Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop ups and maybe more?


  • This topic is locked This topic is locked
23 replies to this topic

#1 Mitsukake

Mitsukake

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 22 May 2010 - 12:27 PM

Hello,

im in dire need of help with the recent issue which is. Ive been getting pop ups from my computer from advertisement due to one day going against my instincts for not downloading anything unless si know its safe, i went to download something to get something free from a different site whow as advertising for there own stuff if you do what they wanted. i ended up downloading Playsushi and gamevance as well as play sushi toolbar which i forgot what the name was exactly.

then eager to get more of what i wanted i took more servay. >_> how brutally cold of me due to it seemed to worsen it . at the time i didn't know and see any affect till the following morning. from then i worked endlessly with some friends online to fix this issue.I have tryed Using many programs such as, Spybot S&D, Ad-Aware, McAfee, Spyware doctor, and other tools. ive even tried doing a step by step guide to get rid of gamevances stuff but no luck.(which involved uninstalling deleting and removing the regrestry keys manually.) even system restore didn't help due to what ever the cause is i think its blocking it due to it always says [cant be restored to that points. no system changes where made.] and Ive tried 6 different restore points.

i have ran out of options. and have no where else to turn. so please oh please help me.

here is a log of my computer as of now (previded by HiJackThis)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:26:11 AM, on 5/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R3 - URLSearchHook: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100513142139.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9709739B-4909-489B-A1F7-148C74F16EEE} (CNxSysInfoCtrl Object) - http://s.nx.com/ActiveX/ocx/nxsysinfo.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBKbackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7732 bytes



once again please help me. alot of info is on this computer and i have no way of whipping it clean if it came down to it.Thank you.

Edited by Mitsukake, 22 May 2010 - 01:29 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 25 May 2010 - 05:33 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 25 May 2010 - 05:05 PM

Alright thank you Elise,

here is the OTListIt.txt you asked for


OTL logfile created on: 5/25/2010 1:10:01 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Trung Ly\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1704 3408 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 150.57 Gb Free Space | 79.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.88 Gb Total Space | 212.56 Gb Free Space | 91.27% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OLYMPIC
Current User Name: Trung Ly
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 13:01:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trung Ly\My Documents\Downloads\OTL.exe
PRC - [2010/05/07 12:52:38 | 003,475,856 | ---- | M] (Xfire Inc.) -- C:\Program Files\Xfire\Xfire.exe
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PRC - [2010/04/02 13:02:44 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/02/24 01:15:10 | 002,937,528 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2009/03/27 23:10:56 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 13:01:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trung Ly\My Documents\Downloads\OTL.exe
MOD - [2010/05/07 12:52:48 | 000,962,448 | ---- | M] (Xfire Inc.) -- C:\Program Files\Xfire\xfire_toucan_42628.dll
MOD - [2010/02/17 21:08:00 | 000,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 17:12:10 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2003/02/21 04:42:22 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/22 01:20:31 | 001,314,704 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/27 23:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/02/05 21:13:48 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2010/02/04 08:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/10/04 14:33:14 | 000,115,312 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2009/08/13 16:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/08/06 07:50:00 | 007,753,888 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/08/28 17:05:12 | 000,055,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2006/03/31 22:32:40 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/23 19:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/04 12:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 12:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 12:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 12:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 12:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 12:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 12:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 12:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 12:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 12:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 12:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 12:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 12:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 12:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 12:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 06:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\URLSearchHook: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "XfireXO Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.theprizeday.com/today.php|http://search.conduit.com/?ctid=CT2304157&SearchSource=13"
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.459
FF - prefs.js..extensions.enabledItems: {52ED9673-0722-4A1D-B859-959FD56143DC}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: keyscrambler@qfx.software.corporation:2.6.0.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7
FF - prefs.js..extensions.enabledItems: {5e5ab302-7f65-44cd-8211-c1d4caaccea3}:2.5.6.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {E63605FC-D583-4C81-867F-9457BDB3EA1B}:4.6.0.2810
FF - prefs.js..extensions.enabledItems: {8141440E-08F0-4339-9959-5C31C6A69F23}:5.6.0.7190
FF - prefs.js..extensions.enabledItems: {E889F097-B0BE-471B-89AD-B86B6F04B506}:4.6.0.2670
FF - prefs.js..extensions.enabledItems: {AA1ACB70-B5F1-4037-909E-1F725B04D2A8}:1.6.0.3840
FF - prefs.js..extensions.enabledItems: {5909FC3D-7F8B-415d-A5D1-7C7E941E536E}:1.6.0.3960
FF - prefs.js..extensions.enabledItems: yespopupsV1@patheticcockroach.com:0.9.8b

