
IE 7 redirects to random websites


  • This topic is locked
13 replies to this topic

#1 Tim Pierson (Members, 7 posts)

Posted 23 March 2010 - 07:53 PM

Hello, in IE 7.0.5730.13 I am getting redirected to random sites when clicking on search results. Typing in the address directly does go to the site. For example, searching (with Google search) for "healthcare" and then clicking on the link for whitehouse.gov, it goes to a Seattle cityscape website. Different ones each time.

Here's what I have tried:

Spybot full scan - 1 object removed
McAfee full scan - none found
Sophos Anti-Rootkit partial scan - none found
Cleaned the registry with RegSeeker - approx. 1200 objects cleaned/removed
Disabled a startup item with a blank description using msconfig
Malwarebytes scan - removed 4 adware objects
Disabled CD emulation with Defogger
Ran DDS and have dds.log and attach.log
GMER scan crashed the system with a blue screen "Stop". Removed Malwarebytes and reran with registry and files unchecked - ran OK


This is a Dell Vostro 410 desktop XP SP3 computer about a year old.

Attached are the ark.txt and attach.txt files.

Thank you for your help.

Here's the dds log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Connie at 11:25:06.90 on Tue 03/23/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1296 [GMT -7:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Connie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.0\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [masqform.exe] c:\program files\ibm\lotus forms\viewer\3.0\masqform.exe -RunOnce"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPPQVideo] "c:\program files\hp\scheduledlaunch\hp color laserjet cp1510 series\bin\hppschlnch.exe" -r software\hewlett-packard\scheduledlaunch\CLJ_CP1510_Series -f PQOptimizerVideo.xml -o remindLater
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} - hxxp://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://community.weightwatchers.com/Scripts/ImageUploader5.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.705.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-15 214664]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-8-15 14144]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-8-15 8960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-8-29 47640]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2008-8-15 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-12-29 282824]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-8-15 11264]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2008-8-15 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2008-8-15 35272]
S2 gupdate1cac4b49b0d28ee;Google Update Service (gupdate1cac4b49b0d28ee);c:\program files\google\update\GoogleUpdate.exe [2010-3-15 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2008-8-15 34248]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-8-15 16640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-03-23 18:23:37 0 ----a-w- c:\documents and settings\connie\defogger_reenable
2010-03-23 17:35:22 0 d-----w- c:\docume~1\connie\applic~1\Malwarebytes
2010-03-23 17:35:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 17:35:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 17:35:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 17:35:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-23 03:26:54 0 d-----w- c:\program files\Sophos
2010-03-23 02:38:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-23 02:38:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-23 02:35:16 0 d-----w- c:\windows\pss
2010-03-22 06:14:18 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-22 03:08:51 0 d-----w- c:\docume~1\connie\applic~1\Office Genuine Advantage
2010-03-16 02:58:41 0 d-----w- c:\program files\common files\DivX Shared
2010-03-16 02:58:40 0 d-----w- c:\program files\DivX
2010-03-13 04:44:26 0 ----a-w- c:\windows\system32\񀿉
2010-02-27 05:03:24 0 d-----w- c:\documents and settings\connie\Saved Games
2010-02-27 05:03:24 0 d-----w- c:\docume~1\connie\applic~1\Flood Light Games
2010-02-27 05:03:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Flood Light Games

==================== Find3M ====================

2010-03-23 03:37:47 366504 ----a-w- c:\windows\system32\FNTCACHE.DAT
2010-01-25 19:58:06 462848 ----a-w- c:\windows\system32\ractrlkeyhook.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2008-09-14 20:46:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080901\index.dat
2008-09-14 20:46:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 11:25:44.78 ===============

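Added example, not a tool from this thread and not something the helper asked the poster to run: a small Python script that applies a few of the first-pass checks a log reader makes on a DDS log of the kind posted above, run over lines excerpted from that log. The rules (a driver or service image in a temporary path or missing from disk, a BHO CLSID whose DLL is gone, a populated AppInit_DLLs value, a zero-byte file with a non-ASCII name in system32) are generic triage heuristics, not verdicts: the MEMSWEEP2 hit, for instance, is consistent with the Sophos Anti-Rootkit scan the poster ran, and the AppInit_DLLs entry points under c:\progra~1\google, so both would be weighed against that context before anything is touched. The function names, rule wording and the section-name matching are my own assumptions about the DDS layout shown above.

```python
"""Triage a DDS log the way a malware-removal helper reads one.

Added example, not a tool from this thread. Every rule is a first-pass
heuristic: a hit means "look at this by hand", never "this is malware".
"""
import re

# Service/driver lines: "<state> <name>;<description>;<image path> [<date size>]".
# DDS prints "[?]" or "[x]" instead of date/size when the image file is missing,
# and "\??\x --> y" when it resolved an NT device path to a Win32 path.
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"\[([^\]]*)\]\s*$")
# "Created Last 30" lines: "<timestamp> <size> <attrs> <path>".
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
# Locations a kernel driver or service image has no business living in (assumed list).
TEMP_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\",
              "\\documents and settings\\")


def check_service(line):
    """Return (name, resolved image path, reasons) for a suspicious service/driver line, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest, meta = m.group("rest"), ""
    bm = META_RE.search(rest)
    if bm:
        meta, rest = bm.group(1), rest[:bm.start()]
    path = rest.split("-->")[-1].strip().lower()   # keep the resolved Win32 path
    reasons = []
    if path.endswith(".tmp") or any(h in path for h in TEMP_HINTS):
        reasons.append("image lives in a temporary or user-profile location")
    if meta in ("?", "x"):
        reasons.append("image file could not be found on disk (DDS printed [%s])" % meta)
    return (m.group("name"), path, reasons) if reasons else None


def check_hjt(line):
    """Pseudo-HJT section: registered components whose file is gone, global DLL injection."""
    if line.startswith("BHO:") and line.endswith("- No File"):
        return "BHO CLSID still registered but its DLL is gone (leftover of a removed component)"
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return "AppInit_DLLs is set: this DLL is loaded into every process that maps user32.dll"
    return None


def check_created(line):
    """'Created Last 30': zero-byte files with non-ASCII names dropped into system32."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    size, attrs, path = int(m.group(2)), m.group(3), m.group(4)
    is_dir = attrs.startswith("d")
    odd_name = any(ord(c) > 127 for c in path)
    if not is_dir and size == 0 and "\\system32\\" in path.lower() and odd_name:
        return "zero-byte file with a non-ASCII name in system32"
    return None


def triage(log_text):
    """Walk the log section by section and collect every rule hit as a dict."""
    section, hits = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ").lower()      # "=== Pseudo HJT Report ===" -> "pseudo hjt report"
            continue
        if not line:
            continue
        if section == "services / drivers":
            r = check_service(line)
            if r:
                hits.append({"section": section, "item": r[0], "path": r[1], "reasons": r[2]})
        elif section in ("pseudo hjt report", "created last 30"):
            reason = check_hjt(line) if section == "pseudo hjt report" else check_created(line)
            if reason:
                hits.append({"section": section, "item": line, "path": "", "reasons": [reason]})
    return hits


# Sample input: lines excerpted from the DDS log posted above, a few per section,
# enough to exercise every rule (the odd filename is copied from that log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-15 214664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-03-23 17:35:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 04:44:26 0 ----a-w- c:\windows\system32\񀿉

============= FINISH: 11:25:44.78 ===============
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print("[%s] %s" % (h["section"], h["item"]))
        for r in h["reasons"]:
            print("    - " + r)
```

Run as a script it prints five hits for the excerpt: two from the Pseudo-HJT section, two service entries (MEMSWEEP2 for both the .tmp image and the missing file, LMIRfsClientNP for the missing file only) and the zero-byte system32 file. A hit whose image still exists is checked next by its digital signature and vendor; one whose image is gone is checked against what was uninstalled or quarantined recently, which is exactly the kind of context the helper asks the poster for.
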
#2 Elise (Malware Study Hall Admin, 60,815 posts)

Posted 27 March 2010 - 04:59 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise



#3 Tim Pierson (Topic Starter)

Posted 28 March 2010 - 11:12 PM

Hi Elise, and thanks for your help.

I was able to run GMER this time fully without crashing. It examined all files on the system. Here are the logs:

OTL:
OTL logfile created on: 3/28/2010 6:58:42 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Connie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 123.47 Gb Free Space | 82.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.87 Gb Total Space | 1.74 Gb Free Space | 93.19% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CBC
Current User Name: Connie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/28 15:16:46 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Connie\Desktop\OTL.exe
PRC - [2009/12/18 11:03:12 | 000,472,384 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
PRC - [2009/12/18 11:01:08 | 000,282,824 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
PRC - [2009/12/15 15:22:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
PRC - [2009/12/15 15:21:04 | 000,014,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
PRC - [2009/10/01 17:27:29 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/10/01 17:27:19 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/09/16 17:33:46 | 000,972,064 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2009/09/16 16:22:08 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/08/17 22:54:54 | 012,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/07/27 17:19:10 | 000,199,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
PRC - [2009/05/08 17:26:32 | 000,893,112 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/02/06 18:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/01/24 09:31:28 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/01/08 08:36:42 | 002,521,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
PRC - [2008/08/15 15:04:47 | 000,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 15:31:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/02/28 15:31:50 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/02/26 14:15:30 | 000,909,312 | ---- | M] (Realtek) -- C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
PRC - [2008/02/26 08:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/02/22 02:25:21 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
PRC - [2006/09/25 07:12:20 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe


========== Modules (SafeList) ==========

MOD - [2010/03/28 15:16:46 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Connie\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/18 11:01:08 | 000,282,824 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe -- (myAgtSvc)
SRV - [2009/12/15 15:22:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe -- (McShield)
SRV - [2009/12/15 15:21:04 | 000,014,144 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe -- (EngineServer)
SRV - [2009/10/01 17:27:29 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/09/16 16:22:08 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/05/08 17:26:32 | 000,893,112 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2008/08/15 15:04:47 | 000,029,744 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-010708-104812)
SRV - [2008/02/28 15:31:50 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2007/10/18 11:51:58 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe -- (Sony SCSI Helper Service)
SRV - [2007/05/24 07:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV - [2009/12/15 15:29:52 | 000,055,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/12/15 15:29:42 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (MfeRKDK)
DRV - [2009/12/15 15:29:34 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/12/15 15:29:30 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (MfeBOPK)
DRV - [2009/12/15 15:29:26 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (MfeAVFK)
DRV - [2009/10/01 17:27:21 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/04/09 15:23:02 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/10/17 18:35:48 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/28 15:31:52 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/02/02 11:52:54 | 000,105,856 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/01/31 12:23:42 | 000,308,248 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/01/31 12:20:36 | 004,637,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/12/03 09:13:48 | 000,011,264 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2007/11/19 23:14:08 | 000,016,640 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTLVLAN.SYS -- (RTLVLAN)
DRV - [2007/11/19 23:04:50 | 000,008,960 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)
DRV - [2007/08/27 18:51:18 | 002,371,584 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/07/16 08:29:33 | 000,017,432 | R--- | M] (Hewlett Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2004/08/04 03:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 03:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/03 20:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/05/13 19:57:02 | 000,090,357 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P1110Vid.sys -- (P1110VID)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/...?channel=us-smb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080815
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...?channel=us-smb
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (PE_IE_Helper Class) - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.0\PEhelper.dll (IBM Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [8169Diag] C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe (Realtek)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe ()
O4 - HKLM..\Run: [HPPQVideo] C:\Program Files\HP\ScheduledLaunch\HP Color LaserJet CP1510 Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CP1510_Series -f PQOptimizerVideo.xml File not found
O4 - HKLM..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [masqform.exe] C:\Program Files\IBM\Lotus Forms\Viewer\3.0\masqform.exe (IBM Corporation)
O4 - HKLM..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk = C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (MSN Games Matchmaking)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab (CPlayFirstmsiControl Object)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab (MSN Games Buddy Invite)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab (MSN Games Game Chat)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://community.weightwatchers.com/Script...geUploader5.cab (Image Uploader Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab (ZPA_DMNO Object)
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab (UnoCtrl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab (ZPA_WheelOfFortune Object)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab (MSN Games Hearts)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab55579.cab (MSN Games Game Communicator)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.705.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Connie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Connie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0670131e-b073-11dd-963f-00219b03bf5d}\Shell\AutoRun\command - "" = setupSNK.exe
O33 - MountPoints2\{b7cba438-cfc2-11de-969a-00219b03bf5d}\Shell - "" = AutoRun
O33 - MountPoints2\{b7cba438-cfc2-11de-969a-00219b03bf5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7cba438-cfc2-11de-969a-00219b03bf5d}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f311732d-f4ae-11de-96a1-00219b03bf5d}\Shell - "" = AutoRun
O33 - MountPoints2\{f311732d-f4ae-11de-96a1-00219b03bf5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f311732d-f4ae-11de-96a1-00219b03bf5d}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/28 18:58:09 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Connie\Desktop\OTL.exe
[2010/03/23 11:35:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\Desktop\gmer
[2010/03/23 10:35:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\Application Data\Malwarebytes
[2010/03/23 10:35:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/23 10:35:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/23 10:34:43 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Connie\Desktop\mbam-setup.exe
[2010/03/22 20:26:54 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/03/22 20:10:05 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2010/03/22 19:38:36 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/03/22 19:38:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/03/22 19:35:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/03/21 23:14:18 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/21 20:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\Application Data\Office Genuine Advantage
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/03/21 19:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/03/21 19:16:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/03/21 15:17:59 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/03/19 11:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\Local Settings\Application Data\Temp
[2010/03/19 11:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/03/19 08:10:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Connie\Recent
[2010/03/19 07:47:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/15 19:59:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\My Documents\Downloads
[2010/03/15 19:58:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/03/15 19:58:40 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/02/26 22:03:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\Saved Games
[2010/02/26 22:03:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Connie\Application Data\Flood Light Games
[2010/02/26 22:03:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Flood Light Games
[2010/01/20 08:48:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/14 20:51:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/09/08 08:44:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2009/08/16 12:51:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/11 10:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/21 13:51:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\HP
[2009/01/11 22:09:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/09/19 19:26:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/08/29 03:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2006/02/19 03:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/28 15:16:46 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Connie\Desktop\OTL.exe
[2010/03/27 22:29:05 | 000,000,318 | ---- | M] () -- C:\WINDOWS\tasks\HP WEP.job
[2010/03/27 21:48:34 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\Excel.lnk
[2010/03/27 20:26:26 | 000,016,476 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/03/27 19:28:08 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\Microsoft Office Outlook 2007.lnk
[2010/03/27 19:20:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/27 19:18:08 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/03/27 19:18:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/27 19:18:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/27 19:18:01 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/27 19:17:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Connie\ntuser.ini
[2010/03/27 19:17:09 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\Connie\ntuser.dat
[2010/03/27 19:16:31 | 000,012,329 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\fishville Compete.xlsx
[2010/03/27 17:33:51 | 000,026,090 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Santos 35A_Inspection.xfdl
[2010/03/27 17:27:58 | 000,012,035 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Santos TitleContingency.xfdl
[2010/03/27 17:27:12 | 000,014,750 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Santos Utilities.xfdl
[2010/03/27 17:26:51 | 000,024,894 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Santos lead.xfdl
[2010/03/27 17:26:05 | 000,020,627 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\santos fin.xfdl
[2010/03/27 17:24:16 | 000,059,309 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Santos.xfdl
[2010/03/27 08:28:13 | 000,000,587 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/27 08:28:13 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/27 08:28:13 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/03/26 20:48:06 | 000,017,927 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Fishville Chart-XP Level One.xlsx
[2010/03/25 17:50:20 | 000,000,165 | -H-- | M] () -- C:\Documents and Settings\Connie\My Documents\~$fishville Compete.xlsx
[2010/03/23 11:30:44 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\gmer.zip
[2010/03/23 11:24:51 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\dds.scr
[2010/03/23 11:23:37 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Connie\defogger_reenable
[2010/03/23 11:22:56 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\Defogger.exe
[2010/03/23 10:34:47 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Connie\Desktop\mbam-setup.exe
[2010/03/22 21:51:39 | 000,025,883 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Santos Inspect.xfdl
[2010/03/22 21:46:42 | 000,058,847 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\santos p&S.xfdl
[2010/03/22 20:37:47 | 000,366,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/22 20:36:33 | 000,556,758 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 20:36:33 | 000,466,744 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/22 20:36:33 | 000,079,834 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/22 08:02:53 | 000,018,928 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\fishville level timing.xlsx
[2010/03/22 07:34:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/19 08:10:25 | 000,001,581 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\CCleaner.lnk
[2010/03/15 19:58:41 | 000,001,519 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\DivX Movies.lnk
[2010/03/12 21:44:26 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\񀿉
[2010/03/10 21:34:44 | 021,827,584 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Brown Flyer.pub
[2010/03/10 18:36:16 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\Microsoft Office Publisher 2003 (2).lnk
[2010/02/28 20:23:26 | 000,010,666 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\1096 template.docx
[2010/02/28 19:53:13 | 000,010,411 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\W3 template.docx
[2010/02/28 19:39:06 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\Word.lnk
[2010/02/28 19:31:29 | 000,010,585 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\W2 Template.docx
[2010/02/27 10:15:13 | 000,069,120 | ---- | M] () -- C:\Documents and Settings\Connie\My Documents\Keep eyes on God.pub
[2010/02/26 22:03:07 | 000,001,534 | ---- | M] () -- C:\Documents and Settings\Connie\Desktop\MSN Games.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/27 19:28:16 | 000,000,318 | ---- | C] () -- C:\WINDOWS\tasks\HP WEP.job
[2010/03/27 17:33:51 | 000,026,090 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Santos 35A_Inspection.xfdl
[2010/03/27 17:27:58 | 000,012,035 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Santos TitleContingency.xfdl
[2010/03/27 17:27:12 | 000,014,750 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Santos Utilities.xfdl
[2010/03/25 17:50:20 | 000,000,165 | -H-- | C] () -- C:\Documents and Settings\Connie\My Documents\~$fishville Compete.xlsx
[2010/03/23 11:30:42 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Connie\Desktop\gmer.zip
[2010/03/23 11:24:45 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Connie\Desktop\dds.scr
[2010/03/23 11:23:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Connie\defogger_reenable
[2010/03/23 11:22:55 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Connie\Desktop\Defogger.exe
[2010/03/22 21:51:39 | 000,025,883 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Santos Inspect.xfdl
[2010/03/22 21:50:55 | 000,024,894 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Santos lead.xfdl
[2010/03/22 21:48:58 | 000,020,627 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\santos fin.xfdl
[2010/03/22 21:46:42 | 000,058,847 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\santos p&S.xfdl
[2010/03/22 21:42:16 | 000,059,309 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Santos.xfdl
[2010/03/22 07:34:56 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/03/21 19:16:45 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/03/15 19:58:41 | 000,001,519 | ---- | C] () -- C:\Documents and Settings\Connie\Desktop\DivX Movies.lnk
[2010/03/14 20:25:06 | 000,012,329 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\fishville Compete.xlsx
[2010/03/12 21:44:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\񀿉
[2010/03/09 22:20:25 | 021,827,584 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Brown Flyer.pub
[2010/02/28 20:23:26 | 000,010,666 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\1096 template.docx
[2010/02/28 19:46:44 | 000,010,411 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\W3 template.docx
[2010/02/28 19:23:07 | 000,010,585 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\W2 Template.docx
[2010/02/27 10:08:05 | 000,069,120 | ---- | C] () -- C:\Documents and Settings\Connie\My Documents\Keep eyes on God.pub
[2010/01/08 15:57:05 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/17 10:53:21 | 000,018,790 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2009/01/20 20:11:17 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/12/10 11:06:08 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2008/10/16 19:19:54 | 000,000,059 | ---- | C] () -- C:\WINDOWS\sview.ini
[2008/09/14 06:58:23 | 000,734,764 | ---- | C] () -- C:\Documents and Settings\Connie\Application Data\datasafeupdate.msi
[2008/08/30 11:44:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/08/29 20:03:57 | 000,005,598 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/08/27 20:18:46 | 000,749,568 | R--- | C] () -- C:\WINDOWS\System32\agi1600.dll
[2008/08/27 20:18:45 | 001,777,664 | R--- | C] () -- C:\WINDOWS\System32\zhp1600r.dll
[2008/08/27 20:18:44 | 000,114,688 | R--- | C] () -- C:\WINDOWS\System32\VSHP1600.dll
[2008/08/27 07:35:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/08/26 19:52:31 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Connie\Local Settings\Application Data\fusioncache.dat
[2008/08/15 15:10:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/08/15 14:40:12 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/02/28 15:30:08 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/10/18 18:36:54 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\deskMenu2.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/03/16 17:00:00 | 000,003,403 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2004/08/11 15:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 15:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E1069F99
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69B9AAE7
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D3FFFBA9
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1BC1C318
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:40546375
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4D7FCCD3
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA7BE830
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F5BB3657
< End of report >


Here is the extras log:
OTL Extras logfile created on: 3/28/2010 6:58:42 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Connie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 123.47 Gb Free Space | 82.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.87 Gb Total Space | 1.74 Gb Free Space | 93.19% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CBC
Current User Name: Connie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- (McAfee, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- (McAfee, Inc.)
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}" = 32 Bit HP CIO Components Installer
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax
"{1C5D5D15-CABD-4C5A-A80E-B5C4CA6FE90A}" = hppTLBXFXCP1510
"{1F73D672-6175-4A1D-B3C1-420439D03D0F}" = Product_SF_Full_QFolder
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20B30DC1-E423-4939-B51D-05C58B0F9BBB}" = HP Photosmart All-In-One Driver Software 10.0 Rel .2
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{223C0721-A6B0-4853-88C0-331029841734}" = HP Color LaserJet CP1510 Series 2.0
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{414C803A-6115-4DB6-BD4E-FD81EA6BC71C}" = Product_SF_Min_QFolder
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{42756145-9997-4D28-809B-8756BFD00107}" = Microsoft Digital Image Pro 10
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{50CE6FB8-23DF-42B1-98CE-AA17A0905C7A}" = Learning QuickBooks 2009
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{51592ABE-532F-4E96-8AE3-97A5AA0FB5D2}" = Desktop Notifier
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5E894531-91FB-4B76-AA0F-49E0E1F357D6}" = hppPQVideoCP1510
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{64FD4D83-085A-49D0-905A-F06057B73DA3}" = hppCLJCP1510
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{7ADCEEA0-AC82-4360-AD6B-CCF01B66F9DB}" = hppusgCP1510
"{7B02BF60-796D-4616-908B-B31A63CFDEFB}" = HPCarePackCore
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}" = Visual C++ 8.0 x86 Runtime Setup Package
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115650950}" = Top Chef
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{88253B77-33C9-4A9D-9E4C-4579E39D9158}" = Diagnostics Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_BASICR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_BASICR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_BASICR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91190409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Publisher 2003
"{9203AC41-0E7B-445A-98E6-AB3072CB4A10}" = HPCarePackProducts
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A0BBF7AB-2F47-47DC-BB02-4C826F2BC73B}" = IBM Lotus Forms Viewer 3.0
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}" = PRS-500 USB driver
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3B4CD34-6C20-4b28-A231-FEC55B42C579}" = c6100_Help
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{B932A416-28A7-4D08-89A6-7A0464DAD37D}" = hpzTLBXFX
"{b9be267c-e096-4cce-a4fd-f24eec004938}" = PS_AIO_02_ProductContext
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C239BCD7-882A-478F-A5CF-DDEB074A4291}" = eBook Library by Sony
"{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes
"{c4549405-195f-4450-8865-6be9dc5ad136}" = PS_AIO_02_Software_Min
"{c600ab3d-8b64-41df-bf36-b3d87ce0706b}" = C7200_Help
"{C8574AE5-370F-4246-A301-B85A2CC89A5E}" = C6100
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{cd0b9359-b716-4fd0-8e0a-09b3e312e8a4}" = PS_AIO_02_Software
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CECEB0FF-5C45-4b50-9A00-C596E36D88F4}" = C7200
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D8AC1EB5-E8B0-44A0-B113-899407188A2F}" = hppFonts
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{ED0042CA-CBEA-4ADF-B262-FE0518AF2221}" = LogMeIn
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{ED5BDA06-0D68-4B4C-93FE-50BE94ADA6E9}" = hppManualsCP1510
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"75070B1806113224B16C70296B90DD1AD8A53479" = Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
"AAA Logo 2009 Free Trial_is1" = AAA Logo 2009 Home Edition 3.0 Free Trial
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ATI Display Driver" = ATI Display Driver
"BASICR" = Microsoft Office Basic 2007
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Creative PC-CAM Center" = Creative PC-CAM Center Lite
"Creative PD1110" = Creative WebCam NX Driver (1.02.01.0827)
"Creative WebCam Monitor" = Creative WebCam Monitor
"Creative WebCam NX User's Guide English" = Creative WebCam NX User's Guide (English)
"deskPDF 2.5 Professional_is1" = deskPDF 2.5 Professional Edition
"EFileMagic" = E-File Magic - 2009
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"GPL Ghostscript_is1" = Docudesk GPL Ghostscript 8.15
"HijackThis" = HijackThis 1.99.1
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HP-Color LaserJet 1600" = Color LaserJet 1600
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Learning QuickBooks 2009" = Learning QuickBooks 2009
"McAfee Managed Firewall" = McAfee Firewall Protection Service
"McAfee Security Scan" = McAfee Security Scan
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSNINST" = MSN
"MVS" = McAfee Virus and Spyware Protection Service
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureIt_PI2_v10" = Microsoft Digital Image Pro 10
"SearchAssist" = SearchAssist
"Shop for HP Supplies" = Shop for HP Supplies
"Time Stamp_is1" = Time Stamp
"W2 Mate (2009)_is1" = W2 Mate (2009) 6.0.35
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2803712148-4218544504-2834424877-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320
"Move Media Player" = Move Media Player
"SmartDraw 2009" = SmartDraw 2009

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/26/2010 9:50:46 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/26/2010 9:51:15 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/26/2010 9:51:40 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/26/2010 10:25:30 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/26/2010 10:25:30 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/26/2010 10:25:30 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/26/2010 10:25:43 PM | Computer Name = CBC | Source = QuickBooks | ID = 4
Description =

Error - 3/27/2010 11:27:51 AM | Computer Name = CBC | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 hptlbxfx.exe, P2 3.13.279.0, P3 46d446dd, P4
hpapptools, P5 3.13.279.0, P6 46d446ae, P7 13d, P8 f, P9 system.nullreferenceexception,
P10 NIL.

Error - 3/27/2010 10:26:15 PM | Computer Name = CBC | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 hptlbxfx.exe, P2 3.13.279.0, P3 46d446dd, P4
hpapptools, P5 3.13.279.0, P6 46d446ae, P7 13d, P8 f, P9 system.nullreferenceexception,
P10 NIL.

Error - 3/27/2010 10:31:02 PM | Computer Name = CBC | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

[ OSession Events ]
Error - 9/2/2008 11:38:37 PM | Computer Name = D85H45H1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 134729
seconds with 3180 seconds of active time. This session ended with a crash.

Error - 11/30/2008 11:22:20 AM | Computer Name = CBC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 396145
seconds with 5940 seconds of active time. This session ended with a crash.

Error - 12/15/2008 10:58:18 PM | Computer Name = CBC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 122136
seconds with 1320 seconds of active time. This session ended with a crash.

Error - 2/28/2009 3:37:14 PM | Computer Name = CBC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 270130
seconds with 9060 seconds of active time. This session ended with a crash.

Error - 3/23/2009 11:53:33 AM | Computer Name = CBC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 296905
seconds with 4200 seconds of active time. This session ended with a crash.

Error - 4/27/2009 9:47:11 AM | Computer Name = CBC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 122918
seconds with 1020 seconds of active time. This session ended with a crash.

Error - 9/4/2009 11:44:56 AM | Computer Name = CBC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1597
seconds with 240 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/23/2010 2:40:33 PM | Computer Name = CBC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 3/23/2010 2:40:37 PM | Computer Name = CBC | Source = Service Control Manager | ID = 7034
Description = The McAfee Virus and Spyware Protection Service service terminated
unexpectedly. It has done this 1 time(s).

Error - 3/23/2010 3:30:10 PM | Computer Name = CBC | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 3/23/2010 3:53:21 PM | Computer Name = CBC | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 3/23/2010 4:34:00 PM | Computer Name = CBC | Source = DCOM | ID = 10010
Description = The server {89DAE4CD-9F17-4980-902A-99BA84A8F5C8} did not register
with DCOM within the required timeout.

Error - 3/23/2010 7:26:25 PM | Computer Name = CBC | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 3/25/2010 10:16:31 AM | Computer Name = CBC | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{BE745E1D-25BE-4BC7-8280-2A2CE352C1B8}. The
backup browser is stopping.

Error - 3/27/2010 11:09:23 AM | Computer Name = CBC | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.2 on
the Network Card with network address 00219B03BF5D.

Error - 3/27/2010 11:14:37 AM | Computer Name = CBC | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 3/27/2010 10:20:21 PM | Computer Name = CBC | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >

Here is the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-28 20:46:59
Windows 5.1.2600 Service Pack 3
Running: d96xwglg.exe; Driver: C:\DOCUME~1\Connie\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB0B6C78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB0B6C738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB0B6C74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB0B6C7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB0B6C710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB0B6C724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB0B6C79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB0B6C776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB0B6C762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB0B6C7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB0B6C7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB0B6C7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP B0B6C7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B0B6C78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B0B6C7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B0B6C7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B0B6C7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B0B6C714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B0B6C728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B0B6C766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B0B6C750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP B0B6C73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B0B6C77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B0B6C7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F21780]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013F000A
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013F0F86
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013F0FA1
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013F0FB2
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013F006F
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013F0FD4
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013F00C4
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013F00A7
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013F00DF
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013F0F46
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013F00FA
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013F0FC3
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013F0025
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013F0096
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013F0036
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013F0FE5
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013F0F61
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013E0047
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013E0087
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013E0036
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013E001B
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013E006C
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013E0000
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013E0FCA
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5E, 89]
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013E0FDB
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FBC
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E4008E
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40073
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40062
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40051
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40F63
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E400B5
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F41
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E400D0
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E400EB
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E40F7E
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E40F52
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E30025
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E30079
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E30014
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E30054
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E30FB2
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [03, 89]
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60040
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FB5
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD7
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FC6
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60011
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026D000A
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026D0F6D
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026D0F7E
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026D0058
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026D0FA5
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026D0036
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026D0F41
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026D0F52
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026D0F15
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026D0F26
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026D00D3
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026D0047
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026D0FEF
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026D007D
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026D0FCA
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026D001B
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026D00A4
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 026C0FE5
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 026C006C
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 026C0036
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 026C0025
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 026C0FAF
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 026C000A
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 026C0051
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 026C0FCA
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026B0042
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 026B0031
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026B0FD2
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026B0000
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026B0FC1
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026B0FE3
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 026A0FEF
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012A0000
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012A0F9E
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012A0093
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012A006C
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012A0051
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012A002C
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012A0F83
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012A00CB
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012A00F0
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012A0F57
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012A0F32
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012A0FAF
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012A0011
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012A00AE
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012A0FC0
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012A0FD1
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012A0F72
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01290FCA
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0129005B
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01290FDB
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01290011
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01290F9E
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01290000
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01290FAF
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 89]
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01290036
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FAD
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0038
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FBE
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026E0FEF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026E0067
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026E0F72
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026E0F83
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026E0040
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026E0FAF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026E0078
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026E0F30
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026E0F0B
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026E009A
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026E00BF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026E0F9E
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026E0FD4
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026E0F4D
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026E0025
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026E000A
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026E0089
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 026D002F
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 026D0080
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 026D001E
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 026D0FDE
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 026D0FB9
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 026D0FEF
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 026D005B
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 026D004A
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026B0F90
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 026B0FAB
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026B001B
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026B0000
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026B0FBC
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026B0FD7
.text C:\WINDOWS\System32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 026A000A
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02690000
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02690FE5
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02690FCA
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0269001B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F7C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F8D
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0090005B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900040
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F44
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F61
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000C9
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000B8
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009000E4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F9E
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0090008C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009000A7
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008F001B
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008F0051
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008F0F94
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008F0FAF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AF, 88]
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008F0036
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008E0FC8
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 008E0053
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008E0038
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008E000C
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008E0FE3
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008E001D
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00078
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00F8D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B0005B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00F9E
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B0002F
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F4D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F5E
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F2B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000BA
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B000DF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00040
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00FD4
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00089
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00FB9
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F3C
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF004E
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF001B
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0F91
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF003D
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0FC0
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0FAB
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0036

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 Elise

Posted 29 March 2010 - 04:30 AM

Hello Tim Pierson,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 Tim Pierson
Posted 29 March 2010 - 09:58 PM

Here is the combofix log. Although I had disabled McAfee, somehow when it tried to install the recovery console the McAfee service had restarted, and McAfee prevented Combofix from accessing the internet. Before I could try to restart it, Combofix proceeded.

We feel that if it can be cleaned it will be ok. No unauthorized person accessed this computer in person, we know when and where the trojan came from (infected email from a friend's computer which has been turned into a zombie bot), and as far as we can tell the trojan was only redirecting searches to click websites. I understand there is some small risk but we will accept that at this point.

Combofix completed, and now internet searches are not getting redirected. The computer appears to be running normally. Any further steps?

Thanks so much for your help.



ComboFix 10-03-29.02 - Connie 03/29/2010 19:12:26.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1553 [GMT -7:00]
Running from: c:\documents and settings\Connie\Desktop\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-23 17:35 . 2010-03-23 17:35 -------- d-----w- c:\documents and settings\Connie\Application Data\Malwarebytes
2010-03-23 17:35 . 2010-03-23 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 17:35 . 2010-03-23 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-23 03:26 . 2010-03-23 03:35 -------- d-----w- c:\program files\Sophos
2010-03-23 02:38 . 2010-03-23 03:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-23 02:38 . 2010-03-23 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-22 06:14 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-22 03:08 . 2010-03-22 03:08 -------- d-----w- c:\documents and settings\Connie\Application Data\Office Genuine Advantage
2010-03-21 22:17 . 2010-03-21 22:24 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-19 18:07 . 2010-03-25 05:50 -------- d-----w- c:\documents and settings\Connie\Local Settings\Application Data\Temp
2010-03-19 18:02 . 2010-03-19 18:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-03-19 14:47 . 2010-03-19 14:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-16 02:58 . 2010-03-16 02:58 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-16 02:58 . 2010-03-16 02:59 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 02:01 . 2009-01-22 03:05 -------- d-----w- c:\documents and settings\Connie\Application Data\HPAppData
2010-03-29 14:05 . 2008-08-29 14:13 -------- d-----w- c:\program files\LogMeIn
2010-03-27 03:31 . 2008-08-30 05:10 14612 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2010-03-23 03:30 . 2008-08-15 22:10 98736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-22 14:33 . 2008-08-15 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-19 15:10 . 2009-02-13 16:10 -------- d-----w- c:\program files\CCleaner
2010-03-16 02:59 . 2008-08-15 22:04 -------- d-----w- c:\program files\Google
2010-02-27 14:35 . 2008-11-27 10:11 -------- d-----w- c:\program files\MSN Games
2010-02-27 05:27 . 2008-11-27 10:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-27 05:03 . 2010-02-27 05:03 -------- d-----w- c:\documents and settings\Connie\Application Data\Flood Light Games
2010-02-27 05:03 . 2010-02-27 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-02-27 05:02 . 2008-11-27 10:11 -------- d-----w- c:\program files\Oberon Media
2010-02-22 01:09 . 2009-12-05 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-02-20 16:18 . 2009-11-09 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-12 05:38 . 2009-11-09 21:04 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-01 21:21 . 2010-02-01 21:21 -------- d-----w- c:\program files\Real Business Solutions
2010-01-25 19:58 . 2008-02-28 22:30 462848 ----a-w- c:\windows\system32\ractrlkeyhook.dll
2010-01-15 01:16 . 2010-01-15 01:16 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-01-15 01:16 . 2010-01-15 01:16 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-05 10:00 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-15 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2009-12-18 472384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"masqform.exe"="c:\program files\IBM\Lotus Forms\Viewer\3.0\masqform.exe" [2008-01-17 991232]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-10 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2007-08-28 53248]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-08 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 00:27 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [8/15/2008 3:07 PM 14144]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [8/15/2008 3:00 PM 8960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [12/29/2009 10:49 AM 282824]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2008 3:00 PM 11264]
S2 gupdate1cac4b49b0d28ee;Google Update Service (gupdate1cac4b49b0d28ee);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 7:58 PM 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [8/15/2008 3:00 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPPQVideo - c:\program files\HP\ScheduledLaunch\HP Color LaserJet CP1510 Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CP1510_Series -f PQOptimizerVideo.xml
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\17.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(4760)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-03-29 19:28:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 02:27

Pre-Run: 132,073,979,904 bytes free
Post-Run: 133,004,738,560 bytes free

- - End Of File - - BDA9677316520DE925DE957E69554032


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • Gender:Female
  • Location:Romania

Posted 30 March 2010 - 02:14 AM

Hello Tim Pierson,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
File::
c:\windows\system32\17.tmp

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

DDS::
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
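The CFScript above removes one file and the service key that points at it. As an added example that is not part of this thread and not ComboFix's own code, the Python below parses the R/S service lines of a ComboFix log, flags entries whose image file is missing (the `[?]` marker) or is a `.tmp` file, and drafts the matching `File::` and `Registry::` sections; the sample lines are copied from the log above, and the `ControlSet001` key path is the one ComboFix printed for MEMSWEEP2 in that log (an assumption for other logs). A flagged entry is a lead for the helper to judge, not a verdict.

```python
"""Triage the service lines of a ComboFix log and draft a CFScript.

Added example, not code from the thread or from ComboFix. Line format as
shown in the log above: R = running, S = stopped, digit = start type, then
name;display name;image path [date size], or [?] when the image is not on disk.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the service lines quoted in the ComboFix log above.
SAMPLE_SERVICE_LINES = r"""
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [8/15/2008 3:07 PM 14144]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [8/15/2008 3:00 PM 8960]
S2 gupdate1cac4b49b0d28ee;Google Update Service (gupdate1cac4b49b0d28ee);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 7:58 PM 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [8/15/2008 3:00 PM 16640]
"""

# state letter, start type, service name, display name, image path, [metadata]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[(.*)\]$")


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped, as ComboFix prints it
    start_type: int
    name: str
    display_name: str
    image_path: str     # resolved on-disk path, NT prefix and "-->" stripped
    file_present: bool  # False when ComboFix printed "[?]" instead of date/size
    reasons: list = field(default_factory=list)


def parse_service_lines(text):
    """Parse every ComboFix service line in text; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, raw_path, meta = m.groups()
        # "\??\x --> y" means ComboFix resolved the NT path to a Win32 path
        path = raw_path.split("-->")[-1].strip()
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(ServiceEntry(state, int(start), name, display, path, meta != "?"))
    return entries


def suspicious_services(entries):
    """Flag services whose image file is gone or is a temporary file."""
    flagged = []
    for e in entries:
        e.reasons = []
        if not e.file_present:
            e.reasons.append("image file not found on disk")
        if e.image_path.lower().endswith(".tmp"):
            e.reasons.append("image is a temporary (.tmp) file")
        if e.reasons:
            flagged.append(e)
    return flagged


def draft_cfscript(flagged, control_set="ControlSet001"):
    """Draft File:: and Registry:: sections in the CFScript shape used above.

    control_set mirrors the key ComboFix printed for MEMSWEEP2 in this log;
    for other logs it is an assumption to verify against the log itself.
    """
    files = [e.image_path for e in flagged]
    keys = [f"[-HKEY_LOCAL_MACHINE\\System\\{control_set}\\Services\\{e.name}]"
            for e in flagged]
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    found = suspicious_services(parse_service_lines(SAMPLE_SERVICE_LINES))
    for e in found:
        status = "running" if e.state == "R" else "stopped"
        print(f"{e.name} ({status}): {'; '.join(e.reasons)}")
    print(draft_cfscript(found))
```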


#7 Tim Pierson

Tim Pierson
  • Topic Starter

  • Members

Posted 30 March 2010 - 02:26 PM

Here is the combofix log from running that script. I would like to know what that script did and why we needed to run it? Just trying to learn something. Thanks.

ComboFix 10-03-29.04 - Connie 03/30/2010 12:10:36.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1293 [GMT -7:00]
Running from: c:\documents and settings\Connie\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Connie\Desktop\cfscript.txt
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

FILE ::
"c:\windows\system32\17.tmp"
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-23 17:35 . 2010-03-23 17:35 -------- d-----w- c:\documents and settings\Connie\Application Data\Malwarebytes
2010-03-23 17:35 . 2010-03-23 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 17:35 . 2010-03-23 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-23 03:26 . 2010-03-23 03:35 -------- d-----w- c:\program files\Sophos
2010-03-23 02:38 . 2010-03-23 03:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-23 02:38 . 2010-03-23 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-22 06:14 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-22 03:08 . 2010-03-22 03:08 -------- d-----w- c:\documents and settings\Connie\Application Data\Office Genuine Advantage
2010-03-21 22:17 . 2010-03-21 22:24 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-19 18:07 . 2010-03-25 05:50 -------- d-----w- c:\documents and settings\Connie\Local Settings\Application Data\Temp
2010-03-19 18:02 . 2010-03-19 18:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-03-19 14:47 . 2010-03-19 14:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-16 02:58 . 2010-03-16 02:58 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-16 02:58 . 2010-03-16 02:59 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 19:08 . 2009-01-22 03:05 -------- d-----w- c:\documents and settings\Connie\Application Data\HPAppData
2010-03-30 19:02 . 2008-08-29 14:13 -------- d-----w- c:\program files\LogMeIn
2010-03-27 03:31 . 2008-08-30 05:10 14612 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2010-03-23 03:30 . 2008-08-15 22:10 98736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-22 14:33 . 2008-08-15 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-19 15:10 . 2009-02-13 16:10 -------- d-----w- c:\program files\CCleaner
2010-03-16 02:59 . 2008-08-15 22:04 -------- d-----w- c:\program files\Google
2010-02-27 14:35 . 2008-11-27 10:11 -------- d-----w- c:\program files\MSN Games
2010-02-27 05:27 . 2008-11-27 10:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-27 05:03 . 2010-02-27 05:03 -------- d-----w- c:\documents and settings\Connie\Application Data\Flood Light Games
2010-02-27 05:03 . 2010-02-27 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-02-27 05:02 . 2008-11-27 10:11 -------- d-----w- c:\program files\Oberon Media
2010-02-22 01:09 . 2009-12-05 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-02-20 16:18 . 2009-11-09 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-12 05:38 . 2009-11-09 21:04 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-01 21:21 . 2010-02-01 21:21 -------- d-----w- c:\program files\Real Business Solutions
2010-01-25 19:58 . 2008-02-28 22:30 462848 ----a-w- c:\windows\system32\ractrlkeyhook.dll
2010-01-15 01:16 . 2010-01-15 01:16 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-01-15 01:16 . 2010-01-15 01:16 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-05 10:00 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-15 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2009-12-18 472384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"masqform.exe"="c:\program files\IBM\Lotus Forms\Viewer\3.0\masqform.exe" [2008-01-17 991232]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-10 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2007-08-28 53248]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-08 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 00:27 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [8/15/2008 3:07 PM 14144]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
S2 gupdate1cac4b49b0d28ee;Google Update Service (gupdate1cac4b49b0d28ee);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 7:58 PM 133104]
S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [8/15/2008 3:00 PM 8960]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [12/29/2009 10:49 AM 282824]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2008 3:00 PM 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [8/15/2008 3:00 PM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 21:28]

2010-03-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 12:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-03-30 12:15:24
ComboFix-quarantined-files.txt 2010-03-30 19:15
ComboFix2.txt 2010-03-30 02:28

Pre-Run: 132,497,022,976 bytes free
Post-Run: 132,907,196,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4C25FC3B350471A9AB589F933BB4D5BB


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • Gender:Female
  • Location:Romania

Posted 30 March 2010 - 02:45 PM

Hello Tim Pierson,

Looking good now. We needed to run the script to get rid of some things that Combofix did not delete automatically.
How are things running now, do you have any problems left?

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#9 Tim Pierson

Tim Pierson
  • Topic Starter

  • Members

Posted 30 March 2010 - 10:52 PM

Hi Elise, here is the MBAM log. And I was able to update Java before MBAM ran. I'm curious - if I make a donation, do you get any of it? I hope you do. Thanks so much for your help.

MBAM Log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/30/2010 5:50:16 PM
mbam-log-2010-03-30 (17-50-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 205358
Time elapsed: 38 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,815 posts
  • Gender:Female
  • Location:Romania

Posted 31 March 2010 - 05:40 AM

Hello again,

Things are looking good. One question though: is there a reason you are still using Internet Explorer 7 and not 8? IE8 is a lot safer and a bit faster than IE7. It's also listed as a priority update by the Microsoft Updates site.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise




#11 Tim Pierson
  • Topic Starter
  • Members
  • 7 posts

Posted 31 March 2010 - 07:12 PM

Hi, ESET did a full scan and did not find any threats. It didn't let me make a log file.

I updated to IE8, no issues with that.



#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,815 posts
  • Gender:Female
  • Location:Romania

Posted 01 April 2010 - 04:58 AM

Hello Tim Pierson,

ALL CLEAN
--------------
Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.
Please read this advice in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; the paid versions provide resident protection and do not nag.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
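The MVPs hosts file recommended above works by mapping unwanted domains to a non-routable address so the browser never reaches them. As an added example (not code from this thread, from BleepingComputer, or from the MVPs hosts file project), here is a small Python checker that reads hosts-file content, separates legitimate block entries from entries that point a real domain at a routable address, which is the kind of manipulation that can cause the redirects this thread started with. The sample file contents are constructed; 203.0.113.5 is a documentation-range address, not a real host.

```python
"""Check a hosts file: separate blocklist entries from hijack-style entries.

Added example, not code from the thread or from the MVPs hosts file project.
"""
import ipaddress

# Constructed sample hosts-file content in the style of an MVPs hosts file.
# 203.0.113.5 is a documentation-range address (RFC 5737), not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Block entries: ad and malware domains are resolved to the local machine
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment after the entry
127.0.0.1 malware-host.example.com
# Hijack-style entry: a real site forced to a routable address
203.0.113.5 www.example.com
"""

# Host names that legitimately map to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (line_number, ip_address, hostname) for each entry.

    Comments (everything after '#') and blank lines are skipped; one line
    may list several hostnames after a single address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no hostname
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_block_address(addr):
    """0.0.0.0 and loopback addresses (127.0.0.1, ::1) are block targets."""
    return addr.is_unspecified or addr.is_loopback


def classify(text):
    """Split hosts-file entries into local, blocked and suspicious."""
    result = {"local": [], "blocked": [], "suspicious": []}
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            result["local"].append(name)
        elif is_block_address(addr):
            result["blocked"].append(name)
        else:
            # A hostname pointed at a routable address is legitimate only
            # if the user put it there on purpose (e.g. an intranet host).
            result["suspicious"].append((lineno, str(addr), name))
    return result


def report(text):
    """Return a short human-readable summary of a hosts file."""
    r = classify(text)
    lines = [f"{len(r['blocked'])} block entries, {len(r['local'])} local entries"]
    for lineno, addr, name in r["suspicious"]:
        lines.append(f"SUSPICIOUS line {lineno}: {name} -> {addr}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HOSTS))
```

To run it against a real machine, read the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and pass them to report(). A hosts file maintained only by the MVPs list needs nothing but loopback and block entries, so anything the script lists as suspicious deserves a look.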
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


regards, Elise




#13 Tim Pierson
  • Topic Starter
  • Members
  • 7 posts

Posted 01 April 2010 - 02:40 PM

Thanks Elise, I will follow the suggestions and keep it up to date. OK to close this topic. Thanks again for your help!



#14 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,815 posts
  • Gender:Female
  • Location:Romania

Posted 01 April 2010 - 02:44 PM

You are welcome.

This topic will now be closed. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

