Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Taxpayer ID Numbers for 120 Million Brazilians Exposed Online

Featured Deal: Get 91% off The ReactJS Programming Bootcamp Deal

Infected but not sure what

Started by tb12 , May 19 2010 04:33 PM

This topic is locked

52 replies to this topic

#1 tb12

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 19 May 2010 - 04:33 PM

Hi. After some activity in a help forum I was directed here. from here: http://www.bleepingcomputer.com/forums/t/316763/lost-at-sea/ ~ OB The issues began with the fake security alert trojan. After many attempts and running ATF Cleaner, SAS and MBAM the issues seemed resolved; however, IE8 began having issues including missing toolbar. IE8 and IE7 were uninstalled through control panel including updates. IE8 was downloaded and installed however, the search redirects recurred. Attempts to connect to microsoft update were not successful on either IE8 or Firefox. Tried from both direct typing and through the update button in Programs. Neither worked. Ran DDS in normal and both the txt and attachment follows. Attempted to run GMER in normal. It ran alright but froze when I tried to save it. I am running again now.
DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Thomas Bueschel at 14:52:22.79 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2159 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Thomas Bueschel\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.live.com
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p2 /q c:\docume~1\thomas~1\locals~1\temp\tempor~1\content.ie5\ty1lsfzw.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1\content.ie5\ko593jkv.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1\content.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh!\content.sh!\ty1lsfzw.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh!\content.sh!\ko593jkv.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh!\Content.SH!
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WD Anywhere Backup Premium] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [Fdabavesazuyuf] rundll32.exe "c:\windows\eponulohu.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234296436968
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas~1\applic~1\mozilla\firefox\profiles\s11dry5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B42C2EEC-59CB-45C7-8354-A60C8CB163E0} - c:\documents and settings\thomas bueschel\local settings\application data\{B42C2EEC-59CB-45C7-8354-A60C8CB163E0}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-2-4 8960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2010-3-4 25824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30 106496]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-2-4 11264]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34248]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-2-4 16640]

=============== Created Last 30 ================

2010-05-19 19:48:48 0 ----a-w- c:\documents and settings\thomas bueschel\defogger_reenable
2010-05-18 22:05:06 0 dc-h--w- c:\windows\ie8
2010-05-14 19:13:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 19:12:58 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 19:12:58 0 d-----w- c:\docume~1\thomas~1\applic~1\SUPERAntiSpyware.com
2010-05-14 19:12:08 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-13 21:48:12 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-13 21:48:12 0 d-----w- c:\documents and settings\thomas bueschel\log
2010-05-07 14:48:48 96761 ----a-w- c:\windows\system32\276bd5d5.exe

==================== Find3M ====================

2010-05-17 13:20:58 328728 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 19:17:01 61224 ----a-w- c:\documents and settings\thomas bueschel\GoToAssistDownloadHelper.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2002-09-11 14:26:52 63730 -c--a-w- c:\program files\viewsonicinstruct_xp.pdf
2009-04-06 13:48:44 245760 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 14:53:39.34 ===============

Attached Files

Attach.txt 13.87KB 5 downloads

Edited by Orange Blossom, 19 May 2010 - 05:18 PM.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 tb12

Topic Starter

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 20 May 2010 - 01:25 PM

I finally was able to run GMER and save the file. Also ran a new DDS after GMER and both are set forth below. The DDS attach.txt file is attached. The problems are increasing. Today Firefox would not load; then would load but slowly. After completing and saving the GMER scan, a fatal error occurred with the stop code: 0x000000F4 (0x00000003, 0X88F8FB90, 0X88FD04, 0X805D2954).. After two tries the system rebooted but I have disconnected from the internet as a precaution. The scan information was transferred via key to a diffrent computer for deliverey here.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Thomas Bueschel at 13:11:54.31 on Thu 05/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2331 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Thomas Bueschel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.live.com
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p2 /q c:\docume~1\thomas~1\locals~1\temp\tempor~1\content.ie5\ty1lsfzw.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1\content.ie5\ko593jkv.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1\content.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh!\content.sh!\ty1lsfzw.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh!\content.sh!\ko593jkv.sh! c:\docume~1\thomas~1\locals~1\temp\tempor~1.sh!\Content.SH!
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WD Anywhere Backup Premium] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [Fdabavesazuyuf] rundll32.exe "c:\windows\eponulohu.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234296436968
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas~1\applic~1\mozilla\firefox\profiles\s11dry5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B42C2EEC-59CB-45C7-8354-A60C8CB163E0} - c:\documents and settings\thomas bueschel\local settings\application data\{B42C2EEC-59CB-45C7-8354-A60C8CB163E0}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-2-4 8960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-10 144704]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2010-3-4 25824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30 106496]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-2-4 11264]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34248]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-2-4 16640]