FF - HKLM\software\mozilla\Firefox\extensions\\FFToolbar@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2010\bdaphffext\
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/21 02:07:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{E63605FC-D583-4C81-867F-9457BDB3EA1B}: C:\Program Files\Automated Result Operator\4.6.0.2810\FF [2010/05/20 13:25:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{8141440E-08F0-4339-9959-5C31C6A69F23}: C:\Program Files\Count Access Advancer\5.6.0.7190\FF [2010/05/20 13:25:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{E889F097-B0BE-471B-89AD-B86B6F04B506}: C:\Program Files\Advanced Access Controller\4.6.0.2670\FF [2010/05/20 13:25:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{AA1ACB70-B5F1-4037-909E-1F725B04D2A8}: C:\Program Files\Customized Web Management\1.6.0.3840\FF [2010/05/20 13:26:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{5909FC3D-7F8B-415d-A5D1-7C7E941E536E}: C:\Program Files\Internet Content Assistant\1.6.0.3960\FF [2010/05/20 13:26:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/13 14:21:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/28 10:43:42 | 000,000,000 | ---D | M]

[2009/12/08 13:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Extensions
[2010/05/24 22:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions
[2010/02/11 00:42:27 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
[2010/01/22 22:00:55 | 000,000,000 | ---D | M] (XfireXO Toolbar) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}
[2010/04/30 19:36:57 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/08 13:26:27 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/12/08 14:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\keyscrambler@qfx.software.corporation
[2010/04/13 13:09:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\personas@christopher.beard
[2010/05/21 18:17:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\yespopupsV1@patheticcockroach.com
[2009/11/13 03:25:04 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\searchplugins\conduit.xml
[2010/05/24 22:46:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/20 13:27:06 | 000,000,000 | ---D | M] (BrowserZinc) -- C:\Program Files\Mozilla Firefox\extensions\{52ED9673-0722-4A1D-B859-959FD56143DC}
[2010/04/28 10:43:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/14 17:53:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/02/24 01:15:08 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2009/09/21 11:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml

