-17 18:42:51 0 d-----w- c:\windows\EHome
2010-02-17 06:26:04 0 d-sha-r- C:\cmdcons
2010-02-17 05:42:59 98816 ----a-w- c:\windows\sed.exe
2010-02-17 05:42:59 77312 ----a-w- c:\windows\MBR.exe
2010-02-17 05:42:59 261632 ----a-w- c:\windows\PEV.exe
2010-02-17 05:42:59 161792 ----a-w- c:\windows\SWREG.exe
2010-02-17 03:49:37 0 d-----w- c:\program files\McAfeeMOBK
2010-02-17 03:49:16 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-02-17 03:48:56 0 d-----w- c:\program files\McAfee Online Backup
2010-02-17 03:47:18 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-17 03:47:13 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-17 03:47:13 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-17 03:47:13 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-17 03:47:12 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-17 03:47:12 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-17 03:47:12 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-17 03:47:12 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-17 03:47:06 0 d-----w- c:\program files\common files\Mcafee
2010-02-17 03:47:02 0 d-----w- c:\program files\McAfee.com
2010-02-17 03:46:34 0 d-----w- c:\program files\McAfee
2010-02-17 03:15:38 2 ----a-w- c:\windows\msoffice.ini
2010-02-17 02:48:18 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-17 02:48:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 02:48:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-17 02:48:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 02:48:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 01:19:46 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-02-17 01:15:15 0 d-----w- c:\program files\Trend Micro
2010-02-16 22:06:59 73832 ------w- c:\windows\system32\slcoinst.dll
2010-02-16 22:05:58 76800 ------w- c:\windows\system32\msshavmsg.dll
2010-02-16 22:04:59 20992 ------w- c:\windows\system32\faxpatch.exe
2010-02-16 21:31:37 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-16 21:31:36 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-16 20:39:01 0 d-----w- c:\windows\pss
2010-02-16 03:43:42 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-16 03:33:55 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2010-02-16 01:42:36 0 d-sh--w- c:\documents and settings\owner\IETldCache
2010-02-16 01:29:21 0 d-----w- c:\docume~1\owner\applic~1\McAfee
2010-02-16 01:27:24 45056 ----a-w- c:\windows\_detmp.2
2010-02-16 01:27:24 44470 ----a-w- c:\windows\_detmp.1
2010-02-16 01:20:48 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-16 01:20:31 0 d-----w- c:\windows\ie8updates
2010-02-16 01:20:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-16 01:20:13 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-16 01:20:13 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-16 01:20:13 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-16 01:20:13 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-16 01:20:12 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-16 01:18:37 0 dc-h--w- c:\windows\ie8
2010-02-16 01:01:07 0 d-----w- c:\windows\ServicePackFiles
2010-02-16 00:54:30 0 d-----w- c:\program files\MSXML 4.0
2010-02-16 00:32:50 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-16 00:32:50 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-16 00:32:15 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-02-16 00:28:35 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-16 00:28:34 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-02-16 00:26:34 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-16 00:13:01 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-16 00:09:37 0 d-s---w- c:\documents and settings\owner\UserData
2010-02-16 00:07:34 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-02-16 00:05:36 0 d-----w- c:\docume~1\owner\applic~1\Symantec
2010-02-16 00:04:52 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-16 00:04:30 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-16 00:00:41 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-02-15 23:59:44 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-02-15 23:59:42 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-15 23:54:12 0 d-----w- c:\windows\system32\PreInstall
2010-02-15 23:38:01 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-02-15 23:04:16 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-02-15 23:02:11 0 d-----w- c:\docume~1\owner\applic~1\AOL
2010-02-15 23:02:05 0 ----a-w- c:\windows\system32\Gateway_T3306__CK859H0008009.MRK
2010-02-15 23:01:58 333 ----a-w- c:\windows\system32\$ncsp$.inf
2010-02-15 22:53:50 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee.com
2010-02-15 22:53:17 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-15 22:52:42 0 d--h--w- c:\windows\$hf_mig$
2010-02-15 22:52:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-15 22:51:13 0 d-----w- c:\windows\RegisteredPackages
2010-02-15 22:51:02 67072 ----a-w- c:\windows\POWERCFG.EXE
2010-02-15 22:50:24 0 d-----w- c:\program files\Realtek Sound Manager
2010-02-15 22:50:24 0 d-----w- c:\program files\AvRack
2010-02-15 22:48:48 0 d-----w- c:\program files\Microsoft Money 2005
2010-02-15 22:48:25 0 d-----w- c:\docume~1\owner\applic~1\You've Got Pictures Screensaver
2010-02-15 22:48:23 0 d-----w- c:\program files\common files\Nullsoft
2010-02-15 22:48:09 86016 ----a-w- c:\windows\unvise32qt.exe
2010-02-15 22:48:03 0 d-----w- c:\windows\system32\QuickTime
2010-02-15 22:47:54 0 d-----w- c:\program files\common files\Real
2010-02-15 22:47:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint
2010-02-15 22:47:41 0 d-----w- c:\program files\Viewpoint
2010-02-15 22:47:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2010-02-15 22:47:37 0 d-----w- c:\program files\Pure Networks
2010-02-15 22:46:39 1151 ---ha-w- C:\IPH.PH
2010-02-15 22:46:38 0 d-----w- c:\program files\common files\AOL
2010-02-15 22:46:31 0 d-----w- c:\program files\MSN Encarta Plus
2010-02-15 22:46:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Napster
2010-02-15 22:46:03 0 d-----w- c:\program files\Napster
2010-02-15 22:45:45 4 ----a-w- c:\windows\Pix11.dat
2010-02-15 22:45:05 0 d-----w- c:\program files\Microsoft Digital Image 2006
2010-02-15 22:44:34 0 d-----w- c:\program files\VIA
2010-02-15 22:44:22 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-02-15 22:44:20 0 d-----w- c:\program files\SIFXINST
2010-02-15 22:43:57 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-02-15 22:42:59 2238 ----a-w- c:\windows\system32\32-aol.ico
2010-02-15 22:42:59 1406 ----a-w- c:\windows\system32\16-aol.ico
2010-02-15 22:42:56 471300 ----a-w- c:\windows\wallpe.exe
2010-02-15 22:42:56 30056 ----a-w- c:\windows\system32\oemlogo.bmp
2010-02-15 22:41:22 376 ----a-w- c:\windows\ODBC.INI
2010-02-15 22:41:18 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-02-15 22:40:50 0 d-----w- c:\program files\Microsoft ActiveSync
2010-02-15 22:40:29 0 d-----w- c:\windows\SHELLNEW
2010-02-15 22:39:38 65280 ----a-w- c:\windows\system32\drivers\Rtlnic51.sys
2010-02-15 22:34:18 0 d-----w- c:\program files\Symantec
2010-02-15 22:34:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-02-15 22:34:11 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-15 22:34:07 3126 ----a-w- c:\windows\emachines_32.bmp
2010-02-15 22:33:52 0 d-----w- c:\program files\BigFix
2010-02-15 22:31:01 27904 ----a-w- c:\windows\system32\drivers\VIAAGP1.SYS
2010-02-15 22:30:50 0 d-----w- c:\windows\system32\ReinstallBackups
2010-02-15 22:28:43 0 d-----w- c:\program files\common files\New Boundary
2010-02-15 22:28:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Prism Deploy
2010-02-15 22:25:55 0 d-----w- c:\windows\system32\URTTemp
2010-02-15 22:25:49 2 --sh--r- C:\USER
2010-02-15 22:25:27 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-02-15 22:25:22 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-02-15 22:24:45 0 d-----w- c:\program files\CONEXANT
2010-02-15 22:24:43 46464 ----a-w- c:\windows\system32\drivers\gagp30kx.sys
2010-02-15 22:24:23 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-02-15 22:24:13 7168 ----a-w- c:\windows\system32\hccoin.dll
2010-02-15 22:24:13 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-02-15 22:21:01 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2010-02-15 22:20:59 0 d-----w- c:\windows\creator
2010-02-15 22:19:26 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-02-15 22:19:26 685056 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2010-02-15 22:19:26 13059 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-02-15 22:19:26 1041536 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2010-02-15 22:19:25 39018 ----a-w- c:\windows\system32\HSFCI011.dll
2010-02-15 22:19:25 220032 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
2010-02-15 22:19:25 129045 ----a-w- c:\windows\system32\drivers\HSFProf.cty
2010-02-15 22:19:25 0 d-----w- c:\windows\SMINST
2010-02-15 22:19:21 0 d-----w- c:\windows\I386
2010-02-15 22:19:05 483840 ----a-w- c:\windows\system32\wzcsvc.dll
2010-02-15 22:19:04 52736 ----a-w- c:\windows\system32\wzcsapi.dll
2010-02-15 22:19:01 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2010-02-15 22:17:58 69699 ----a-w- c:\windows\system32\usrcoina.dll
2010-02-15 22:16:58 55296 ----a-w- c:\windows\system32\dvdplay.exe
2010-02-15 22:15:18 47104 ----a-w- c:\windows\system32\cnbjmon.dll
2010-02-13 02:54:59 68096 ----a-w- c:\windows\system32\webclnt.dll
2010-02-13 02:53:59 838432 -c--a-w- c:\windows\system32\dllcache\mswdat10.dll
2010-02-13 02:52:59 9728 -c--a-w- c:\windows\system32\dllcache\label.exe
2010-02-13 02:51:59 96480 -c--a-w- c:\windows\system32\dllcache\cdm.dll
2010-02-06 03:14:48 0 ----a-w- c:\windows\MOBK.flt
2010-02-06 03:14:48 0 ----a-w- c:\windows\MOBK.blk

==================== Find3M ====================

2010-02-15 22:47:58 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-01-06 00:04:02 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 00:04:02 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 14:29:16.82 ===============
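The three indicators in the post above (the two Security Center DisableNotify values MBAM quarantined, the missing Safe Mode, and the Autorun.inf ComboFix found on D:) can all be checked from a PowerShell prompt. The script below is an added example written for this page; it is not from the thread, from MBAM or from ComboFix. It assumes the standard SafeBoot key locations, adds UpdatesDisableNotify (a third Security Center value that is not in the log) as an extra check, and changes nothing in the registry unless -Fix is given.

```powershell
# Added example (not from the thread): registry/autorun triage for the symptoms
# in post #1. Run from an Administrator PowerShell prompt. Read-only unless -Fix.
param([switch]$Fix)

$findings = @()

# 1. Security Center notification suppression (MBAM's "Disabled.SecurityCenter").
#    AntiVirusDisableNotify / FirewallDisableNotify are the names in the MBAM log;
#    UpdatesDisableNotify is an assumption added here (same key, same semantics).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $item = Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -eq 1) {
        $findings += "SecurityCenter\$name = 1 (notifications suppressed)"
        if ($Fix) { Set-ItemProperty -Path $sc -Name $name -Value 0 -Type DWord }
    }
}

# 2. SafeBoot keys. Rogue-AV families frequently delete these, which is exactly
#    the "cannot boot into any Safe Mode" symptom. Detect only: repairing them
#    means importing an export of the same key from a clean copy of the same
#    Windows version, which this script does not carry.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $key)) {
        $findings += "SafeBoot\$mode key missing (Safe Mode will not start)"
    } else {
        $count = @(Get-ChildItem $key).Count
        $findings += "SafeBoot\$mode present with $count subkeys (compare with a clean machine)"
    }
}

# 3. Autorun.inf on every mounted volume (ComboFix flagged D:\Autorun.inf).
#    Shows the open=/shellexecute=/shell\...\command= lines, i.e. what a
#    double-click on the drive would launch. Nothing is executed.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'Autorun.inf'
    if (Test-Path $inf) {
        $content = Get-Content $inf -ErrorAction SilentlyContinue
        $launch = $content | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $detail = if ($launch) { " -> launches: $($launch -join '; ')" } else { '' }
        $findings += "$inf present$detail"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Save as Triage.ps1 and run it once without arguments to see the report; -Fix only resets the three notify values, because the SafeBoot subtree has to come from a clean export (`reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` on a known-good XP machine of the same service pack) rather than from a script. Note that removing Autorun.inf from D: does not remove whatever it points at; the target file named on the open= line is the thing to quarantine.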

#2 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,771 posts

Posted 20 February 2010 - 01:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
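The /md5start ... /md5stop list in the OTL scan above exists to catch a patched boot-start storage driver: OTL hashes each listed file where it is loaded from and wherever Windows keeps a backup copy, so a live atapi.sys that no longer matches its dllcache or ServicePackFiles copy stands out. The script below reproduces that comparison and is an added example written for this page, not OTL's code or anything posted in the thread. The driver names are copied from the post; the three folder locations are an assumption about a default XP SP3 layout (the DDS log above does show c:\windows\ServicePackFiles and system32\dllcache).

```powershell
# Added example (not OTL, not from the thread): compare each listed driver's
# live copy against Windows' own backup copies, the check OTL's /md5start does.
$drivers = 'atapi.sys', 'iaStor.sys', 'nvstor.sys', 'IdeChnDr.sys', 'viasraid.sys',
           'AGP440.sys', 'vaxscsi.sys', 'nvatabus.sys', 'viamraid.sys', 'nvata.sys',
           'nvgts.sys', 'iastorv.sys', 'ViPrt.sys', 'ahcix86.sys', 'KR10N.sys',
           'nvstor32.sys', 'ahcix86s.sys', 'nvrd32.sys'

# Assumed locations: 'live' is where the kernel loads from; the other two are
# the copies Windows File Protection and the service pack installer leave behind.
$root = $env:SystemRoot
$locations = @{
    'live'     = Join-Path $root 'system32\drivers'
    'dllcache' = Join-Path $root 'system32\dllcache'
    'spfiles'  = Join-Path $root 'ServicePackFiles\i386'
}

function Get-Md5Hex([string]$path) {
    # MD5 only because that is what OTL prints; this is an identity check against
    # Windows' own copies, not a security primitive. Returns $null if unreadable.
    try {
        $md5 = [System.Security.Cryptography.MD5]::Create()
        $stream = [System.IO.File]::OpenRead($path)
        try { ([System.BitConverter]::ToString($md5.ComputeHash($stream))).Replace('-', '') }
        finally { $stream.Close() }
    } catch { $null }
}

function Compare-DriverCopies([string[]]$names, [hashtable]$dirs) {
    foreach ($name in $names) {
        $hashes = @{}
        foreach ($tag in $dirs.Keys) {
            $p = Join-Path $dirs[$tag] $name
            if (Test-Path $p) {
                $h = Get-Md5Hex $p
                if ($h) { $hashes[$tag] = $h }
            }
        }
        if (-not $hashes.ContainsKey('live')) { continue }   # driver not installed here
        $backups  = @($hashes.Keys | Where-Object { $_ -ne 'live' })
        $mismatch = @($backups | Where-Object { $hashes[$_] -ne $hashes['live'] })
        $status = if ($backups.Count -eq 0) { 'no backup copy to compare' }
                  elseif ($mismatch.Count -gt 0) { "MISMATCH vs $($mismatch -join ',')" }
                  else { 'matches backups' }
        New-Object PSObject -Property @{ Driver = $name; Live = $hashes['live']; Status = $status }
    }
}

Compare-DriverCopies $drivers $locations | Format-Table Driver, Status, Live -AutoSize
```

A MISMATCH is a lead, not a verdict: a hotfix that updated a driver in place will also differ from the ServicePackFiles copy, so confirm by comparing the live hash with the same file on a clean machine at the same patch level (or with the vendor's published hash) before replacing it. The reverse case matters too: if every copy matches, a driver-patching rootkit is unlikely to be the reason Safe Mode is gone, and the missing SafeBoot keys become the better explanation.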


#3 MarieWills (Topic Starter)
  • Members
  • 13 posts

Posted 20 February 2010 - 05:00 PM

Hi myrti,

I have not used, accessed or made any changes to the computer since this post.
--All original scans are exactly the same.
--There are no changes in the computer's condition as listed in the original posting.

Also, please note: the computer I am asking for assistance with will not connect to the internet. I have verified that the DSL is working properly and that the computer is connected. I just cannot see any of the network connections. It is as if they have disappeared.

Please see below for OTL logs as per your request. The file is too big to attach and I cannot paste it all in one response. I will divide it between three different messages.

-MW

-------------------------------------------

OTL logfile created on: 2/20/2010 3:14:45 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 230.00 Mb Available Physical Memory | 52.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 88.92 Gb Total Space | 79.55 Gb Free Space | 89.46% Space Free | Partition Type: NTFS
Drive D: | 4.23 Gb Total Space | 2.24 Gb Free Space | 52.97% Space Free | Partition Type: FAT32
Drive E: | 655.57 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 1.72 Gb Free Space | 92.40% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GORILLAS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/20 14:58:42 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/02/15 16:30:46 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/01/27 01:24:24 | 001,179,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/01/05 18:04:02 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2010/01/05 18:04:02 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/03/11 19:33:28 | 000,147,456 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\VTTrayp.exe
PRC - [2005/03/08 05:33:28 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2004/11/02 22:24:46 | 000,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2003/12/09 13:17:00 | 000,067,584 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/20 14:58:42 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (mcupdmgr.exe)
SRV - [2010/02/15 16:30:46 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/01/05 18:04:02 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/01/05 18:04:02 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2009/12/30 18:13:18 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2004/07/15 01:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/07/28 14:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/02/05 21:13:48 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2010/01/05 18:04:02 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/01/05 18:04:02 | 000,312,584 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/01/05 18:04:02 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/01/05 18:04:02 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/01/05 18:04:02 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/01/05 18:04:02 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/01/05 18:04:02 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/01/05 18:04:02 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/01/05 18:04:02 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/01/05 18:04:02 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 12:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2005/04/06 20:31:36 | 000,173,696 | ---- | M] (Copyright © VIA/S3 Graphics Co, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/11/10 19:30:18 | 000,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/11/10 19:27:34 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/13 12:49:00 | 000,065,280 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2004/08/04 13:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 13:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 13:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 13:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 13:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 13:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 13:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 13:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 13:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 13:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 13:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 13:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 13:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 13:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 13:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 13:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/04 00:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 16:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/17 16:56:22 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/17 16:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 16:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/03/17 13:04:14 | 000,013,059 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2003/12/09 13:16:00 | 000,626,977 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/09 13:16:00 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/02 07:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/01/10 15:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 07:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
IE - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\S-1-5-21-1036409691-3325883436-2201785684-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/17 22:19:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/16 21:47:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/15 21:39:33 | 000,000,000 | ---D | M]

[2010/02/15 17:53:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/02/15 17:53:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0diykrkn.default\extensions
[2010/02/15 17:51:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/05 18:04:02 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll

O1 HOSTS File: ([2004/08/04 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20100216214720.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE (New Boundary Technologies, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1036409691-3325883436-2201785684-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1266279042343 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\emachines.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\emachines.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 12:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/02/15 16:17:01 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "wscsvc"
MsConfig - StartUpReg: Reminder - hkey= - key= - C:\WINDOWS\creator\remind_xp.exe (SoftThinks)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: McMPFSvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootNet: mcmscsvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: mfefire - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SafeBootNet: mfefirek - C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
SafeBootNet: mfefirek.sys - C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
SafeBootNet: mfehidk - C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
SafeBootNet: mfehidk.sys - C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
SafeBootNet: mfevtp - C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.)
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:12:44 AM

Posted 20 February 2010 - 05:05 PM

Hi,

please run Flash_Disinfector:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

As well as gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Have you previously restored the PC with said recovery disks? Did you burn them yourself and if so when?
Have you been using flash drives?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
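Reading the GMER output this post asks for is mostly a matter of seeing which module owns each kernel hook and whether that module belongs to something the owner knowingly installed. The following is an added example (not code from the thread, from myrti, or from GMER itself) that parses the "---- System ----" lines in the shape they take in the log posted later in this thread (`Code <module> (<description>/<vendor>) <function> [<address>]`), groups them per hooking module and flags any module whose vendor string is not on an allow-list. The parser covers only that line shape; the `example_unknown.sys` line in the sample is constructed to show how an unattributed hook stands out, and the vendor allow-list is an assumption you would adjust to the machine's installed security products.

```python
import re

# Added example, not from the thread or from GMER. Line shape as printed in the GMER log later in
# this thread:  Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF736CC50]
# i.e. <hook kind> <hooking module> (<description>/<vendor>) <hooked function> [<address>]
GMER_SYSTEM_LINE = re.compile(
    r"^(?P<kind>\S+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+"
    r"(?P<func>\S+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)

# Constructed sample: three lines copied from the log in this thread plus one made-up line
# (example_unknown.sys, empty description) that is NOT in the real log.
SAMPLE_GMER = """\
---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF736CC50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF736CC14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF736CD10]
Code example_unknown.sys () ZwQueryDirectoryFile [0xF7300000]
"""


def parse_gmer_system(text):
    """Group GMER kernel-hook lines by hooking module.

    Returns {module: {"vendor": str, "hooks": [(kind, function, address), ...]}}.
    Headers, blank lines and lines of any other shape are skipped.
    """
    hooks = {}
    for raw in text.splitlines():
        m = GMER_SYSTEM_LINE.match(raw.strip())
        if not m:
            continue
        # GMER prints "<file description>/<company name>"; the vendor is the part after the last "/".
        vendor = m.group("desc").rsplit("/", 1)[-1].strip()
        entry = hooks.setdefault(m.group("module"), {"vendor": vendor, "hooks": []})
        entry["hooks"].append((m.group("kind"), m.group("func"), m.group("addr")))
    return hooks


def unexpected_hooks(hooks, trusted_vendors):
    """Only the modules whose vendor string is not in the allow-list.

    Security products (here McAfee's mfehidk.sys) legitimately hook Zw* functions; a module with
    no vendor, or one nobody installed, is what deserves a closer look.
    """
    return {mod: info for mod, info in hooks.items() if info["vendor"] not in trusted_vendors}


def summarize(hooks):
    """One line per module: module, vendor (or '<no vendor>'), hooked function names."""
    lines = []
    for mod, info in hooks.items():
        funcs = ", ".join(func for _kind, func, _addr in info["hooks"])
        lines.append(f"{mod}: {info['vendor'] or '<no vendor>'}: {funcs}")
    return lines


if __name__ == "__main__":
    parsed = parse_gmer_system(SAMPLE_GMER)
    for line in summarize(parsed):
        print(line)
    # Assumed allow-list: the one security vendor visible in this machine's OTL log.
    print("needs review:", sorted(unexpected_hooks(parsed, {"McAfee, Inc."})))
```

Run it against a saved gmer.log by reading the file into `parse_gmer_system`; the allow-list is the decision point, so keep it to vendors whose presence on the machine you can confirm from the OTL process and driver sections.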


#5 MarieWills
  • Topic Starter

  • Members
  • 13 posts
  • Local time:04:44 PM

Posted 20 February 2010 - 05:16 PM

myrti,

I'm confused. Do you want the rest of the OTL logs or do you want me to proceed to the next step outlined in your last post?

Please instruct.

The logs are too big to attach so I have to break them into pieces and that will take time.

To answer your questions:

> Have you previously restored the PC with said recovery disks?

Yes, I have restored the hard drive twice. No I did not use recovery disks. I used the partition on the hard drive and the virus has returned both times, but in different forms.

> Did you burn them yourself and if so when?

No I did not burn the disk. See above answer.

> Have you been using flash drives?

Yes, I have been using flash drives. That is the only way I have been able to transfer information since the internet connection had disappeared. This disappearance occurred after I installed Service Pack III. All of a sudden I couldn't access or make any changes to the network properties although the physical configuration of the internet did not change.

But the flash drives have only been used to transfer programs to the computer so that I can perform virus sweeps.

-MW

#6 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:12:44 AM

Posted 20 February 2010 - 05:27 PM

Hi,


please try to zip the logs from OTL before attaching them. That should reduce the size enough for you to be able to attach them. Afterwards proceed with the instruction from my previous post.

The reason I asked about flash drives is that some infections will spread through them. Once you insert them in an infected PC they will get infected themselves and infect every PC into which they are inserted.

Is it possible that you were reinfected through flash drive and not that your recovery partition is infected?

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

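Two facts tie the Flash_Disinfector note in post #4 and the flash-drive explanation above together: AutoRun only fires for the drive classes the NoDriveTypeAutoRun policy leaves enabled, and a directory named autorun.inf at a drive root prevents a file of that name from being created there. The following is an added example (not code from the thread, from myrti, or from Flash_Disinfector) that decodes NoDriveTypeAutoRun values such as the 323 and 145 in the O6/O7 lines of the OTL log above (decoded bit by bit, 323 = 0x143 still allows AutoRun on removable and CD-ROM drives), lists what an autorun.inf would launch, and applies the vaccination idea to a drive root. The bit meanings follow the GetDriveType() drive classes; the sample autorun.inf and the two temp-directory "drive roots" in `demo()` are constructed, and unlike the real tool the folder it creates is not hidden.

```python
import os
import tempfile

# Added example, not code from the thread or from Flash_Disinfector. A set bit in NoDriveTypeAutoRun
# disables AutoRun for one GetDriveType() class (DRIVE_UNKNOWN=0 -> 0x01 ... DRIVE_RAMDISK=6 -> 0x40;
# 0x80 is the reserved bit); a clear bit leaves AutoRun on for that class. 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved/unknown",
}

def autorun_still_enabled(value):
    """Drive classes whose bit is clear in a NoDriveTypeAutoRun value, i.e. AutoRun still allowed."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]

def parse_otl_policy(line):
    """(name, int value) from an OTL O6/O7 line: '... policies\\Explorer: NoDriveTypeAutoRun = 323'."""
    head, _, value = line.rpartition("=")
    return head.rsplit(":", 1)[-1].strip(), int(value)

def launch_targets(autorun_text):
    """Commands an autorun.inf would run: the open=, shellexecute= and shell\\<verb>\\command=
    keys of its [autorun] section; comments, other sections and other keys are ignored."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def classify_drive_root(drive_root):
    """('protected' | 'absent' | 'file' | 'suspicious', launch targets) for one drive root."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "protected", []  # the Flash_Disinfector folder is in place
    if not os.path.isfile(path):
        return "absent", []
    with open(path, encoding="latin-1", errors="replace") as fh:
        targets = launch_targets(fh.read())
    return ("suspicious" if targets else "file"), targets

def vaccinate(drive_root):
    """Create an empty directory named autorun.inf at the root (the Flash_Disinfector idea): while it
    exists no file of that name can be created there. The real tool also hides the folder; this does
    not. Returns True if the folder was created, False if it was already there."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return False
    if os.path.exists(path):
        raise FileExistsError(f"{path} is a file: inspect and remove it before vaccinating")
    os.mkdir(path)
    return True

# Constructed autorun.inf (not the one ComboFix found on D:); it launches a harmlessly named file.
CONSTRUCTED_AUTORUN = """[AutoRun]
; constructed sample
icon=setup.ico
open=setup.exe
shell\\open\\command=setup.exe /quiet
action=Open folder to view files
"""

def demo():
    """Two throw-away 'drive roots' in a temp dir: D carries the constructed file, E is clean."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d_root, e_root = os.path.join(tmp, "D"), os.path.join(tmp, "E")
        os.mkdir(d_root)
        os.mkdir(e_root)
        with open(os.path.join(d_root, "autorun.inf"), "w", encoding="latin-1") as fh:
            fh.write(CONSTRUCTED_AUTORUN)
        results["D"] = classify_drive_root(d_root)
        results["E before"] = classify_drive_root(e_root)
        results["E vaccinated"] = vaccinate(e_root)
        results["E after"] = classify_drive_root(e_root)
        results["E again"] = vaccinate(e_root)
    return results

if __name__ == "__main__":
    for policy in ("NoDriveTypeAutoRun = 323", "NoDriveTypeAutoRun = 145"):  # values from the OTL log
        name, value = parse_otl_policy(r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: " + policy)
        print(f"{name} = {value}: AutoRun still allowed on {autorun_still_enabled(value)}")
    print(demo())
```

On a real machine you would point `classify_drive_root` at each drive letter (`D:\\`, `E:\\`) rather than at temp directories; the "suspicious" verdict means the file names something to execute, which is exactly the case the Hold-Shift-while-inserting advice in post #4 guards against.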


#7 MarieWills


Posted 20 February 2010 - 05:31 PM

myrti,

At this point, anything is possible. I have disinfected the flash drives as instructed.

Personally I hope it is not my partition, but since I did not create restore disks, the process for restoration is as follows. We were given one disk, and that disk initiates the restore process. The rest is done from the hard drive partition.

I'm in the process of working on GMER right now, but this might take a bit. I'm working on two computers in two different rooms of the house, so bear with me.

-MW

#8 MarieWills


Posted 20 February 2010 - 07:52 PM

Attached are the OTL and Extras logs.

Below (and attached) is the GMER log.

-MW

---------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 18:19:45
Windows 5.1.2600 Service Pack 3
Running: jgtxfbb3.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwrdqpod.sys
---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF736CC50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF736CC64]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF736CC90]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF736CCE6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF736CC3C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF736CC14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF736CC28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF736CC7A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF736CCBC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF736CCA6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF736CD10]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF736CCFC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF736CCD0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF6DF3900]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 026A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 026A0FC3
.text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 026A0FD4
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0269000A
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02690F77
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0269006C
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0269005B
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0269004A
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02690FC3
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02690F2E
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02690F49
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026900A2
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02690F09
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026900B3
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02690FB2
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02690FEF
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02690F66
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0269002F
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02690FDE
.text C:\WINDOWS\system32\wuauclt.exe[248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02690091
.text C:\WINDOWS\system32\wuauclt.exe[248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0267003D
.text C:\WINDOWS\system32\wuauclt.exe[248] msvcrt.dll!system 77C293C7 5 Bytes JMP 02670FB2
.text C:\WINDOWS\system32\wuauclt.exe[248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02670FDE
.text C:\WINDOWS\system32\wuauclt.exe[248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\wuauclt.exe[248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02670FC3
.text C:\WINDOWS\system32\wuauclt.exe[248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0267000C
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0268001B
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02680F8D
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02680FCA
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02680000
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02680F9E
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02680FEF
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02680FAF
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [88, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0268002C
.text C:\WINDOWS\system32\wuauclt.exe[248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02660FEF
.text C:\Program Files\Messenger\msmsgs.exe[772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F60000
.text C:\Program Files\Messenger\msmsgs.exe[772] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F6002C
.text C:\Program Files\Messenger\msmsgs.exe[772] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F6001B
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F5000A
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F5008E
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F99
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F5007D
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50062
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FCA
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F48
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F63
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500C6
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F2D
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50F08
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50051
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FE5
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50F74
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50036
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F5001B
.text C:\Program Files\Messenger\msmsgs.exe[772] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F500AB
.text C:\Program Files\Messenger\msmsgs.exe[772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30FB7
.text C:\Program Files\Messenger\msmsgs.exe[772] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30FD2
.text C:\Program Files\Messenger\msmsgs.exe[772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30027
.text C:\Program Files\Messenger\msmsgs.exe[772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
.text C:\Program Files\Messenger\msmsgs.exe[772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F30042
.text C:\Program Files\Messenger\msmsgs.exe[772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30FE3
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FC3
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40043
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40FDE
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F40FEF
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40F86
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F4000A
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F40FA1
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [14, 89] {ADC AL, 0x89}
.text C:\Program Files\Messenger\msmsgs.exe[772] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40FB2
.text C:\Program Files\Messenger\msmsgs.exe[772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FEF
.text C:\Program Files\Messenger\msmsgs.exe[772] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F10FEF
.text C:\Program Files\Messenger\msmsgs.exe[772] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F10000
.text C:\Program Files\Messenger\msmsgs.exe[772] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F1001B
.text C:\Program Files\Messenger\msmsgs.exe[772] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050FCA
.text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F8D
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040082
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040FA8
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0004005B
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000400C4
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000400A7
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F35
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F46
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000400E9
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F7C
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F61
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FC3
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10FA8
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F1006F
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F1004A
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F1002F
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070FBE
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FCF
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0007002E
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0007000C
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0007003F
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0007001D
.text C:\WINDOWS\system32\services.exe[884] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F80
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0F91
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0069
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0FAC
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0033
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB0F48
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0F59
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0F0B
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0F1C
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB0EFA
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB004E
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0011
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0090
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0FC7
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB0022
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0F2D
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC0FA8
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC004A
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC0039
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EC001E
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0F97
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DE001D
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DE0F9C
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DE0FD2
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DE000C
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DE0FB7
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\lsass.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F4006C
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F77
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40F94
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40FA5
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F26
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F41
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40ED5
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40EF0
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40089
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40F52
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F40F0B
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F8006C
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F8000A
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F8005B
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F80040
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FAF
.text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70FA1
.text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70FB2
.text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70011
.text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70022
.text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FE3
.text C:\WINDOWS\system32\svchost.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F92
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0087
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0076
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB00B3
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0098
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00E6
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00D5
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0101
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F77
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0051
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00C4
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FA5
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FA1
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FB2
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FCD
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE000C
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02030000
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02030FCA
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02030FDB
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02020FEF
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02020F72
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02020F83
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0202005D
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02020040
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02020025
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02020F35
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02020F50
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 020200CE
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 020200B3
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02020F1A
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02020F9E
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02020FDE
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02020F61
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0202000A
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02020FB9
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 020200A2
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02F8002C
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02F80F9E
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02F8001B
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02F8000A
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02F80FAF
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02F80FEF
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02F80047
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02F80FC0
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02F70F6E
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 02F70F7F
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02F70FAB
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02F70FEF
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02F70F90
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02F70FD2
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02F60FEF
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02040000
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02040011
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02040FE5
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02040036
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00750FD4
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00750FE5
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00740F5F
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00740054
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00740F7C
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00740039
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00740FA8
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00740F16
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00740F27
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00740ECF
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00740EE0
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00740EB4
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00740F97
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00740FDE
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00740F4E
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00740FB9
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00740F05
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780047
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780FB6
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FD1
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00780073
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780062
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770038
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FAD
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770FC8
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0077001D
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B30FD4
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B200A2
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20087
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20076
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B20065
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20FD4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B20F81
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B20F92
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B20F44
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B20F5F
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B20F1F
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B20FB9
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B200BD
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B20036
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B20F70
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B6004E
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60FCA
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60FDB
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B6003D
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B60022
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60F9B
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B5005D
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50FC8
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B5001D
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50038
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B50FE3
.text C:\WINDOWS\system32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910036
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0090004C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F57
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F72
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900F83
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900084
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900067
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900EFC
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900095
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900EEB
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F9E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900F3C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F17
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC002F
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0FA8
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0065
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC004A
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0055
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB003A
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB001D
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00920047
.text C:\WINDOWS\system32\svchost.exe[1596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF
.text C:\WINDOWS\Explorer.EXE[1604] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04F30000
.text C:\WINDOWS\Explorer.EXE[1604] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04F30FD4
.text C:\WINDOWS\Explorer.EXE[1604] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04F30FE5
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04710000
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04710089
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04710F94
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04710FA5
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04710FC0
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04710FE5
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04710F6D
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 047100B5
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 047100E4
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04710F41
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04710F30
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04710062
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0471001B
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0471009A
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04710047
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04710036
.text C:\WINDOWS\Explorer.EXE[1604] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04710F52
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 051D0FA5
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 051D0F65
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 051D0000
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 051D0FD4
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 051D0022
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 051D0FEF
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 051D0F80
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3D, 8D]
.text C:\WINDOWS\Explorer.EXE[1604] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 051D0011
.text C:\WINDOWS\Explorer.EXE[1604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 050A0049
.text C:\WINDOWS\Explorer.EXE[1604] msvcrt.dll!system 77C293C7 5 Bytes JMP 050A0038
.text C:\WINDOWS\Explorer.EXE[1604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 050A0FD2
.text C:\WINDOWS\Explorer.EXE[1604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 050A0000
.text C:\WINDOWS\Explorer.EXE[1604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 050A001D
.text C:\WINDOWS\Explorer.EXE[1604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 050A0FE3
.text C:\WINDOWS\Explorer.EXE[1604] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04F40000
.text C:\WINDOWS\Explorer.EXE[1604] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04F40011
.text C:\WINDOWS\Explorer.EXE[1604] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04F40FE5
.text C:\WINDOWS\Explorer.EXE[1604] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 04F40FD4
.text C:\WINDOWS\Explorer.EXE[1604] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04F50FEF
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1760] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1760] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----
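The hook lines in the GMER output above are the part of this log a defender should know how to read: each `.text` line records that the first bytes of an exported API (process creation, registry, file, socket and WinInet functions) in a process have been overwritten with a `JMP`, and GMER prints the owning module after the target only when it can map the destination to a loaded module (the McSvHost.exe entries pointing into mcproxy.dll). Jumps into memory with no module name are not a verdict by themselves; host-intrusion-prevention components of security suites hook exactly this set of functions, so the next step is to correlate them with the installed products rather than to declare an infection. The following parser is an added example, not part of the thread and not GMER's own code: it separates attributed hooks from unattributed ones per process and counts how many distinct 64 KiB regions the unattributed jumps land in (a few small stub regions per process is consistent with one hooking component). The sample lines are copied from the log above; the `Hook` class, `parse_hooks`, `summarize` and `flag_processes` names are this example's own.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One user-mode hook line as GMER prints it in its "User code sections" list:
#   .text <process>[<pid>] <module>!<export>[ + off] <addr> <n> Byte(s) <what was written>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
# "JMP <target>", optionally followed by the module GMER resolved the target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$")


@dataclass
class Hook:
    process: str            # image path of the hooked process
    pid: int
    function: str           # module!export that was patched
    address: int            # address of the patched bytes
    nbytes: int             # number of bytes GMER reports as changed
    target: Optional[int]   # JMP destination; None for a continuation line such as "[84]"
    owner: Optional[str]    # module GMER attributed the destination to, if it could

    @property
    def unattributed(self) -> bool:
        """A JMP whose destination GMER could not map to any loaded module."""
        return self.target is not None and self.owner is None


def parse_hooks(log_text: str) -> list[Hook]:
    """Extract every user-mode hook line; section headers and other entries are skipped."""
    hooks: list[Hook] = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target = owner = None
        j = JMP_RE.match(m["rest"])
        if j:
            target = int(j["target"], 16)
            owner = j["owner"]
        hooks.append(Hook(m["proc"], int(m["pid"]), f'{m["module"]}!{m["func"]}',
                          int(m["addr"], 16), int(m["nbytes"]), target, owner))
    return hooks


def summarize(hooks: list[Hook]) -> dict[str, dict]:
    """Per process: attributed vs. unattributed JMP hooks, continuation lines,
    and the distinct 64 KiB regions the unattributed jumps point into."""
    by_proc: dict[tuple[str, int], list[Hook]] = defaultdict(list)
    for h in hooks:
        by_proc[(h.process, h.pid)].append(h)
    summary = {}
    for (proc, pid), hs in by_proc.items():
        summary[f"{proc}[{pid}]"] = {
            "attributed": sum(1 for h in hs if h.target is not None and h.owner),
            "unattributed": sum(1 for h in hs if h.unattributed),
            "partial": sum(1 for h in hs if h.target is None),
            "regions": sorted({h.target >> 16 for h in hs if h.unattributed}),
        }
    return summary


def flag_processes(summary: dict[str, dict]) -> list[str]:
    """Processes whose hooks still need an owner to be identified."""
    return sorted(name for name, s in summary.items() if s["unattributed"])


# Constructed excerpt: a few lines copied from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00740F05
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780047
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    s = summarize(parse_hooks(SAMPLE_LOG))
    for name, row in s.items():
        print(name, row)
    print("needs an owner:", flag_processes(s))
```

Run against a full log, the interesting view is `regions`: hooks from one component normally land in a handful of small regions per process, and a process whose unattributed targets are scattered, or whose hooked set differs from every other process on the box, is the one to look at first.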




#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:44 AM

Posted 21 February 2010 - 06:49 AM

This actually doesn't look too bad. What symptoms are you having?

Please run Malwarebytes once more:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#10 MarieWills

MarieWills
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:44 PM

Posted 21 February 2010 - 05:24 PM

myrti,

Below is the Malwarebytes log. It didn't find anything. I am currently performing a long scan. Like before, I don't believe it will find anything either.

Current status of the system is the same. I still don't have an internet connection in addition to:

--Fake Windows Security Center Appears in the System Tray (when I try to access the security center)
--When attempt to access Security Center, fake scans appear on the screen
--I cannot access ANY Safe Mode. I can only boot directly into windows.


Is there any thing else we can do?

-MW

---------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3772
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/21/2010 4:12:50 PM
mbam-log-2010-02-21 (16-12-50).txt

Scan type: Quick Scan
Objects scanned: 109216
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:44 AM

Posted 21 February 2010 - 06:25 PM

Hi,

don't give up just yet! There is still loads we can do.

For starters please run ComboFix:
(Either wait till Malwarebytes has finished its scan or terminate it before running ComboFix)
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#12 MarieWills

MarieWills
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:44 PM

Posted 21 February 2010 - 10:38 PM

Unfortunately, Combofix will not work.

I tried to run it from:

1) The desktop (it gave me the disclaimer and then did nothing else)
2) The flash drive (no success)
3) Safe mode....but I couldn't boot into safe mode so that didn't work either.

I reset the computer multiple times, but the program still wouldn't run.
I followed the instructions (about disabling the virus protection) but still no luck.

Any more suggestions?

Oh and I still don't have any internet.

-IMW

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:44 AM

Posted 22 February 2010 - 03:18 PM

Hi,

please delete the copy of ComboFix you currently have. Download a new copy and save it as fun.com instead of combofix.exe and try to run it again.

regards myrti




#14 MarieWills

MarieWills
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:44 PM

Posted 22 February 2010 - 06:27 PM

That seemed to work.

Please see attached log.

-MW

-----------------------------------------------------------

ComboFix log

------------------------------------------------------------

ComboFix 10-02-21.02 - Owner 02/22/2010 17:12:47.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.163 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\fun.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-21 21:32 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 21:32 . 2010-02-21 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 21:32 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 19:00 . 2010-02-17 19:00 -------- d-----w- c:\windows\system32\scripting
2010-02-17 19:00 . 2010-02-17 19:00 -------- d-----w- c:\windows\l2schemas
2010-02-17 19:00 . 2010-02-17 19:00 -------- d-----w- c:\windows\system32\en
2010-02-17 19:00 . 2010-02-17 19:00 -------- d-----w- c:\windows\system32\bits
2010-02-17 18:42 . 2010-02-17 18:42 -------- d-----w- c:\windows\EHome
2010-02-17 06:16 . 2010-02-17 20:07 33120 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 03:49 . 2010-02-17 03:49 -------- d-----w- c:\program files\McAfeeMOBK
2010-02-17 03:49 . 2010-02-17 03:49 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-17 03:49 . 2010-02-06 03:13 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-02-17 03:48 . 2010-02-17 03:49 -------- d-----w- c:\program files\McAfee Online Backup
2010-02-17 03:47 . 2010-01-06 00:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-17 03:47 . 2010-01-06 00:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-17 03:47 . 2010-01-06 00:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-17 03:47 . 2010-01-06 00:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-17 03:47 . 2010-01-06 00:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-17 03:47 . 2010-01-06 00:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-17 03:47 . 2010-01-06 00:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-17 03:47 . 2010-01-06 00:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-17 03:47 . 2010-02-17 03:47 -------- d-----w- c:\program files\Common Files\Mcafee
2010-02-17 03:47 . 2010-02-17 03:47 -------- d-----w- c:\program files\McAfee.com
2010-02-17 03:46 . 2010-02-17 05:07 -------- d-----w- c:\program files\McAfee
2010-02-17 02:48 . 2010-02-17 02:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-17 02:48 . 2010-02-17 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 01:15 . 2010-02-17 01:15 -------- d-----w- c:\program files\Trend Micro
2010-02-16 22:06 . 2008-04-14 00:12 73832 ------w- c:\windows\system32\slcoinst.dll
2010-02-16 22:05 . 2008-04-14 00:12 155136 ------w- c:\windows\system32\mssha.dll
2010-02-16 22:04 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\faxpatch.exe
2010-02-16 21:31 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-16 03:43 . 2010-02-16 03:43 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-16 03:33 . 2010-02-16 03:33 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-16 01:42 . 2010-02-16 01:42 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-16 01:29 . 2010-02-16 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2010-02-16 01:20 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-16 01:20 . 2010-02-17 06:00 -------- d-----w- c:\windows\ie8updates
2010-02-16 01:20 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-16 01:20 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-16 01:20 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-16 01:20 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-16 01:20 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-16 01:20 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-16 01:18 . 2010-02-16 01:20 -------- dc-h--w- c:\windows\ie8
2010-02-16 01:01 . 2010-02-17 18:57 -------- d-----w- c:\windows\ServicePackFiles
2010-02-16 00:57 . 2010-02-16 01:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
2010-02-16 00:54 . 2010-02-16 00:54 -------- d-----w- c:\program files\MSXML 4.0
2010-02-16 00:43 . 2010-02-16 00:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-16 00:32 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-16 00:32 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-16 00:32 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-02-16 00:28 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-16 00:28 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-02-16 00:26 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-16 00:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-16 00:11 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-02-16 00:11 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-02-16 00:11 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-02-16 00:11 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-16 00:11 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-02-16 00:11 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-16 00:11 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-02-16 00:11 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-02-16 00:11 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-02-16 00:11 . 2009-08-05 02:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 00:11 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 00:11 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-16 00:07 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-02-16 00:05 . 2010-02-16 00:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2010-02-16 00:04 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-16 00:04 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-16 00:00 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-02-15 23:59 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-02-15 23:59 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-15 23:53 . 2010-02-15 23:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-02-15 23:27 . 2010-02-15 22:46 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-02-15 23:27 . 2010-02-15 22:46 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-02-15 23:27 . 2010-02-15 22:46 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2010-02-15 23:27 . 2010-02-15 22:46 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2010-02-15 23:27 . 2010-02-15 23:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AOL
2010-02-15 23:27 . 2010-02-15 22:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
2010-02-15 23:27 . 2010-02-15 22:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2010-02-15 23:27 . 2010-02-15 22:14 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2010-02-15 23:27 . 2010-02-15 22:14 -------- d-----w- c:\documents and settings\Default User\WINDOWS
2010-02-15 23:02 . 2010-02-17 03:16 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2010-02-15 22:53 . 2010-02-18 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-15 22:53 . 2010-02-15 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-02-15 22:53 . 2009-01-08 00:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-15 22:52 . 2010-02-21 09:02 -------- d--h--w- c:\windows\$hf_mig$
2010-02-15 22:52 . 2004-08-04 19:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-15 22:51 . 2003-03-25 13:00 67072 ----a-w- c:\windows\POWERCFG.EXE
2010-02-15 22:48 . 2010-02-15 22:49 -------- d-----w- c:\program files\Microsoft Money 2005
2010-02-15 22:48 . 2010-02-15 22:48 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2010-02-15 22:48 . 2010-02-15 22:48 -------- d-----w- c:\program files\Common Files\Nullsoft
2010-02-15 22:48 . 1999-11-10 19:05 86016 ----a-w- c:\windows\unvise32qt.exe
2010-02-15 22:48 . 2010-02-15 22:48 -------- d-----w- c:\program files\QuickTime
2010-02-15 22:48 . 2010-02-15 22:48 -------- d-----w- c:\windows\system32\QuickTime
2010-02-15 22:48 . 2010-02-15 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-02-15 22:46 . 2010-02-15 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2010-02-15 22:46 . 2010-02-17 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-02-15 22:46 . 2010-02-17 03:16 -------- d-----w- c:\program files\Common Files\AOL
2010-02-15 22:46 . 2010-02-15 22:46 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-02-15 22:46 . 2010-02-15 22:46 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-02-15 22:46 . 2010-02-15 22:46 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2010-02-15 22:46 . 2010-02-15 22:46 335 ----a-w- c:\windows\nsreg.dat
2010-02-15 22:46 . 2010-02-15 22:46 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2010-02-15 22:46 . 2010-02-15 22:46 -------- d-----w- c:\program files\MSN Encarta Plus
2010-02-15 22:46 . 2010-02-15 22:46 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-02-15 22:46 . 2010-02-15 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-02-15 22:46 . 2010-02-15 22:46 -------- d-----w- c:\program files\Napster
2010-02-15 22:45 . 2010-02-15 22:45 4 ----a-w- c:\windows\Pix11.dat
2010-02-15 22:45 . 2010-02-15 22:45 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-02-15 22:44 . 2010-02-15 22:44 -------- d-----w- c:\program files\VIA
2010-02-15 22:44 . 2004-09-04 00:07 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-02-15 22:44 . 2010-02-15 22:44 -------- d-----w- c:\program files\SIFXINST
2010-02-15 22:43 . 2010-02-15 22:43 -------- d-----w- c:\program files\Java
2010-02-15 22:43 . 2010-02-15 22:43 -------- d-----w- c:\program files\Common Files\Java
2010-02-15 22:43 . 2010-02-15 22:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}
2010-02-15 22:43 . 2010-02-15 22:43 -------- d-----w- c:\program files\CyberLink
2010-02-15 22:42 . 2004-07-15 22:08 471300 ----a-w- c:\windows\wallpe.exe
2010-02-15 22:41 . 2007-04-09 19:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-02-15 22:41 . 2007-04-09 19:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-02-15 22:40 . 2010-02-15 22:40 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-15 22:40 . 2010-02-15 22:40 -------- d-----w- c:\windows\SHELLNEW
2010-02-15 22:40 . 2010-02-15 22:40 -------- d-----w- c:\program files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 19:03 . 2004-08-26 18:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-17 03:20 . 2010-02-15 22:47 -------- d-----w- c:\program files\Pure Networks
2010-02-16 01:28 . 2010-02-15 22:33 -------- d-----w- c:\program files\BigFix
2010-02-15 22:50 . 2010-02-15 22:50 -------- d-----w- c:\program files\Realtek Sound Manager
2010-02-15 22:50 . 2010-02-15 22:50 -------- d-----w- c:\program files\AvRack
2010-02-15 22:50 . 2010-02-15 22:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-15 22:47 . 2010-02-15 22:47 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-02-15 22:47 . 2010-02-15 22:47 -------- d-----w- c:\program files\Common Files\Real
2010-02-15 22:47 . 2010-02-15 22:47 -------- d-----w- c:\program files\Real
2010-02-15 22:47 . 2010-02-15 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-15 22:47 . 2010-02-15 22:47 -------- d-----w- c:\program files\Viewpoint
2010-02-15 22:47 . 2010-02-15 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2010-02-15 22:33 . 2010-02-15 22:33 -------- d-----w- c:\program files\Microsoft Works
2010-02-15 22:14 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
2010-01-06 00:04 . 2010-01-06 00:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 00:04 . 2010-01-06 00:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:50 . 2010-02-13 02:54 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2010-02-13 02:55 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2010-02-13 02:53 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2010-02-13 02:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2010-02-13 02:53 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2010-02-15 22:17 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2010-02-13 02:54 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2010-02-15 22:17 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2010-02-13 02:53 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2010-02-15 22:17 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2010-02-13 02:53 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2010-02-13 02:51 84992 ----a-w- c:\windows\system32\avifil32.dll
2010-01-06 00:04 . 2010-02-17 03:47 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-17_19.56.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 21:04 . 2010-02-21 21:04 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
- 2010-02-13 02:55 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll
+ 2010-02-13 02:55 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll
+ 2004-08-26 18:07 . 2010-02-20 21:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-26 18:07 . 2010-02-17 19:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-26 18:07 . 2010-02-20 21:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2010-02-17 19:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-17 22:59 . 2010-02-20 21:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-13 02:55 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
- 2010-02-13 02:55 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe
- 2010-02-13 02:54 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll
+ 2010-02-13 02:54 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll
- 2010-02-13 02:54 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll
+ 2010-02-13 02:54 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll
+ 2008-05-08 11:24 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe
+ 2008-05-09 10:53 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-07 09:07 . 2008-05-07 09:07 135168 c:\windows\system32\dllcache\cscript.exe
+ 2010-02-13 02:52 . 2008-05-07 09:07 135168 c:\windows\system32\cscript.exe
+ 2010-02-13 02:53 . 2009-06-10 15:19 2066432 c:\windows\system32\mstscax.dll
+ 2010-02-13 02:53 . 2009-06-10 15:19 2066432 c:\windows\system32\dllcache\mstscax.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 03:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 03:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 03:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-03-12 147456]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"SoundMan"="SOUNDMAN.EXE" [2003-12-09 67584]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-01-27 1179952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2010-2-15 729088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/16/2010 9:47 PM 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2/16/2010 9:49 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/16/2010 9:47 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/16/2010 9:47 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/16/2010 9:47 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [2/16/2010 9:47 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [2/16/2010 9:47 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 9:14 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/16/2010 9:47 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/16/2010 9:47 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/16/2010 9:47 PM 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/16/2010 9:47 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/16/2010 9:47 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2010-02-13 00:12]

2010-02-15 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2010-02-13 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0diykrkn.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 17:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2360)
c:\windows\system32\WININET.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-02-22 17:20:35
ComboFix-quarantined-files.txt 2010-02-22 23:20
ComboFix2.txt 2010-02-17 19:59
ComboFix3.txt 2010-02-17 06:33
ComboFix4.txt 2010-02-17 05:52

Pre-Run: 85,465,124,864 bytes free
Post-Run: 85,400,637,440 bytes free

- - End Of File - - 71A5D4FF4885C3F3DFC343226339F28F


#15 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 22 February 2010 - 06:57 PM

Hi,

Please try booting into safe mode now and let me know if that was fixed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!