=============== Created Last 30 ================

2010-05-19 19:48:48 0 ----a-w- c:\documents and settings\thomas bueschel\defogger_reenable
2010-05-18 22:05:06 0 dc-h--w- c:\windows\ie8
2010-05-14 19:13:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 19:12:58 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 19:12:58 0 d-----w- c:\docume~1\thomas~1\applic~1\SUPERAntiSpyware.com
2010-05-14 19:12:08 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-13 21:48:12 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-13 21:48:12 0 d-----w- c:\documents and settings\thomas bueschel\log
2010-05-07 14:48:48 96761 ----a-w- c:\windows\system32\276bd5d5.exe

==================== Find3M ====================

2010-05-20 18:01:51 86016 ----a-w- c:\windows\DUMP29ee.tmp
2010-05-17 13:20:58 328728 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 19:17:01 61224 ----a-w- c:\documents and settings\thomas bueschel\GoToAssistDownloadHelper.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2002-09-11 14:26:52 63730 -c--a-w- c:\program files\viewsonicinstruct_xp.pdf
2009-04-06 13:48:44 245760 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 13:13:11.93 ===============
GMER:GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-20 12:56:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\uxtiiaow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAB6B878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAB6B8821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAB6B8738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAB6B874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAB6B8835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAB6B8861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAB6B88CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAB6B88B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAB6B87CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAB6B88FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAB6B880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAB6B8710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAB6B8724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAB6B879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAB6B8937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAB6B88A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAB6B888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAB6B884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAB6B8923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAB6B890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAB6B8776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAB6B8762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAB6B8877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAB6B87F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAB6B88E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAB6B87E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAB6B87B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP AB6B87B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AB6B878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP AB6B87CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP AB6B87E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP AB6B87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP AB6B8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP AB6B8728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP AB6B8766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP AB6B8750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP AB6B873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP AB6B877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP AB6B87FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EC 7 Bytes JMP AB6B8891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP AB6B887B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622064 2 Bytes JMP AB6B88E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey + 3 80622067 4 Bytes [09, 2B, 90, 90] {OR [EBX], EBP; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622916 7 Bytes JMP AB6B88A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP AB6B884F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP AB6B8825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP AB6B8839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP AB6B8865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 7 Bytes JMP AB6B88D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062427E 7 Bytes JMP AB6B88BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP AB6B8811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EE8 7 Bytes JMP AB6B893B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806251A8 5 Bytes JMP AB6B8913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062589C 5 Bytes JMP AB6B8927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806259B6 5 Bytes JMP AB6B88FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9158000, 0x18FFBC, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C007C
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C006B
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C005A
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C003D
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FA5
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00A8
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0097
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F2A
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00C3
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F19
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C002C
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F76
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FC0
.text C:\WINDOWS\system32\dllhost.exe[576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F45
.text C:\WINDOWS\system32\dllhost.exe[576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FB7
.text C:\WINDOWS\system32\dllhost.exe[576] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0042
.text C:\WINDOWS\system32\dllhost.exe[576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0016
.text C:\WINDOWS\system32\dllhost.exe[576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\dllhost.exe[576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0031
.text C:\WINDOWS\system32\dllhost.exe[576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FAF
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F57
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F68
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0F79
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\system32\dllhost.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0F9E
.text C:\WINDOWS\system32\dllhost.exe[576] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\dllhost.exe[576] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\dllhost.exe[576] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\dllhost.exe[576] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0078003D
.text C:\WINDOWS\system32\dllhost.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF009D
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0078
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F9E
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00DF
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00B8
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF010B
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0126
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF00F0
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060045
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FB0
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[836] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[836] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[836] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[836] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\services.exe[836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010D0075
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010D005A
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010D0F80
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010D003D
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010D001B
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010D00C1
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010D009A
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010D0F43
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010D0F54
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010D00F7
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010D002C
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateFileW 7C810800 3 Bytes JMP 010D0000
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateFileW + 4 7C810804 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreatePipe 7C81D83F 3 Bytes JMP 010D0F6F
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreatePipe + 4 7C81D843 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010D0FB9
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010D0FCA
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010D00D2
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010C0FC0
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010C0F6F
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010C0FE5
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010C001B
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010C0F8A
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010C0000
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010C002C
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010C0FA5
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010B0FB9
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 010B0044
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010B0FDE
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010B000C
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010B0033
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010B0FEF
.text C:\WINDOWS\system32\lsass.exe[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010A0000
.text C:\WINDOWS\system32\lsass.exe[848] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\lsass.exe[848] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\lsass.exe[848] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01090011
.text C:\WINDOWS\system32\lsass.exe[848] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01090FC0
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02570000
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025700B5
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02570FC0
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02570FD1
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0257008E
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02570058
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025700E6
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02570F9E
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02570101
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02570F5E
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02570F43
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02570069
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02570011
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02570FAF
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0257003D
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02570022
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02570F79
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02560FC3
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02560F86
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02560FD4
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02560FE5
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02560F97
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0256000A
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02560039
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02560FB2
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02550047
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 02550FBC
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02550FD7
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02550000
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0255002C
.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02550011
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02530000
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02530011
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02530022
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02530FDB
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02540FEF
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F600A6
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60095
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60084
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60073
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60FDB
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F600E8