O1 HOSTS File: ([2010/05/22 00:42:49 | 000,395,292 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13652 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (KeyScramblerBHO Class) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll (Conduit Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20100513142139.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\Toolbar\WebBrowser: (XfireXO Toolbar) - {5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - C:\Program Files\XfireXO\tbXfir.dll (Conduit Ltd.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\Trung Ly\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (Xfire Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9709739B-4909-489B-A1F7-148C74F16EEE} http://s.nx.com/ActiveX/ocx/nxsysinfo.cab (CNxSysInfoCtrl Object)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 11:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/26 11:04:39 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/22 01:21:48 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/05/22 01:21:09 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/22 01:17:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/05/22 01:16:44 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/22 01:16:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/05/22 01:10:21 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/21 18:18:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Trung Ly\Recent
[2010/05/21 15:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/21 15:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/21 13:09:26 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/05/21 12:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/05/21 12:24:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/05/21 12:24:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/05/20 13:28:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Internet Content Assistant
[2010/05/20 13:26:36 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Content Assistant
[2010/05/20 13:26:20 | 000,000,000 | ---D | C] -- C:\Program Files\Customized Web Management
[2010/05/20 13:26:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Internet Connection Wizard
[2010/05/20 13:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Connection Wizard
[2010/05/20 13:25:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Advanced Access Controller
[2010/05/20 13:25:49 | 000,000,000 | ---D | C] -- C:\Program Files\Advanced Access Controller
[2010/05/20 13:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Count Access Advancer
[2010/05/20 13:25:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Count Access Advancer
[2010/05/20 13:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\Count Access Advancer
[2010/05/20 13:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Automated Result Operator
[2010/05/20 13:25:12 | 000,000,000 | ---D | C] -- C:\Program Files\Automated Result Operator
[2010/05/20 13:23:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\GamezJoint Toolbar
[2010/05/17 22:34:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Application Data\LolClient
[2010/05/17 22:22:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/05/17 22:15:24 | 000,000,000 | ---D | C] -- C:\Riot Games
[2010/05/15 10:38:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\My Documents\My Received Files
[2010/05/10 23:28:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Application Data\TS3Client
[2010/05/10 23:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\TeamSpeak 3 Client
[2010/04/29 21:49:22 | 000,000,000 | ---D | C] -- C:\Xpader
[2010/04/28 10:43:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/28 10:43:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/28 10:43:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/28 10:43:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/25 12:55:19 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\Trung Ly\ntuser.dat
[2010/05/25 12:52:52 | 000,248,739 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/05/25 12:49:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/25 12:48:35 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/05/25 12:48:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/25 12:48:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/25 12:48:08 | 1323,999,232 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/25 01:49:50 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Trung Ly\ntuser.ini
[2010/05/22 01:21:04 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/22 01:21:02 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/05/22 00:42:49 | 000,395,292 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/21 13:04:44 | 000,000,992 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/05/21 12:31:35 | 005,856,052 | -H-- | M] () -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\IconCache.db
[2010/05/21 12:25:25 | 000,151,552 | -H-- | M] () -- C:\SZKGFS.dat
[2010/05/15 10:39:58 | 000,438,892 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/15 10:39:58 | 000,380,680 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/15 10:39:58 | 000,052,968 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/07 12:52:46 | 000,041,872 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/04/27 17:16:24 | 000,009,344 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/26 19:56:58 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01005.Wdf
[2010/04/26 19:56:55 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/22 12:06:21 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/05/22 01:22:26 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/21 12:35:55 | 000,000,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/05/21 12:25:25 | 000,151,552 | -H-- | C] () -- C:\SZKGFS.dat
[2010/05/07 12:52:46 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/05/02 22:04:49 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/04/26 19:56:58 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01005.Wdf
[2010/04/26 19:56:55 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/02/26 23:22:08 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2007/12/05 02:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 02:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 02:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 02:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/27 03:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/26 09:12:43 | 000,000,465 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 09:12:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEB15613
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5160F090
< End of report >



and here is the Extra.txt


OTL Extras logfile created on: 5/25/2010 1:10:01 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Trung Ly\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1704 3408 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 150.57 Gb Free Space | 79.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.88 Gb Total Space | 212.56 Gb Free Space | 91.27% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OLYMPIC
Current User Name: Trung Ly
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-4162173360-2909499422-1688867590-1006\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"56841:TCP" = 56841:TCP:*:Enabled:Pando Media Booster
"56841:UDP" = 56841:UDP:*:Enabled:Pando Media Booster
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"57338:TCP" = 57338:TCP:*:Enabled:Pando Media Booster
"57338:UDP" = 57338:UDP:*:Enabled:Pando Media Booster
"8377:TCP" = 8377:TCP:*:Enabled:League of Legends Launcher
"8377:UDP" = 8377:UDP:*:Enabled:League of Legends Launcher
"8378:TCP" = 8378:TCP:*:Enabled:League of Legends Launcher
"8378:UDP" = 8378:UDP:*:Enabled:League of Legends Launcher

