Infected with Trojan


  • This topic is locked
11 replies to this topic

#1 cforchan


Posted 13 April 2010 - 08:19 PM

I think I have a Trojan and don't know how to be sure it's completely gone. At first all I got on startup was a black screen (even in safe mode). I managed to run a scan with Malwarebytes in Safe Mode using Task Manager a few times, which restored my desktop, but I'm still having problems. This is my first time posting, please help?

Here is the dds.txt file


DDS (Ver_10-03-17.01) - NTFSx86
Run by EndUser at 19:44:02.46 on Tue 04/13/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.214 [GMT -4:00]

AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\EndUser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.ca
uSearch Bar = hxxp://www.googe.ca/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_13.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\enduser\applic~1\mozilla\firefox\profiles\2tr13r6a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\enduser\application data\mozilla\firefox\profiles\2tr13r6a.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-21 214664]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-22 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-21 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-21 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-21 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-21 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-21 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-21 40552]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
S0 KL1;KL1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-21 34248]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-5-23 91830]
S3 UXDCMN;UXDCMN;\??\c:\documents and settings\enduser\my documents\winstress\uxdcmn.sys --> c:\documents and settings\enduser\my documents\winstress\UXDCMN.SYS [?]

=============== Created Last 30 ================

2010-04-13 23:39:15 0 ----a-w- c:\documents and settings\enduser\defogger_reenable
2010-04-10 01:03:47 0 d-----w- c:\program files\Cobian Backup 8
2010-04-02 21:14:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2010-04-02 20:30:24 32128 -c----w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-02 20:30:24 32128 ------w- c:\windows\system32\drivers\usbccgp.sys
2010-04-01 23:27:45 48 ---h--w- c:\windows\system32\ezsidmv.dat
2010-04-01 23:25:18 0 d-----r- c:\program files\Skype
2010-04-01 00:59:19 0 d-----w- c:\program files\iPod
2010-04-01 00:58:51 0 d-----w- c:\program files\iTunes
2010-04-01 00:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 00:45:23 0 d-----w- c:\program files\Bonjour
2010-03-18 01:53:42 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 01:53:42 69632 ------w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-03-30 04:46:30 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ------w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-12 15:46:14 91424 ------w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ------w- c:\windows\system32\dns-sd.exe
2009-05-06 07:27:45 401720 ------w- c:\program files\HiJackThis.exe
2008-06-12 03:22:46 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061120080612\index.dat

============= FINISH: 19:45:13.81 ===============
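A triage script for the DDS log in this post, added here as an example (it is not part of the original thread or of the DDS tool): it walks the Pseudo HJT Report and SERVICES / DRIVERS sections and flags the entries a malware-removal helper looks at first, namely browser hooks registered with "No File", hosts-file redirections, and drivers whose file is missing or lives under a user profile. The sample input is an excerpt of the log above; the section-header shape, line prefixes and the "image --> resolved [?]" convention are assumptions read off that log.

```python
"""Triage a DDS log for the findings a malware-removal helper checks first.

Added example, not part of the original thread or of the DDS tool.
Assumptions: section headers look like '===== Name =====', hook lines use the
'BHO:/TB:/EB:/xURLSearchHooks:' prefixes, driver lines are 'Rn/Sn name;desc;path'
and DDS marks an unreadable file as 'image --> resolved [?]', as in the log above.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Excerpt of the DDS log pasted in the post, kept inline so the block runs stand-alone.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-21 214664]
S0 KL1;KL1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S3 UXDCMN;UXDCMN;\??\c:\documents and settings\enduser\my documents\winstress\uxdcmn.sys --> c:\documents and settings\enduser\my documents\winstress\UXDCMN.SYS [?]

============= FINISH: 19:45:13.81 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
HOOK_PREFIXES = ("BHO:", "TB:", "EB:", "mURLSearchHooks:", "uURLSearchHooks:")
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# Drivers are expected under %SystemRoot%; one loading from a profile folder deserves a look.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str
    detail: str


def _hook_findings(section: str, line: str):
    # A BHO/toolbar/search-hook CLSID still registered but pointing at no file:
    # either a sloppy uninstall or a removed component whose registration remains.
    if line.startswith(HOOK_PREFIXES) and line.endswith("- No File"):
        yield Finding(section, "orphaned-hook", line)


def _hosts_findings(section: str, line: str):
    # Malware commonly points security-vendor and help-forum names at 127.0.0.1
    # so the victim cannot reach cleanup tools; only localhost belongs there.
    m = HOSTS_RE.match(line)
    if m and not m.group("host").lower().startswith("localhost"):
        yield Finding(section, "hosts-redirect", f"{m.group('host')} -> {m.group('ip')}")


def _driver_findings(section: str, line: str):
    m = DRIVER_RE.match(line)
    if not m:
        return
    # DDS writes 'image --> resolved path [?]' when it could not read the file.
    path = m.group("rest").split(" --> ")[-1].strip()
    label = f"{m.group('start')} {m.group('svc')}: {path}"
    if path.endswith("[?]"):
        yield Finding(section, "driver-file-missing", label)
    if any(marker in path.lower() for marker in USER_PROFILE_MARKERS):
        yield Finding(section, "driver-in-user-profile", label)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current section, and collect findings."""
    findings: list[Finding] = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name") or section
            continue
        for check in (_hook_findings, _hosts_findings, _driver_findings):
            findings.extend(check(section, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'orphaned-hook': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.kind}: {f.detail}")
```

Run against the full log, the same checks surface the same four items Elise would ask about: three orphaned hooks, the spywareinfo.com hosts entry, the missing kl1.sys and the driver under the user's My Documents.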


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:39 AM

Posted 18 April 2010 - 05:09 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#3 cforchan (Topic Starter)

Posted 20 April 2010 - 08:57 PM

Hi there. I am still having issues. Several attempts to run GMER resulted in errors (twice in Safe Mode). Windows keeps shutting down and displays a blue error prior to shut down.

Here are the logs:

OTL:

OTL logfile created on: 4/19/2010 7:22:37 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\EndUser\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 92.00 Mb Available Physical Memory | 9.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 92.96 Gb Total Space | 69.31 Gb Free Space | 74.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CVMCV
Current User Name: EndUser
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/19 19:21:41 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\EndUser\Desktop\OTL.exe
PRC - [2010/04/02 12:15:00 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/17 15:53:26 | 000,193,040 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcinsupd.exe
PRC - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/04 17:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 16:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 07:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/29 07:54:44 | 000,806,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009/10/29 07:54:44 | 000,378,088 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdui.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/11/01 11:11:46 | 000,290,816 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2004/10/14 10:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2004/09/03 17:04:18 | 001,433,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/04/19 19:21:41 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\EndUser\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2010/04/04 03:49:33 | 002,504,280 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3653.dll -- (Akamai)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/04 17:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 16:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 07:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 12:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/03 11:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2004/09/03 17:04:18 | 001,433,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/11/04 17:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 17:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 13:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/01/05 20:05:23 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/11/16 15:12:46 | 001,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/06/23 10:16:08 | 000,162,176 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/11/10 11:41:26 | 000,105,831 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/09/20 04:41:00 | 003,210,496 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/09/03 17:03:12 | 000,268,872 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/30 09:55:48 | 000,091,830 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P0630Vid.sys -- (P0630VID)
DRV - [2004/06/28 06:35:24 | 000,069,760 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/04/26 08:49:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/04/14 08:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2004/02/02 13:29:00 | 000,139,604 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/08/28 22:40:26 | 000,189,792 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2003/06/06 12:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2003/05/01 14:26:34 | 000,005,220 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2002/09/20 10:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
IE - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.2
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..keyword.URL: "http://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/18 18:06:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 12:15:23 | 000,000,000 | ---D | M]

[2008/12/06 12:22:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\EndUser\Application Data\Mozilla\Extensions
[2010/04/14 20:19:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\EndUser\Application Data\Mozilla\Firefox\Profiles\2tr13r6a.default\extensions
[2009/06/04 20:14:01 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\EndUser\Application Data\Mozilla\Firefox\Profiles\2tr13r6a.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/09/16 05:46:04 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\EndUser\Application Data\Mozilla\Firefox\Profiles\2tr13r6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/03/17 21:30:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\EndUser\Application Data\Mozilla\Firefox\Profiles\2tr13r6a.default\extensions\personas@christopher.beard
[2010/04/13 19:50:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/01 19:26:01 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

O1 HOSTS File: ([2010/04/09 20:08:47 | 000,388,020 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 13312 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1960408961-1757981266-682003330-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1960408961-1757981266-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/16 16:19:23 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5a2cd3fc-6cbe-11dd-9d80-0012f05df5c9}\Shell\Auto\command - "" = E:\autorun.bat -- File not found
O33 - MountPoints2\{5a2cd3fc-6cbe-11dd-9d80-0012f05df5c9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5a2cd3fc-6cbe-11dd-9d80-0012f05df5c9}\Shell\explore\Command - "" = E:\autorun.bat -- File not found
O33 - MountPoints2\{5d6d1197-366b-11dd-9d6d-0012f05df5c9}\Shell\Auto\command - "" = E:\autorun.bat -- File not found
O33 - MountPoints2\{5d6d1197-366b-11dd-9d6d-0012f05df5c9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5d6d1197-366b-11dd-9d6d-0012f05df5c9}\Shell\explore\Command - "" = E:\autorun.bat -- File not found
O33 - MountPoints2\{67a6851e-4744-11df-9e63-0012f05df5c9}\Shell - "" = AutoRun
O33 - MountPoints2\{67a6851e-4744-11df-9e63-0012f05df5c9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67a6851e-4744-11df-9e63-0012f05df5c9}\Shell\AutoRun\command - "" = E:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{e52b02f1-698a-11dd-9d7f-0012f05df5c9}\Shell\Auto\command - "" = E:\autorun.bat -- File not found
O33 - MountPoints2\{e52b02f1-698a-11dd-9d7f-0012f05df5c9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e52b02f1-698a-11dd-9d7f-0012f05df5c9}\Shell\explore\Command - "" = E:\autorun.bat -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/19 19:24:43 | 000,000,000 | ---D | C] -- C:\c89d8cea6234b22099
[2010/04/19 19:20:58 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\EndUser\Desktop\OTL.exe
[2010/04/15 14:52:03 | 003,103,640 | ---- | C] (Javacool Software LLC ) -- C:\Documents and Settings\EndUser\Desktop\spywareblastersetup43.exe
[2010/04/13 19:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\EndUser\Desktop\gmer
[2010/04/13 17:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\EndUser\Local Settings\Application Data\Western Digital
[2010/04/09 21:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2010/04/09 21:00:20 | 008,499,200 | ---- | C] (Luis Cobian) -- C:\Documents and Settings\EndUser\Desktop\cbSetup8.exe
[2010/04/02 17:14:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/04/02 16:30:24 | 000,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2010/04/01 19:27:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\EndUser\Application Data\skypePM
[2010/04/01 19:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\EndUser\Application Data\Skype
[2010/04/01 19:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/04/01 19:25:18 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/04/01 19:25:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/03/31 20:59:19 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/31 20:58:51 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/31 20:58:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/31 20:52:42 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/31 20:45:23 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/12/10 10:22:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/12/06 10:03:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\McAfee
[2009/11/23 08:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/11/21 16:50:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/21 16:38:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/21 16:38:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/21 16:38:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/23 01:53:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/05/06 03:27:39 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Program Files\HiJackThis.exe
[2008/09/28 21:00:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2008/05/31 08:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/19 19:33:32 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/19 19:21:41 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\EndUser\Desktop\OTL.exe
[2010/04/19 19:13:08 | 000,012,315 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/04/19 19:13:07 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2010/04/19 19:11:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/19 19:11:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/19 19:11:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/19 19:11:50 | 1063,768,064 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/15 16:52:32 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\EndUser\NTUSER.DAT
[2010/04/15 16:52:32 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\EndUser\ntuser.ini
[2010/04/15 16:51:51 | 000,001,722 | -H-- | M] () -- C:\Documents and Settings\EndUser\My Documents\Default.rdp
[2010/04/15 15:03:13 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/15 14:52:42 | 003,103,640 | ---- | M] (Javacool Software LLC ) -- C:\Documents and Settings\EndUser\Desktop\spywareblastersetup43.exe
[2010/04/13 19:47:39 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\EndUser\Desktop\gmer.zip
[2010/04/13 19:42:04 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\EndUser\Desktop\dds.scr
[2010/04/13 19:39:15 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\EndUser\defogger_reenable
[2010/04/13 19:37:52 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\EndUser\Desktop\Defogger.exe
[2010/04/09 21:02:10 | 008,499,200 | ---- | M] (Luis Cobian) -- C:\Documents and Settings\EndUser\Desktop\cbSetup8.exe
[2010/04/09 20:08:47 | 000,388,020 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/08 09:42:12 | 000,388,020 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100409-200847.backup
[2010/04/08 08:53:16 | 000,388,020 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100408-094208.backup
[2010/04/07 19:08:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/07 14:49:14 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/04/07 14:46:53 | 000,388,020 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100408-085309.backup
[2010/04/07 12:05:22 | 000,094,656 | ---- | M] () -- C:\Documents and Settings\EndUser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/07 11:15:31 | 000,383,076 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100407-144653.backup
[2010/04/07 08:15:21 | 000,340,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/01 19:27:45 | 000,000,048 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/04/01 01:00:03 | 000,000,336 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/23 08:56:07 | 000,383,822 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/23 08:56:06 | 000,054,010 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/23 08:56:05 | 000,443,556 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/13 19:47:36 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\EndUser\Desktop\gmer.zip
[2010/04/13 19:41:53 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\EndUser\Desktop\dds.scr
[2010/04/13 19:39:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\EndUser\defogger_reenable
[2010/04/13 19:37:38 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\EndUser\Desktop\Defogger.exe
[2010/04/09 20:44:12 | 1063,768,064 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/01 19:27:45 | 000,000,048 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/06/18 00:49:15 | 000,106,403 | ---- | C] () -- C:\Documents and Settings\EndUser\Local Settings\Application Data\FASTWiz.log
[2009/05/10 15:55:46 | 000,000,862 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2009/03/29 19:30:47 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/07 10:49:14 | 000,000,720 | -H-- | C] () -- C:\WINDOWS\avscan.ini
[2008/05/23 18:36:05 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2008/05/23 17:44:50 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\EndUser\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/02/05 14:46:51 | 000,000,327 | ---- | C] () -- C:\Documents and Settings\EndUser\Application Data\default.log
[2007/02/05 14:46:30 | 000,001,400 | ---- | C] () -- C:\Documents and Settings\EndUser\Application Data\default.cfg
[2007/01/16 16:17:48 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2007/01/16 16:15:37 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/01/16 16:15:37 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/01/16 16:15:37 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/01/16 16:15:37 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/01/16 16:15:37 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/01/16 16:15:37 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/01/16 15:54:27 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\EndUser\ntuser.dat.LOG
[2007/01/16 15:54:27 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\EndUser\ntuser.ini
[2007/01/16 15:54:26 | 007,864,320 | -H-- | C] () -- C:\Documents and Settings\EndUser\NTUSER.DAT
[2006/07/14 15:35:46 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll
[2004/10/27 04:30:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/09/03 16:04:16 | 000,139,280 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/01/13 20:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

Extras:

OTL Extras logfile created on: 4/19/2010 7:22:37 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\EndUser\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 92.00 Mb Available Physical Memory | 9.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 92.96 Gb Total Space | 69.31 Gb Free Space | 74.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CVMCV
Current User Name: EndUser
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1960408961-1757981266-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"1041:TCP" = 1041:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Disabled:Windows Live Messenger (Phone) -- File not found
"c:\Program Files\Mozilla Firefox\firefox.exe" = c:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Internet Explorer -- (Mozilla Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger -- File not found
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{316CDA1E-4760-4772-94B0-0FFC56D85700}" = RPS CRT
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37E31FCE-A048-4D8C-B167-31891BCF6585}" = muvee autoProducer 3.5 - SE
"{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}" = Cisco Systems VPN Client 4.0.5 (A)
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}" = Zone Deluxe Games
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.00 D5
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D10619EA-8F56-445F-AA98-6EF208E4864F}" = BlackBerry v4.2.1 for the 8700 Series Wireless Handheld
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FF6F491D-BC82-4DCC-A72F-1824957C6466}" = TIxx21
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"Akamai" = Akamai NetSession Interface
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Driver
"CobBackup8" = Cobian Backup 8
"Creative PD0630" = Creative WebCam Live! Driver (1.01.01.0730)
"Creative WebCam Center" = Creative WebCam Center
"eMule" = eMule
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{FF6F491D-BC82-4DCC-A72F-1824957C6466}" = Texas Instruments PCIxx21/x515 drivers.
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SpywareBlaster_is1" = SpywareBlaster 4.3
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/14/2010 8:16:43 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/14/2010 8:16:44 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/15/2010 9:53:42 AM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/15/2010 2:47:51 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/15/2010 3:37:59 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/15/2010 3:38:18 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/19/2010 7:12:11 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/19/2010 7:12:28 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/19/2010 7:12:29 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

Error - 4/19/2010 7:12:30 PM | Computer Name = CVMCV | Source = TrueVector Service | ID = 5003
Description = TrueVector driver: Driver install or load failure: LoadNTDeviceDriver.
Win32 error: The system cannot find the file specified.

[ System Events ]
Error - 4/14/2010 8:16:57 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KL1

Error - 4/15/2010 9:53:53 AM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 4/15/2010 9:54:15 AM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KL1

Error - 4/15/2010 2:48:02 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 4/15/2010 2:48:22 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KL1

Error - 4/15/2010 3:38:13 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 4/15/2010 3:38:36 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KL1

Error - 4/19/2010 7:11:58 PM | Computer Name = CVMCV | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0012F05DF5C9. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 4/19/2010 7:12:20 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 4/19/2010 7:12:31 PM | Computer Name = CVMCV | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KL1


< End of report >


GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 21:43:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\EndUser\LOCALS~1\Temp\pxtdqpog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAAD2078A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAAD20821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAAD20738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAD2074C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAAD20835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAAD20861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAAD208CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAAD208B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAAD207CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAAD208FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAAD2080D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAAD20710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAAD20724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAAD2079E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAAD20937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAAD208A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAAD2088D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAAD2084B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAAD20923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAAD2090F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAAD20776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAAD20762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAAD20877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAAD207F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAAD208E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAAD207E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAAD207B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP AAD207B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP AAD2078E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP AAD207CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP AAD207E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP AAD207A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP AAD20714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP AAD20728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP AAD20766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP AAD20750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP AAD2073C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP AAD2077A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP AAD207FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP AAD20891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP AAD2087B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP AAD208E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP AAD208A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP AAD2084F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP AAD20825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP AAD20839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP AAD20865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP AAD208D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP AAD208BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP AAD20811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP AAD2093B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP AAD20913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP AAD20927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP AAD208FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6BACDBF]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6AB2F80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD00A4
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0073
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD003D
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F66
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F77
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F30
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F15
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0062
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00BF
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F7C
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0F97
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[352] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0044
.text C:\WINDOWS\system32\svchost.exe[352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0033
.text C:\WINDOWS\system32\svchost.exe[352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB000C
.text C:\WINDOWS\system32\svchost.exe[352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026A0000
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026A0098
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026A007D
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026A0FA5
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026A0058
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026A0FB6
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026A00D0
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026A00B3
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026A0106
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026A0F77
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026A0117
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026A003D
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026A0011
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026A0F88
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026A002C
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026A0FDB
.text C:\WINDOWS\system32\wuauclt.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026A00EB
.text C:\WINDOWS\system32\wuauclt.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02680FB0
.text C:\WINDOWS\system32\wuauclt.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 02680FC1
.text C:\WINDOWS\system32\wuauclt.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02680FD2
.text C:\WINDOWS\system32\wuauclt.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02680FE3
.text C:\WINDOWS\system32\wuauclt.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02680027
.text C:\WINDOWS\system32\wuauclt.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02680000
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 3 Bytes JMP 0269001E
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyExW + 4 77DD6AB3 1 Byte [8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 3 Bytes JMP 02690F8D
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyExW + 4 77DD7770 1 Byte [8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 3 Bytes JMP 02690FCD
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyExA + 4 77DD7856 1 Byte [8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 3 Bytes JMP 02690FDE
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyW + 4 77DD794A 1 Byte [8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 3 Bytes JMP 0269004A
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyExA + 4 77DDE9F8 1 Byte [8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 3 Bytes JMP 02690FEF
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegOpenKeyA + 4 77DDEFCC 1 Byte [8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02690FA8
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [89, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0269002F
.text C:\WINDOWS\system32\wuauclt.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F4D
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F5E
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F79
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F32
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007006E
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F06
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0007009F
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EEB
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0007005D
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F21
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F72
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F83
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050F90
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FAB
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F68
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0051
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0084
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F3C
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00C4
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB009F
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F10
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F4D
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F21
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90FA1
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90FE3
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B90FC6
.text C:\WINDOWS\system32\lsass.exe[824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F2007A
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20069
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20F9B
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20058
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F2003D
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F200C6
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F2009F
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F2010D
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F200F2
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F2011E
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F20FAC
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F20F74
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F20022
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F20FD1
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F200D7
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FB9
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10F79
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10F94
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10025
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F0005F
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00029
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F00044
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00018
.text C:\WINDOWS\system32\svchost.exe[972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0000
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60FA8
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60FB9
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60087
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FDB
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D600DC
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D600CB
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60112
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600F7
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60F5E
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60062
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60011
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600AE
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60051
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60036
.text C:\WINDOWS\Explorer.EXE[1024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60F79
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FDE
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50065
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D5001B
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50054
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50FB2
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
.text C:\WINDOWS\Explorer.EXE[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FCD
.text C:\WINDOWS\Explorer.EXE[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40FC3
.text C:\WINDOWS\Explorer.EXE[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D4004E
.text C:\WINDOWS\Explorer.EXE[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40033
.text C:\WINDOWS\Explorer.EXE[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\Explorer.EXE[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\Explorer.EXE[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40018
.text C:\WINDOWS\Explorer.EXE[1024] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\Explorer.EXE[1024] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[1024] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D2001B
.text C:\WINDOWS\Explorer.EXE[1024] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\Explorer.EXE[1024] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C9005B
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90040
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C9002F
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F72
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90F9E
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F4B
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90093
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900C9
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F30
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90F15
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90F8D
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FDB
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C9006C
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C900AE
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C8004A
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80F8D
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C80FA8
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes CALL C89FEDE5
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70FB9
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70044
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70022
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70033
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05310FE5
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05310062
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05310047
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0531002C
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05310F79
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05310FA5
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0531008E
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0531007D
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 053100CB
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 053100BA
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 053100E6
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05310F8A
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05310FCA
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05310F52
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05310011
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05310000
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 053100A9
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05300F94
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05300014
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05300FB9
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05300FCA
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05300F61
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05300FE5
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 05300F72
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [50, 8D]
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05300F83
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02B20FAD
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 02B20FC8
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02B20FD9
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02B20000
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02B20038
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02B2001D
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B1000A
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 029F0000
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 029F001B
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 029F002C
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 029F0FDB
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0082
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0071
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F8D
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0FA8
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0FD4
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F44
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F55
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0EFA
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F1F
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0EE9
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0FB9
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC001B
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F72
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0040
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC009D
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0025
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0069
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0FD4
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0FE5
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0058
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB0047
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0036
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0F8B
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0016
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA0FB7
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0FE3
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0F9C
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0FD2
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA00BF
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0098
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0087
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F92
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0FA3
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00FF
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F66
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0110
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA00DA
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F77
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FD1
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660051
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0066002C
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0066001B
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F94
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660FA5
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FC0
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FBC
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065003D
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FCD
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650022
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00630FB9
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0124000A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01240FB6
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012400AB
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01240FD1
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0124008E
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01240058
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01240F79
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01240F8A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012400E6
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01240F57
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012400F7
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01240073
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0124001B
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01240F9B
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01240047
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0124002C
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01240F68
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0123002C
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01230F94
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01230FDB
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0123001B
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01230FAF
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01230000
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01230051
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01230FC0
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01220FCA
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!system 77C293C7 5 Bytes JMP 01220055
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01220029
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01220FEF
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0122003A
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0122000C
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FF0014
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FF0025
.text C:\WINDOWS\System32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01210000
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F400BF
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F400A4
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40FC0
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F4007D
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40051
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F8A
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F400DC
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40F5B
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400FE
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F4010F
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40062
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40FA5
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40040
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F4001B
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400ED
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30047
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F3001B
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F3000A
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30F8A
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F30036
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\System32\svchost.exe[1652] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0F95
.text C:\WINDOWS\System32\svchost.exe[1652] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0FA6
.text C:\WINDOWS\System32\svchost.exe[1652] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1652] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[1652] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0FB7
.text C:\WINDOWS\System32\svchost.exe[1652] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FD2
.text C:\WINDOWS\System32\svchost.exe[1652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

---- EOF - GMER 1.0.15 ----


Please Help!

#4 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:39 AM

Posted 21 April 2010 - 03:49 AM

Hello again,

P2P WARNING
-------------------
Going over your logs I noticed that you have eMule installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall eMule, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#5 cforchan

cforchan
  • Topic Starter

  • Members
  • 14 posts

Posted 21 April 2010 - 06:42 PM

Thank you for your timely response! I have removed eMule as you indicated and installed and ran Combofix. Here is the log...

ComboFix 10-04-21.01 - EndUser 04/21/2010 19:30:02.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.393 [GMT -4:00]
Running from: c:\documents and settings\EndUser\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-13 21:36 . 2010-04-13 21:36 -------- d-----w- c:\documents and settings\EndUser\Local Settings\Application Data\Western Digital
2010-04-10 01:03 . 2010-04-10 01:04 -------- d-----w- c:\program files\Cobian Backup 8
2010-04-07 16:19 . 2010-04-07 16:19 5918775 ------w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-02 21:14 . 2010-04-02 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-04-02 20:30 . 2008-04-13 18:45 32128 -c----w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-02 20:30 . 2008-04-13 18:45 32128 ------w- c:\windows\system32\drivers\usbccgp.sys
2010-04-01 23:27 . 2010-04-01 23:27 48 ---h--w- c:\windows\system32\ezsidmv.dat
2010-04-01 23:27 . 2010-04-05 12:07 -------- d-----w- c:\documents and settings\EndUser\Application Data\skypePM
2010-04-01 23:26 . 2010-04-07 12:13 -------- d-----w- c:\documents and settings\EndUser\Application Data\Skype
2010-04-01 23:25 . 2010-04-01 23:25 -------- d-----w- c:\program files\Common Files\Skype
2010-04-01 23:25 . 2010-04-01 23:26 -------- d-----r- c:\program files\Skype
2010-04-01 23:25 . 2010-04-01 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-01 00:59 . 2010-04-01 00:59 -------- d-----w- c:\program files\iPod
2010-04-01 00:58 . 2010-04-01 01:00 -------- d-----w- c:\program files\iTunes
2010-04-01 00:58 . 2010-04-01 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 00:52 . 2010-04-01 00:53 -------- d-----w- c:\program files\QuickTime
2010-04-01 00:45 . 2010-04-01 00:45 -------- d-----w- c:\program files\Bonjour
2010-04-01 00:41 . 2010-04-01 00:41 73000 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 23:35 . 2010-02-15 17:54 -------- d-----w- c:\program files\Common Files\Akamai
2010-04-21 23:17 . 2009-08-30 21:54 -------- d-----w- c:\program files\eMule
2010-04-15 19:04 . 2008-08-20 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 18:57 . 2009-05-12 04:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-15 18:57 . 2009-05-12 04:26 -------- d-----w- c:\program files\SpywareBlaster
2010-04-08 21:06 . 2009-04-07 21:37 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-07 16:20 . 2009-05-13 05:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 16:05 . 2007-01-16 20:30 94656 ------w- c:\documents and settings\EndUser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 12:19 . 2009-11-21 20:44 -------- d-----w- c:\program files\McAfee
2010-04-02 21:28 . 2008-05-24 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-04-02 08:37 . 2009-05-06 03:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-01 00:59 . 2008-05-24 13:17 -------- d-----w- c:\program files\Common Files\Apple
2010-03-30 04:46 . 2009-05-13 05:12 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-05-13 05:12 20824 ------w- c:\windows\system32\drivers\mbam.sys
2010-03-23 12:57 . 2009-11-11 21:52 79488 ------w- c:\documents and settings\EndUser\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-05-23 11:41 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 14:16 . 2009-10-02 21:34 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-04 12:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ------w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ------w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ------w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
2009-05-06 07:27 . 2009-05-06 07:27 401720 ------w- c:\program files\HiJackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-11-23 163840]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-11-01 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 88209]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2009-11-23 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1220:TCP"= 1220:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/22/2009 7:54 PM 93320]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [5/23/2008 8:26 PM 91830]
S3 UXDCMN;UXDCMN;\??\c:\documents and settings\EndUser\My Documents\Winstress\UXDCMN.SYS --> c:\documents and settings\EndUser\My Documents\Winstress\UXDCMN.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-21 17:22]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-21 17:22]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-04-07 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-05-06 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\EndUser\Application Data\Mozilla\Firefox\Profiles\2tr13r6a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\EndUser\Application Data\Mozilla\Firefox\Profiles\2tr13r6a.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 19:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?8?1?2??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\McAfee\VirusScan\scriptsn.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-04-21 19:38:52
ComboFix-quarantined-files.txt 2010-04-21 23:38

Pre-Run: 74,339,385,344 bytes free
Post-Run: 74,689,544,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B2847D570FF8AD4552124DCC2B8E8585


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 22 April 2010 - 05:12 AM

Hi there,

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or Norton.


UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


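As an added example (not part of Elise's post or of any BleepingComputer tool), the following PowerShell check lists what Windows Security Center has registered as antivirus and firewall products, which is the registration the "AV:" and "FW:" header lines at the top of the DDS and ComboFix logs above reflect. It assumes PowerShell is installed on the machine; it queries root\SecurityCenter (Windows XP) or root\SecurityCenter2 (Vista and later), so a leftover Norton registration shows up even when Norton is no longer listed in Add/Remove Programs.

```powershell
# Added example: enumerate the antivirus and firewall products registered
# with Windows Security Center and warn when more than one AV is present.
# Assumption: PowerShell is available; XP exposes root\SecurityCenter,
# Vista and later expose root\SecurityCenter2.

function Get-SecurityCenterProducts {
    param([string]$Namespace)
    $result = @()
    foreach ($class in @('AntiVirusProduct', 'FirewallProduct')) {
        # A missing namespace or class simply yields nothing here.
        $items = Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $items) {
            if ($p.PSObject.Properties['productState']) {
                # Vista+: state is packed into productState; bit 0x1000 means "enabled".
                $enabled = (($p.productState -band 0x1000) -ne 0)
            } elseif ($class -eq 'AntiVirusProduct') {
                # XP: on-access scanning flag, as DDS reports it ("On-access scanning enabled").
                $enabled = [bool]$p.onAccessScanningEnabled
            } else {
                # XP firewall products carry a plain "enabled" boolean.
                $enabled = [bool]$p.enabled
            }
            $result += New-Object PSObject -Property @{
                Type    = $class
                Name    = $p.displayName
                Enabled = $enabled
                Guid    = $p.instanceGuid   # same GUID format as the DDS/ComboFix AV:/FW: lines
            }
        }
    }
    return $result
}

# Try the newer namespace first, then fall back to the XP one.
$ns = 'root\SecurityCenter2'
$products = Get-SecurityCenterProducts -Namespace $ns
if (-not $products) {
    $ns = 'root\SecurityCenter'
    $products = Get-SecurityCenterProducts -Namespace $ns
}

Write-Host "Security Center namespace: $ns"
$products | Format-Table Type, Name, Enabled, Guid -AutoSize

# Two registered AV products is exactly the situation discussed above:
# one of them is usually a stale registration left behind by an uninstall.
$av = @($products | Where-Object { $_.Type -eq 'AntiVirusProduct' })
if ($av.Count -gt 1) {
    Write-Warning ("{0} antivirus products are registered; keep only one resident scanner." -f $av.Count)
}
```

A product that is listed here but absent from Add/Remove Programs is the case a vendor removal tool (such as the Norton Removal Tool mentioned later in this thread) is meant to clean up.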


#7 cforchan

cforchan
  • Topic Starter

  • Members
  • 14 posts

Posted 22 April 2010 - 08:57 PM

Java successfully uninstalled and re-installed as indicated. I'm confused when you say that I am running 2 Anti-virus programs since the only one I am aware I have was McAfee. I also couldn't find Norton in Add/Remove programs to remove it. Please advise?

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4023

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/22/2010 9:50:09 PM
mbam-log-2010-04-22 (21-50-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 158641
Time elapsed: 1 hour(s), 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 23 April 2010 - 03:03 AM

Hi, no worries about Norton, most likely some leftovers.

Please click HERE and follow the instructions in STEP 2 to download and run the Norton Removal Tool.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise




#9 cforchan

cforchan
  • Topic Starter

  • Members
  • 14 posts

Posted 25 April 2010 - 03:19 PM

Hi There. I was able to successfully run Norton Removal tool. ESET Online Scanner found no threats and no report was generated. Thank you so much for your timely responses and your assistance in helping me troubleshoot and fix my issues.

Can you confirm that you require additional scanning?

Thank you in advance.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 25 April 2010 - 03:32 PM

Hi, that's great news

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#11 cforchan

cforchan
  • Topic Starter

  • Members
  • 14 posts

Posted 26 April 2010 - 06:49 AM

Hi again! I have read your last post and completed the uninstall for Combofix. I also deleted DDS, GMER and OTL.

Thank you so much for all of your help in getting my computer back up and running. You are my hero!!

Regards,

Chantelle

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 26 April 2010 - 07:04 AM

Thank you for your kind words.

This topic will now be closed. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