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F600CB
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F7B
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F60114
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60139
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60062
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60011
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60FA0
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60047
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F600F9
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50040
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50F83
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F50F9E
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [15, 89]
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F5002F
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40FB7
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40FD2
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F4001D
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40042
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FE3
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F20022
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F20033
.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30000
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 037A0000
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 037A0F90
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 037A0FAB
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 037A0FBC
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 037A0079
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 037A0FCD
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 037A00C4
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037A00A7
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037A0F2B
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037A0F46
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 037A0F1A
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 037A0054
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 037A0025
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 037A0096
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 037A0FDE
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 037A0FEF
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 037A0F61
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03200036
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03200FB6
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03200025
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03200014
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03200073
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03200FEF
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03200058
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03200047
.text C:\WINDOWS\System32\svchost.exe[1320] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 034D000A
.text C:\WINDOWS\System32\svchost.exe[1320] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 034C000A
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 031B0031
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 031B0FA6
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 031B0FD2
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 031B0FEF
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 031B0FB7
.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 031B000C
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E3000A
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03000FE5
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A30054
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A30F5F
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A30F7C
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A3002F
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30F9E
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A30F30
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A30082
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A30093
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A30F04
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A30EDF
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A30F8D
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A30065
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A30FAF
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A30FC0
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A30F1F
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FC0
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F79
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20011
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A20F8A
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A2002C
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A20FAF
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10042
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10FB7
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10FE3
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FD2
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B002C
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0047
.text C:\WINDOWS\system32\svchost.exe[1528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F10F2D
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F10F52
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F10F63
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F1002C
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F10011
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F10EFF
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F10047
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F10EE4
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F1007D
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F10ED3
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F10F80
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F10F1C
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F10FA5
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F10FC0
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F10062
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F00014
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F00F79
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F00F8A
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EF0036
.text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EF0025
.text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EF0FC6
.text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EF0FAB
.text C:\WINDOWS\system32\svchost.exe[1576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EF0FD7
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00ED0FC0
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00ED001B
.text C:\WINDOWS\system32\svchost.exe[1576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F6F
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F8A
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0064
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE003D
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FA5
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE007F
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F37
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00A1
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F12
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00B2
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE002C
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0011
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F5E
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FC0
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FDB
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0090
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F80
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0FA5
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FC0
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FD1
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FBC
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB003D
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0022
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FE3
.text C:\WINDOWS\system32\svchost.exe[1864] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1864] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1864] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[1864] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\svchost.exe[1864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[2080] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E1000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00380FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00380F8D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00380014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00380FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0038004A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00380FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0038002F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00380FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390F77
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00390F92
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00390FC1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0039000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00390FDE
.text C:\WINDOWS\Explorer.EXE[3388] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[3388] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[3388] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BA000C
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0033
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0FA2
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0022
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0011
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0055
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FB3
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\Explorer.EXE[3388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0044
.text C:\WINDOWS\Explorer.EXE[3388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\Explorer.EXE[3388] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[3388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\Explorer.EXE[3388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0029
.text C:\WINDOWS\Explorer.EXE[3388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F4B
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F66
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F8D
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C004A
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0014
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F0C
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F1D
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C009B
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0080
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00AC
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C002F
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F3A
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\System32\svchost.exe[5292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0065
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0047
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0FBD
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0036
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B001B
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0084
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B000A
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0073
.text C:\WINDOWS\System32\svchost.exe[5292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0058
.text C:\WINDOWS\System32\svchost.exe[5292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0040005F
.text C:\WINDOWS\System32\svchost.exe[5292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00400FDE
.text C:\WINDOWS\System32\svchost.exe[5292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00400044
.text C:\WINDOWS\System32\svchost.exe[5292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0040000C
.text C:\WINDOWS\System32\svchost.exe[5292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00400FEF
.text C:\WINDOWS\System32\svchost.exe[5292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00400029
.text C:\WINDOWS\System32\svchost.exe[5292] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[5292] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00780FE5
.text C:\WINDOWS\System32\svchost.exe[5292] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00780FCA
.text C:\WINDOWS\System32\svchost.exe[5292] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00780FB9
.text C:\WINDOWS\System32\svchost.exe[5292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001A0FE5
.text C:\Program Files\Mozilla Firefox\firefox.exe[5848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