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- File not found
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- File not found
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- File not found
"C:\Nexon\Combat Arms\NMService.exe" = C:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core -- File not found
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Documents and Settings\All Users\Application Data\Nexon\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\Nexon\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Documents and Settings\All Users\Application Data\Nexon\Common\NMService.exe" = C:\Documents and Settings\All Users\Application Data\Nexon\Common\NMService.exe:*:Enabled:Nexon Messenger Service -- (Nexon Corp.)
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\Riot Games\League of Legends\air\LolClient.exe" = C:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby -- ()
"C:\Riot Games\League of Legends\game\League of Legends.exe" = C:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 20
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{95C5F81D-0779-4932-BE83-32AAF814F4B9}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}" = MapleStory
"{AC76BA86-7AD7-1033-7B44-000000000001}" = Adobe Reader 6.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7A9964C-A9A7-4714-B494-50067238876E}" = Fantasy Earth Zero
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons & Dragons Online : Eberron Unlimited v01.11.00.812
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube to iPod Converter_is1" = Free YouTube to iPod Converter version 3.2
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"InstallShield_{B7A9964C-A9A7-4714-B494-50067238876E}" = Fantasy Earth Zero
"KeyScrambler" = KeyScrambler
"LSI Soft Modem" = LSI PCI-SV92PP Soft Modem
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee Total Protection
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"Uninstall_is1" = Uninstall 1.0.0.1
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"XfireXO Toolbar" = XfireXO Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4162173360-2909499422-1688867590-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 5/21/2010 9:19:37 PM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/22/2010 3:23:04 AM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/22/2010 4:24:51 AM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/22/2010 4:29:15 AM | Computer Name = OLYMPIC | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 5/22/2010 4:32:20 AM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/22/2010 11:31:48 AM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/23/2010 3:22:09 PM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/24/2010 8:08:58 PM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/25/2010 3:48:13 PM | Computer Name = OLYMPIC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.4 for the Network Card with network
address 0016765DFF5A has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 5/25/2010 3:48:33 PM | Computer Name = OLYMPIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon


< End of report >


Now for the gmer.log.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 15:01:39
Windows 5.1.2600 Service Pack 3
Running: sywh3jrv.exe; Driver: C:\DOCUME~1\TRUNGL~1\LOCALS~1\Temp\uxtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB817887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8178BFE]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB7E77DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB7E77DF2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7E77E48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB7E77D9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7E77D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7E77D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB7E77DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB7E77E1E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB7E77E72]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7E77E5E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7E77E32]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP B7E77E36 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B7E77E4C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B7E77E62 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP B7E77E22 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B7E77D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B7E77D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP B7E77E76 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B7E77DE0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B7E77DCA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B7E77DF6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B7E77DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB74D3380, 0x3DF295, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00920F52
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00920F6D
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00920F7E
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00920F9B
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00920FC0
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00920090
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0092007F
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00920F1C
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00920F2D
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009200D0
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00920047
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00920062
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0092002C
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\services.exe[884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009200AB
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070043
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F86
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007001E
.text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060073
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[884] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[884] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C900D0
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C900B5
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90098
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90087
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900F7
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C9012A
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90119
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90145
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9006C
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90FC0
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90108
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00FCA
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C0005B
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00FDB
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FAF
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00036
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0F8B
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0F9C
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF000C
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FB7
.text C:\WINDOWS\system32\lsass.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\lsass.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AC0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AC0FCA
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00078
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00067
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00F8D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00F9E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FAF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B000C1
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B000B0
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00101
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00F68
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F57
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00040
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00089
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00FCA
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FDB
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B000E6
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FA8
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0F79
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0FC3
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0036
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF0025
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0014
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0025
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0F9A
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE0FC6
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0FAB
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F57
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0004C
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C0003B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00F72
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C0008E
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F3C
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F06
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000A9
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C000BA
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00F8D
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C0005D
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F2B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FA1
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FCD
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FBC
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01820000
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01820FEF
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0182001B
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03760FE5
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03760076
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03760F81
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03760F9C
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03760065
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03760FB9
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03760F5A
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037600AC
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037600D8
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037600BD
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03760F2E
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0376004A
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0376000A
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03760091
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0376001B
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03760FCA
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03760F49
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03750FA8
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03750F79
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03750FC3
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03750FDE
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03750040
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03750FEF
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03750025
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03750014
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01850F95
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!system 77C293C7 5 Bytes JMP 01850FA6
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01850FC1
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01850FE3
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01850016
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01850FD2
.text C:\WINDOWS\System32\svchost.exe[1264] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01830000
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01840011
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01840000
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01840022
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0184003F
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006C0011
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00790056
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00790045
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 00790F6B
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790F7C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FA8
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790F15
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790067
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007900A4
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00790093
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007900B5
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790F97
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790FDE
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790F3C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790FC3
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00790014
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00790078
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780FCD
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780F75
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780014
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780FDE
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780F86
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00780FA1
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [98, 88]
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780FBC
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770FBC
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FCD
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0077000C
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770FDE
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770029
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006C0FCA
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009E007D
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009E0F88
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009E0FA5
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009E0062
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009E0FDB
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009E0F57
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009E00A9
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009E0F06
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009E0F21
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009E00BA
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009E0FC0
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009E008E
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009E0047
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009E0036
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009E0F3C
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009D0F79
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009D001B
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009D0040
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BD, 88]
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009D0FAF
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009C0F9A
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 009C0FB5
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009C0FC6
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009C001B
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009C0FD7
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0065
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0054
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0043
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0F86
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0FB2
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C0F53
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C009B
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C0F27
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C0F38
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C00DB
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C0F97
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C008A
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0FC3
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C00C0
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B002F
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0054
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B0FDE
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0F97
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006B0FB2
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B0FC3
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCF7 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660F97
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660FB2
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00660011
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00660022
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00660FE3
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00650014
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[3344] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\Explorer.EXE[3344] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FEF
.text C:\WINDOWS\Explorer.EXE[3344] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090025
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F7E
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F99
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FB6
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0073
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B003D
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00BA
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00A9
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F3C
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F57
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F2B
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0058
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B001B
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B008E
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FD1
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B002C
.text C:\WINDOWS\Explorer.EXE[3344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00CB
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0014
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F97
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A004A
.text C:\WINDOWS\Explorer.EXE[3344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0025
.text C:\WINDOWS\Explorer.EXE[3344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F86
.text C:\WINDOWS\Explorer.EXE[3344] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0F97
.text C:\WINDOWS\Explorer.EXE[3344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FC6
.text C:\WINDOWS\Explorer.EXE[3344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0011
.text C:\WINDOWS\Explorer.EXE[3344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[3344] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[3344] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 002D000A
.text C:\WINDOWS\Explorer.EXE[3344] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 002D0027
.text C:\WINDOWS\Explorer.EXE[3344] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\Explorer.EXE[3344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50000
.text C:\Program Files\Mozilla Firefox\firefox.exe[3744] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E8FA4 C:\Program Files\Xfire\xfire_toucan_42628.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E90A4 C:\Program Files\Xfire\xfire_toucan_42628.dll (Xfire Toucan DLL/Xfire Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1948] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1948] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----