Attached Files

Attach.txt 13.92KB 7 downloads

#3 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:07:09 AM

Posted 21 May 2010 - 10:26 AM

Hello and and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed, If you have
since resolved your issues I would appreciate if you would let me no so I can close this topic.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%SYSTEMDRIVE%\*.exe
netsvcs
msconfig
drivers32
CREATERESTOREPOINT
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Thanks

#4 tb12

Topic Starter

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 21 May 2010 - 10:58 AM

OTL logfile created on: 5/21/2010 10:49:20 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Thomas Bueschel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.03 Gb Total Space | 277.97 Gb Free Space | 93.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931.28 Gb Total Space | 916.43 Gb Free Space | 98.40% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TAB-OFFICE
Current User Name: Thomas Bueschel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/21 10:46:48 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thomas Bueschel\Desktop\OTL.exe
PRC - [2010/04/03 16:44:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/04/01 12:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/10 22:32:26 | 000,648,536 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2010/03/04 20:36:00 | 001,500,384 | ---- | M] (Memeo Inc.) -- C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
PRC - [2010/03/04 20:36:00 | 000,025,824 | ---- | M] (Memeo) -- C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
PRC - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/19 00:33:08 | 000,809,488 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/02/19 00:30:36 | 000,059,920 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\LBTWiz.exe
PRC - [2009/02/19 00:30:20 | 000,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
PRC - [2009/02/19 00:28:52 | 000,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/12/04 13:00:26 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/12/04 13:00:20 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/05/26 23:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/05/23 14:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/26 16:15:30 | 000,909,312 | ---- | M] (Realtek) -- C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
PRC - [2008/01/30 05:52:22 | 000,106,496 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
PRC - [2008/01/07 19:10:30 | 000,210,200 | ---- | M] (Yahoo!, Inc.) -- C:\Program Files\Yahoo!\browser\ycommon.exe
PRC - [2007/08/30 10:50:42 | 000,205,480 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2006/11/29 23:37:20 | 000,561,213 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/11/29 23:35:42 | 001,396,820 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2006/09/25 09:12:20 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2006/07/21 16:19:46 | 000,129,536 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\browser\ybrwicon.exe

========== Modules (SafeList) ==========

MOD - [2010/05/21 10:46:48 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thomas Bueschel\Desktop\OTL.exe
MOD - [2009/02/19 00:31:16 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/02/19 00:26:52 | 000,017,424 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\IMHook.dll
MOD - [2008/07/25 12:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/04/14 07:00:00 | 000,181,760 | ---- | M] () -- C:\WINDOWS\eponulohu.dll
MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/11/29 23:41:44 | 000,077,824 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2010/03/04 20:36:00 | 000,025,824 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe -- (MemeoBackgroundService)
SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/02/19 00:30:20 | 000,121,360 | ---- | M] (Logitech, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/02/04 01:14:39 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/12/04 13:00:26 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/01/30 05:52:22 | 000,106,496 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe -- (WDBtnMgrSvc.exe)

========== Driver Services (SafeList) ==========

DRV - [2010/05/17 08:20:58 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2010/05/06 17:10:20 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/12/18 23:43:48 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/12/18 23:43:40 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/08/18 18:03:28 | 000,079,960 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2008/08/18 18:03:12 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/08/04 17:04:12 | 004,752,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/21 16:09:12 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/07/21 16:09:02 | 003,007,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 000,153,344 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmio.sys -- (dmio)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/03 11:13:48 | 000,011,264 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2007/11/20 01:14:08 | 000,016,640 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTLVLAN.SYS -- (RTLVLAN)
DRV - [2007/11/20 01:04:50 | 000,008,960 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)
DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 14:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 14:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/12/04 14:33:34 | 000,067,672 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/12/04 14:33:34 | 000,047,907 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2006/12/04 14:33:34 | 000,030,459 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/12/04 14:33:34 | 000,030,285 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2006/12/04 14:33:32 | 000,863,402 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/12/04 14:33:32 | 000,329,901 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2005/11/03 15:19:42 | 000,027,136 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2005/11/03 15:19:30 | 000,069,376 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USSMB/1

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B42C2EEC-59CB-45C7-8354-A60C8CB163E0}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/09 11:37:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B42C2EEC-59CB-45C7-8354-A60C8CB163E0}: C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\{B42C2EEC-59CB-45C7-8354-A60C8CB163E0} [2010/05/07 12:03:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/13 16:29:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/13 16:29:12 | 000,000,000 | ---D | M]