hope this helps. ill be keeping tabs daily for your reply.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 25 May 2010 - 10:07 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 26 May 2010 - 02:24 AM

heres is the ComboFix Log


ComboFix 10-05-25.02 - Trung Ly 05/26/2010 0:12.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1263.657 [GMT -7:00]
Running from: c:\documents and settings\Trung Ly\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-22 19:06 . 2010-05-22 08:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-22 08:21 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 08:21 . 2010-05-22 08:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-22 08:17 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-22 08:17 . 2010-05-22 08:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 08:16 . 2010-05-22 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-22 08:16 . 2010-05-22 08:17 -------- d-----w- c:\program files\Lavasoft
2010-05-22 08:10 . 2010-05-22 08:10 388096 ----a-r- c:\documents and settings\Trung Ly\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-22 08:10 . 2010-05-22 08:10 -------- d-----w- c:\program files\Trend Micro
2010-05-21 22:59 . 2010-05-22 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 22:59 . 2010-05-22 01:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 20:09 . 2010-05-22 01:15 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-21 19:28 . 2010-05-21 19:26 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-05-21 19:25 . 2010-05-21 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-05-21 19:25 . 2010-05-21 19:25 151552 ---ha-w- C:\SZKGFS.dat
2010-05-21 19:24 . 2010-05-21 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-05-21 19:24 . 2010-05-21 19:24 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 20:28 . 2010-05-20 20:28 -------- d-----w- c:\documents and settings\Trung Ly\Local Settings\Application Data\Internet Content Assistant
2010-05-20 20:26 . 2010-05-20 20:26 -------- d-----w- c:\program files\Internet Content Assistant
2010-05-20 20:26 . 2010-05-20 20:26 -------- d-----w- c:\program files\Customized Web Management
2010-05-20 20:26 . 2010-05-20 20:26 -------- d-----w- c:\documents and settings\Trung Ly\Local Settings\Application Data\Internet Connection Wizard
2010-05-20 20:26 . 2010-05-20 20:26 -------- d-----w- c:\program files\Internet Connection Wizard
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\documents and settings\Trung Ly\Local Settings\Application Data\Advanced Access Controller
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\program files\Advanced Access Controller
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\documents and settings\Trung Ly\Local Settings\Application Data\Count Access Advancer
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\program files\Common Files\Count Access Advancer
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\program files\Count Access Advancer
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\documents and settings\Trung Ly\Local Settings\Application Data\Automated Result Operator
2010-05-20 20:25 . 2010-05-20 20:25 -------- d-----w- c:\program files\Automated Result Operator
2010-05-20 20:23 . 2010-05-22 01:15 -------- d-----w- c:\documents and settings\Trung Ly\Local Settings\Application Data\GamezJoint Toolbar
2010-05-18 05:34 . 2010-05-18 05:34 -------- d-----w- c:\documents and settings\Trung Ly\Application Data\LolClient
2010-05-18 05:26 . 2010-05-18 05:26 38784 ----a-w- c:\documents and settings\Trung Ly\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-18 05:22 . 2010-05-18 05:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-18 05:15 . 2010-05-18 05:15 -------- d-----w- C:\Riot Games
2010-05-11 06:28 . 2010-05-11 07:56 -------- d-----w- c:\documents and settings\Trung Ly\Application Data\TS3Client
2010-05-11 06:26 . 2010-05-11 06:27 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-05-07 19:52 . 2010-05-07 19:52 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-30 04:49 . 2010-05-07 02:15 -------- d-----w- C:\Xpader
2010-04-28 17:43 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 07:00 . 2010-01-11 21:41 -------- d-----w- c:\documents and settings\Trung Ly\Application Data\Xfire
2010-05-26 04:49 . 2009-12-08 21:16 -------- d-----w- c:\program files\Xfire
2010-05-25 23:04 . 2009-12-08 20:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-22 01:18 . 2010-04-15 00:55 -------- d-----w- c:\program files\Spyware Doctor
2010-05-22 01:18 . 2009-12-08 20:50 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-21 20:04 . 2010-05-21 19:35 992 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-18 05:15 . 2010-04-15 04:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 04:59 . 2009-12-08 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-04-28 17:43 . 2010-04-01 00:53 -------- d-----w- c:\program files\Java
2010-04-28 00:16 . 2010-04-15 01:51 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16 . 2010-04-15 01:51 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16 . 2010-04-15 01:51 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16 . 2010-04-15 01:51 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16 . 2010-04-15 01:51 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16 . 2010-04-15 01:51 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16 . 2010-04-15 01:51 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16 . 2010-04-15 01:51 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-28 00:16 . 2010-01-06 01:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16 . 2010-01-06 01:04 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 02:56 . 2010-04-27 02:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2010-04-27 02:56 . 2010-04-27 02:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-21 00:30 . 2010-04-21 00:30 -------- d-----w- c:\documents and settings\Trung Ly\Application Data\Turbine
2010-04-21 00:30 . 2010-04-21 00:30 131 ----a-w- c:\documents and settings\Trung Ly\Local Settings\Application Data\fusioncache.dat
2010-04-20 23:22 . 2010-04-20 23:22 -------- d-----w- c:\program files\Turbine
2010-04-19 23:00 . 2010-04-23 02:11 22419256 ----a-w- c:\program files\osu!install.exe
2010-04-16 21:19 . 2010-04-15 01:21 -------- d-----w- c:\program files\McAfee
2010-04-15 01:59 . 2009-12-10 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-15 01:53 . 2010-04-15 01:53 -------- d-----w- c:\program files\McAfeeMOBK
2010-04-15 01:53 . 2010-04-15 01:53 -------- d-----w- c:\program files\McAfee Online Backup
2010-04-15 01:52 . 2010-04-15 01:22 -------- d-----w- c:\program files\Common Files\Mcafee
2010-04-15 01:51 . 2010-04-15 01:51 -------- d-----w- c:\program files\McAfee.com
2010-04-15 01:23 . 2010-01-07 01:58 -------- d-----w- c:\program files\SiteAdvisor
2010-04-15 01:03 . 2010-04-15 01:03 -------- d-----w- c:\documents and settings\Trung Ly\Application Data\BitDefender
2010-04-15 01:03 . 2010-04-14 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-04-15 00:54 . 2010-04-14 22:26 -------- d-----w- c:\program files\Spyware Doctor(2)
2010-04-15 00:53 . 2010-04-14 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-14 23:11 . 2010-04-14 23:11 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-04-14 23:05 . 2010-04-14 23:05 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-14 23:05 . 2010-04-14 23:05 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-14 22:57 . 2010-04-14 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-14 06:10 . 2010-04-14 06:10 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-04-14 06:10 . 2010-04-14 06:10 16 ----a-w- c:\windows\system32\asdict.dat
2010-04-14 06:08 . 2010-04-14 06:08 -------- d-----w- c:\program files\MSXML 4.0
2010-04-02 03:07 . 2009-12-08 22:02 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-04-02 03:07 . 2009-12-08 22:02 -------- d-----w- c:\program files\DVDVideoSoft
2010-04-01 00:54 . 2010-04-01 00:54 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 03:51 . 2010-02-27 06:23 -------- d-----w- c:\documents and settings\Trung Ly\Application Data\Ventrilo
2010-03-28 00:23 . 2009-12-22 22:30 24928 ----a-w- c:\documents and settings\Trung Ly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-28 00:19 . 2010-03-28 00:19 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-12 02:29 . 2010-03-12 02:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-12 02:29 . 2010-03-12 02:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-09 11:09 . 2009-11-30 00:28 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 20:01 . 2010-03-01 20:01 1794784 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\NMService.exe
2010-03-01 20:01 . 2010-03-01 20:01 774888 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGMDll.dll
2010-03-01 20:01 . 2010-03-01 20:01 475888 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGMResource.dll
2010-03-01 20:01 . 2010-03-01 20:01 307944 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmcogame.dll
2010-03-01 20:01 . 2010-03-01 20:01 176864 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGM.exe
2010-03-01 20:01 . 2010-03-01 20:01 131808 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\nxgame.dll
2010-03-01 20:01 . 2010-03-01 20:01 103136 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\npNxGame.dll
2010-02-26 05:43 . 2009-11-30 00:28 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2009-11-30 00:23 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-28 00:16 . 2010-04-15 01:51 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-12-31 19:53 2349080 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 04:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 04:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 04:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-24 2937528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]