[2010/05/13 16:29:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Thomas Bueschel\Application Data\Mozilla\Extensions
[2010/05/21 10:00:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions
[2010/05/13 18:05:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/13 16:29:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [8169Diag] C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe (Realtek)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Bluetooth Connection Assistant] File not found
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Fdabavesazuyuf] C:\WINDOWS\eponulohu.DLL ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WD Anywhere Backup Premium] C:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe (Memeo Inc.)
O4 - HKLM..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
O4 - HKLM..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006..\Run: [DelayShred] c:\Program Files\McAfee\MSHR\ShrCL.exe ()
O4 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3418929384-891379033-4178932854-1006\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support.microsoft.com/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1234296436968 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\jmwinebxb.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/10/12 01:45:58 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]
O32 - AutoRun File - [2007/08/20 21:55:06 | 000,000,070 | RH-- | M] () - E:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\WDEULA.exe -- [2007/08/20 22:10:40 | 001,695,580 | ---- | M] (Western Digital )
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/04/25 16:28:57 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746478449557504)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/21 10:46:42 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thomas Bueschel\Desktop\OTL.exe
[2010/05/18 17:05:06 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/05/18 15:29:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\Yahoo
[2010/05/18 15:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2010/05/14 15:46:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Desktop\Autoruns
[2010/05/14 14:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/14 14:12:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Application Data\SUPERAntiSpyware.com
[2010/05/14 14:12:58 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/14 14:12:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/14 14:09:37 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Thomas Bueschel\Desktop\ATF-Cleaner.exe
[2010/05/13 16:54:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/05/13 16:48:12 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/05/13 16:48:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\log
[2010/05/13 16:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\My Documents\Downloads
[2010/05/13 16:29:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\Mozilla
[2010/05/13 16:29:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Application Data\Mozilla
[2010/05/13 16:29:11 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/10 17:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\My Documents\CLE
[2010/05/10 11:34:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server
[2010/05/07 12:29:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\bqnvdkwdh
[2010/05/07 12:03:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\{B42C2EEC-59CB-45C7-8354-A60C8CB163E0}
[2010/05/07 09:48:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Windows Search
[2010/05/07 09:47:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/04/27 17:02:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\avG
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/21 10:46:48 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thomas Bueschel\Desktop\OTL.exe
[2010/05/21 10:02:17 | 004,980,736 | -H-- | M] () -- C:\Documents and Settings\Thomas Bueschel\NTUSER.DAT
[2010/05/21 09:01:42 | 000,026,925 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/21 09:01:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/21 09:00:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/21 08:59:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/21 08:59:45 | 3220,160,512 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/20 17:07:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Thomas Bueschel\ntuser.ini
[2010/05/20 17:06:49 | 006,225,902 | -H-- | M] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\IconCache.db
[2010/05/19 14:51:28 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\dds.scr
[2010/05/19 14:48:48 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\defogger_reenable
[2010/05/19 14:46:57 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\Defogger.exe
[2010/05/18 17:21:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/17 16:04:43 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/05/17 15:59:09 | 000,010,303 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Application Data\Comma Separated Values (Windows).CAL
[2010/05/17 12:00:15 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\scan.job
[2010/05/17 08:20:58 | 000,328,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iaStor.sys
[2010/05/14 16:06:06 | 000,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/14 16:02:07 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/14 14:13:02 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/14 14:04:54 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Thomas Bueschel\Desktop\ATF-Cleaner.exe
[2010/05/13 16:48:12 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/05/13 16:29:20 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/13 16:29:14 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/13 14:30:13 | 000,008,704 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/13 11:05:39 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\~$TTERHEAD.dotx
[2010/05/10 11:34:21 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/07 09:48:48 | 000,096,761 | ---- | M] () -- C:\WINDOWS\System32\276bd5d5.exe
[2010/05/06 10:38:44 | 000,161,722 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\wis schools gov.pdf
[2010/05/06 10:38:09 | 000,401,482 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\WIS School code.pdf
[2010/05/03 15:27:23 | 002,183,315 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\Backup-(2010-05-03).ipd
[2010/05/03 15:26:14 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\pool.bin
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 14:16:25 | 000,567,007 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\f433f prelim.pdf
[2010/04/28 14:16:06 | 000,567,007 | ---- | M] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\f433f.pdf
[2010/04/28 10:00:06 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WD Anywhere Backup Premium.lnk
[2010/04/28 09:28:46 | 000,015,846 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\myujs
[2010/04/27 17:05:33 | 000,015,902 | -HS- | M] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\1675011685
[2010/04/27 17:05:33 | 000,015,902 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1675011685
[2010/04/27 17:04:01 | 000,015,890 | -HS- | M] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\2146094125
[2010/04/27 17:04:01 | 000,015,890 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2146094125
[2010/04/27 17:02:40 | 000,015,890 | -HS- | M] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\myujs
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/20 11:33:30 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\gmer.exe
[2010/05/19 14:51:30 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\dds.scr
[2010/05/19 14:48:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\defogger_reenable
[2010/05/19 14:47:01 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\Defogger.exe
[2010/05/14 15:16:00 | 3220,160,512 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/14 14:13:02 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/13 16:29:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/13 16:29:14 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/13 11:05:39 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\~$TTERHEAD.dotx