c:\documents and settings\Trung Ly\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-5-7 3475856]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56841:TCP"= 56841:TCP:Pando Media Booster
"56841:UDP"= 56841:UDP:Pando Media Booster
"57338:TCP"= 57338:TCP:Pando Media Booster
"57338:UDP"= 57338:UDP:Pando Media Booster
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 1:21 AM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/14/2010 6:51 PM 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [4/14/2010 6:53 PM 54776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1314704]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/14/2010 6:51 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/14/2010 6:51 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/14/2010 6:51 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/14/2010 6:51 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [4/14/2010 6:51 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 9:14 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/14/2010 6:51 PM 55456]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/8/2009 2:01 PM 115312]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/14/2010 6:51 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/14/2010 6:51 PM 88480]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/14/2010 6:51 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/14/2010 6:51 PM 83496]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 08:20]
.
.
------- Supplementary Scan -------
.
DPF: {9709739B-4909-489B-A1F7-148C74F16EEE} - hxxp://s.nx.com/ActiveX/ocx/nxsysinfo.cab
FF - ProfilePath - c:\documents and settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|http://search.conduit.com/?ctid=CT2304157&SearchSource=13
FF - component: c:\documents and settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\Advanced Access Controller\4.6.0.2670\FF\components\AACFFAddOn.dll
FF - component: c:\program files\Automated Result Operator\4.6.0.2810\FF\components\AROFFAddOn.dll
FF - component: c:\program files\Count Access Advancer\5.6.0.7190\FF\components\CAAFFAddOn.dll
FF - component: c:\program files\Customized Web Management\1.6.0.3840\FF\components\CWMFFAddOn.dll
FF - component: c:\program files\Internet Content Assistant\1.6.0.3960\FF\components\ICAFFAddOn.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Nexon\NGM\npNxGame.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-LSI Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 00:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"
"Device"="yM29zbvPzMnLvrm+x8fPzce+zro="
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-26 00:19:25
ComboFix-quarantined-files.txt 2010-05-26 07:19