[2010/05/07 09:48:48 | 000,096,761 | ---- | C] () -- C:\WINDOWS\System32\276bd5d5.exe
[2010/05/06 10:38:44 | 000,161,722 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\wis schools gov.pdf
[2010/05/06 10:38:09 | 000,401,482 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\WIS School code.pdf
[2010/05/03 15:27:11 | 002,183,315 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\Backup-(2010-05-03).ipd
[2010/05/03 15:26:14 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\My Documents\pool.bin
[2010/04/28 14:16:25 | 000,567,007 | ---- | C] () -- C:\Documents and Settings\Thomas Bueschel\Desktop\f433f prelim.pdf
[2010/04/28 10:00:06 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WD Anywhere Backup Premium.lnk
[2010/04/28 09:28:46 | 000,015,846 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\myujs
[2010/04/27 17:03:50 | 000,015,902 | -HS- | C] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\1675011685
[2010/04/27 17:03:50 | 000,015,902 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1675011685
[2010/04/27 17:03:48 | 000,015,890 | -HS- | C] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\2146094125
[2010/04/27 17:02:38 | 000,015,890 | -HS- | C] () -- C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\myujs
[2010/04/27 17:02:38 | 000,015,890 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2146094125
[2010/04/27 16:59:34 | 000,015,890 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\myujs
[2010/04/27 16:59:34 | 000,015,846 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\myujs
[2010/04/14 17:24:32 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/25 01:24:38 | 010,645,008 | ---- | C] () -- C:\WINDOWS\System32\jmwinebxb.dll
[2010/02/25 01:24:38 | 010,345,020 | ---- | C] () -- C:\WINDOWS\System32\foebxasuy.dll
[2010/02/25 01:24:38 | 009,660,923 | ---- | C] () -- C:\WINDOWS\System32\dllniloup.dll
[2010/02/25 01:24:38 | 009,640,386 | ---- | C] () -- C:\WINDOWS\System32\andorcoas.dll
[2010/02/25 01:24:38 | 005,440,043 | ---- | C] () -- C:\WINDOWS\System32\ebxevups.dll
[2010/02/25 01:24:38 | 005,353,539 | ---- | C] () -- C:\WINDOWS\System32\andpoandand.dll
[2010/02/25 01:24:38 | 005,184,896 | ---- | C] () -- C:\WINDOWS\System32\errriplinup.dll
[2010/02/25 01:24:38 | 005,088,430 | ---- | C] () -- C:\WINDOWS\System32\sheshesg.dll
[2010/02/25 01:24:38 | 004,864,195 | ---- | C] () -- C:\WINDOWS\System32\wiarloand.dll
[2010/02/25 01:24:38 | 003,110,486 | ---- | C] () -- C:\WINDOWS\System32\ejelopo.dll
[2010/02/25 01:24:38 | 003,087,365 | ---- | C] () -- C:\WINDOWS\System32\errripaas.dll
[2010/02/25 01:24:38 | 003,032,285 | ---- | C] () -- C:\WINDOWS\System32\pgiani.dll
[2010/02/25 01:24:38 | 002,618,274 | ---- | C] () -- C:\WINDOWS\System32\etblindll.dll
[2010/02/25 01:24:38 | 002,335,330 | ---- | C] () -- C:\WINDOWS\System32\winway.dll
[2010/02/25 01:24:38 | 002,004,601 | ---- | C] () -- C:\WINDOWS\System32\ywlow.dll
[2010/02/25 01:24:38 | 001,800,605 | ---- | C] () -- C:\WINDOWS\System32\yaebxy.dll
[2010/02/25 01:24:38 | 001,779,789 | ---- | C] () -- C:\WINDOWS\System32\yjmcos.dll
[2010/02/25 01:24:38 | 001,631,262 | ---- | C] () -- C:\WINDOWS\System32\aarriph.dll
[2010/02/25 01:24:38 | 001,616,020 | ---- | C] () -- C:\WINDOWS\System32\asetelo.dll
[2009/08/24 14:50:41 | 000,000,168 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/07 10:56:34 | 000,017,408 | ---- | C] () -- C:\WINDOWS\WD.ShellExtension.WicIO.dll
[2009/02/10 17:17:26 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/02/10 13:26:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2009/02/09 17:02:26 | 000,000,101 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2009/02/04 03:53:42 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/02/04 01:31:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/04 01:16:18 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/25 16:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 11:16:27 | 000,181,760 | ---- | C] () -- C:\WINDOWS\eponulohu.dll
[2008/04/25 11:16:11 | 000,153,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\dmio.sys
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/11/29 23:24:10 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 13:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 13:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 07:00:00 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/04/25 04:21:09 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/04/25 04:21:09 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/04/25 04:21:09 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
< End of report >
OTL Extras logfile created on: 5/21/2010 10:49:20 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Thomas Bueschel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.03 Gb Total Space | 277.97 Gb Free Space | 93.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931.28 Gb Total Space | 916.43 Gb Free Space | 98.40% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TAB-OFFICE
Current User Name: Thomas Bueschel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1700:TCP" = 1700:TCP:*:Enabled:MioNet Remote Drive Access 0
"1701:TCP" = 1701:TCP:*:Enabled:MioNet Remote Drive Access 1
"1702:TCP" = 1702:TCP:*:Enabled:MioNet Remote Drive Access 2
"1703:TCP" = 1703:TCP:*:Enabled:MioNet Remote Drive Access 3
"1704:TCP" = 1704:TCP:*:Enabled:MioNet Remote Drive Access 4
"1705:TCP" = 1705:TCP:*:Enabled:MioNet Remote Drive Access 5
"1706:TCP" = 1706:TCP:*:Enabled:MioNet Remote Drive Access 6
"1707:TCP" = 1707:TCP:*:Enabled:MioNet Remote Drive Access 7
"1708:TCP" = 1708:TCP:*:Enabled:MioNet Remote Drive Access 8
"1709:TCP" = 1709:TCP:*:Enabled:MioNet Remote Drive Access 9
"1641:TCP" = 1641:TCP:*:Enabled:MioNet Remote Drive Verification
"1647:TCP" = 1647:TCP:*:Enabled:MioNet Storage Device Configuration
"5432:UDP" = 5432:UDP:*:Enabled:MioNet Storage Device Discovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\MioNet\MioNetManager.exe" = C:\Program Files\MioNet\MioNetManager.exe:*:Enabled:MioNetManager -- File not found
"C:\Program Files\MioNet\jvm\bin\MioNet.exe" = C:\Program Files\MioNet\jvm\bin\MioNet.exe:*:Enabled:MioNet -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}" = McAfee Virtual Technician
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 15
"{2877881B-0736-42AB-B312-D4457D57E56D}" = BlackBerry Device Software Updater
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{51B833D8-66B0-4E72-92B9-4E4977EF37F2}" = WD Drive Manager (x86)
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68131B0A-D78D-4aed-B74E-33A6C7324E50}" = WD Anywhere Backup
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{88253B77-33C9-4A9D-9E4C-4579E39D9158}" = Diagnostics Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8CECA47C-EF15-423a-9D06-816571D752C2}" = WD Anywhere Backup Premium
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_BASICR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_BASICR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_BASICR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9EDA3DD1-130D-4EE1-A3D2-5A3D795CC8C9}" = MFCLOC
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A48D9EED-4B4A-4E74-B223-383CC0757352}" = WD Anywhere Backup Premium Extension
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AC76BA86-1033-F400-BA7E-000000000004}_932" = Adobe Acrobat 9.3.2 - CPSID_53951
"{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"276bd5d5" = Contextual Tool Profitmuse
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"BASICR" = Microsoft Office Basic 2007
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MVApplication1" = SureThing CD Labeler Deluxe 3.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Applications" = AT&T Yahoo! Applications
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3418929384-891379033-4178932854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/18/2010 5:46:01 PM | Computer Name = TAB-OFFICE | Source = Application Error | ID = 1001
Description = Fault bucket 1819802311.

Error - 5/18/2010 5:53:32 PM | Computer Name = TAB-OFFICE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/18/2010 5:53:32 PM | Computer Name = TAB-OFFICE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/18/2010 5:53:32 PM | Computer Name = TAB-OFFICE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/18/2010 5:53:32 PM | Computer Name = TAB-OFFICE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/18/2010 6:12:28 PM | Computer Name = TAB-OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2010 3:17:04 PM | Computer Name = TAB-OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2010 3:17:07 PM | Computer Name = TAB-OFFICE | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 5/19/2010 5:18:11 PM | Computer Name = TAB-OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application d9nyfiro.exe, version 1.0.15.15281, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2010 8:02:08 PM | Computer Name = TAB-OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application d9nyfiro.exe, version 1.0.15.15281, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/17/2010 9:08:10 AM | Computer Name = TAB-OFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 5/17/2010 9:21:28 AM | Computer Name = TAB-OFFICE | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/17/2010 9:21:45 AM | Computer Name = TAB-OFFICE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
atapi PCIIde

Error - 5/18/2010 5:57:17 PM | Computer Name = TAB-OFFICE | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Internet Explorer 8 for Windows XP.

Error - 5/18/2010 6:22:30 PM | Computer Name = TAB-OFFICE | Source = DCOM | ID = 10010
Description = The server {6A972E27-93E2-4F98-8367-4101B2073814} did not register
with DCOM within the required timeout.

Error - 5/19/2010 3:26:44 PM | Computer Name = TAB-OFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 5/19/2010 3:28:44 PM | Computer Name = TAB-OFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 5/19/2010 3:30:44 PM | Computer Name = TAB-OFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 5/20/2010 4:06:18 PM | Computer Name = TAB-OFFICE | Source = DCOM | ID = 10010
Description = The server {D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E} did not register
with DCOM within the required timeout.

Error - 5/21/2010 10:42:05 AM | Computer Name = TAB-OFFICE | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

< End of report >

#5 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:07:09 AM

Posted 21 May 2010 - 11:52 AM

Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following
files one by one and click Submit.

C:\WINDOWS\eponulohu.DLL
C:\WINDOWS\System32\jmwinebxb.dll
C:\WINDOWS\System32\andpoandand.dll
C:\WINDOWS\System32\yaebxy.dll

Then please copy the link at the top of the page and post the link to the results.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/

Download and Run MBR Rootkit Scan

Please download MBR Rootkit Detector and save it on your desktop.
Go to Start >> Run then copy and paste the following line into the run box
"%userprofile%\desktop\mbr.exe" -t
Select Run when you recieve a Security Warning
The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
A log file will the be created on your desktop where you ran mbr.exe from.
Copy and paste the contents of mbr.log on your next reply.

#6 tb12

Topic Starter

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 21 May 2010 - 12:31 PM

As requested:

C:\WINDOWS\eponulohu.DLL http://www.virustotal.com/analisis/600f5b8...6bd5-1274461822

C:\WINDOWS\System32\jmwinebxb.dll http://www.virustotal.com/analisis/ca6fc8d...697b-1274462217

C:\WINDOWS\System32\andpoandand.dll http://www.virustotal.com/analisis/74d302d...ca81-1274462597

C:\WINDOWS\System32\yaebxy.dll http://www.virustotal.com/analisis/a75768e...1c0b-1274462767

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC4ECEC]<<
kernel: MBR read successfully
user & kernel MBR OK

#7 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:07:09 AM

Posted 21 May 2010 - 12:34 PM

Ok let's get you cleaned up.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

#8 tb12

Topic Starter

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 21 May 2010 - 01:35 PM

Difficulties with Combo fix. Download from first site would not allow saving (through Firefox). Download second site worked. Closed windows and disabled anti virus for 45 minutes (McAfee). Ran combo fix; began okay but there was no saving registry message. Appeared to download and install console; accepted EULA etc. Began to scan then went to blue screen; fatal error with message Bad_Pool_Call. Rebooted and deleted combo fix. Returned to BC on IE8 and downloaded again from he first site. Download worked but required I change name to save. Did so and ran Combo fix. Went through the registry save. Even though I had disabled McAfee, received a message that it was not disabled. Rechecked and disabled email protect and everything else in the AV. Again got a message the AV was not disabled but CF would run anyway and seemed to run okay. The scan started but again went blue with same message and error code 0x000000c2(0x00000007, 0x00000cd4, 0x15FFF44D, 0x80535819).
What now?

#9 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:07:09 AM

Posted 21 May 2010 - 02:18 PM

Can you try running it in safemode please, can you also tell me if the recovery console is successfully installed,
if it is you should get the option to boot into the recovery console just after the machine starts.

#10 tb12

Topic Starter

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 21 May 2010 - 03:01 PM

Rebooted into safe mode. It appears the recoverey console is present. Disabled AV (McAfee) and ran CF. Registry was saved and scan began. Fairly quickly a message opped and said rootkit detected must reboot. Absent other instructions I pressed okay. The system rebooted into normal mode and the scan resumed proceeding through 50+ levels. Several files and folders were deleted by CF. It then self rebooted again to normal windows. The preparing Log Report message appeared as did a fail to initiate message from Windows, two.dll files. I recognized a part of the string as among the files deleted by CF. After several minutes one failed to initialize warning disappeared but the second remained. Eventually I clicked okay. It has now been about 20 minutes and the preparing log report message still remains. It appears the program may have stalled. I am communicating on a different computer as i disconnected the subject computer from the internet as a precaution. Ideas?

#11 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:07:09 AM

Posted 21 May 2010 - 03:09 PM

Go into task manager and look for the following processes:

sed.exe, grep.exe, pev.exe, cfxxx.exe

End these processes if they are there, this should free up combofix, if the log
doesn't pop up have a look for it at C:\ComboFix.txt

#12 tb12

Topic Starter

Members
107 posts
OFFLINE

Local time:01:09 AM

Posted 21 May 2010 - 03:34 PM

no sed.exe; no grep.exe, no cfxxx.exe. There is a PEV.cfxxe which keeps jumping around the task manager screen. once caught by right click and end process clicked a message appears that operation could not be completed; the operation is not valid for this process. The preparing log message remains on the desktop.