Pre-Run: 161,527,545,856 bytes free
Post-Run: 161,503,993,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D0E0CA2E78BE0656C51E1B0D206A6405


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 26 May 2010 - 03:08 AM

Hello again, please let me know how things are running now.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 27 May 2010 - 12:23 AM

heres the logs from malwarebytes'

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4147

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/26/2010 10:15:41 PM
mbam-log-2010-05-26 (22-15-41).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 231959
Time elapsed: 1 hour(s), 9 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3de88beb-f271-484a-ba71-01d30f439f0c} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{50ad41d2-b1f0-47cc-9ea7-395355eaeebd} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ceb185e-81a5-46d3-bc20-c555d605afbd} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a72522ba-9ff3-4c83-abc6-9b476728a396} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5762628-ae15-4ca6-96c4-b00dd17f3419} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d062e03e-65ca-49e4-9b15-31938ba98922} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Explorer\Bars\{cac89ff9-34a9-4431-8cfe-292a47f843bc} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Explorer\Bars\{b72681c0-a222-4b21-a0e2-53a5a5ca3d411} (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{8141440e-08f0-4339-9959-5c31c6a69f23} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{e63605fc-d583-4c81-867f-9457bdb3ea1b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{e889f097-b0be-471b-89ad-b86b6f04b506} (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




unfortunate it is still running the same. slightly faster but no drastic changes. still getting pop-ups of the same sites. also gained something new. which was whenever start up Firefox another tab other then my homepage pops up for a different search engen. this happened about 1 day ago before i started installing the things you said to try.

would you want me to make a list of the pop-up sites to see if that will help resolve it any faster?

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 27 May 2010 - 11:49 AM

Hello again,

Do you have this problem only with firefox or also with Internet explorer (please experiment a bit if you do not use Internet explorer usually).

Please click Start > All Programs > Mozilla Firefox and select the option to start Firefox (safemode). This will run Firefox without any add ons. Please let me know if it still shows the pop ups when doing this.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 27 May 2010 - 03:50 PM

ive played around with it in safe mode. it dose not have anything for pop ups other then that other tab that isn't my homepage , for what i start it up.

internet explorer dose not have any of the issue that fire fox dose.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 28 May 2010 - 01:44 AM

Okay, that means we know where to start looking now, which is in the Firefox Add ons smile.gif

Can you please rerun OTL and post me the log (no need for extra.txt).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 28 May 2010 - 03:13 AM

OTL logfile created on: 5/28/2010 1:15:51 AM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Trung Ly\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1704 3408 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 151.64 Gb Free Space | 79.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.88 Gb Total Space | 212.56 Gb Free Space | 91.27% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OLYMPIC
Current User Name: Trung Ly
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 01:15:05 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trung Ly\My Documents\Downloads\OTL(2).exe
PRC - [2010/05/07 12:52:38 | 003,475,856 | ---- | M] (Xfire Inc.) -- C:\Program Files\Xfire\Xfire.exe
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PRC - [2010/04/02 13:02:44 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2009/03/27 23:10:56 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 01:15:05 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trung Ly\My Documents\Downloads\OTL(2).exe
MOD - [2010/05/07 12:52:48 | 000,962,448 | ---- | M] (Xfire Inc.) -- C:\Program Files\Xfire\xfire_toucan_42628.dll
MOD - [2010/02/17 21:08:00 | 000,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 17:12:10 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2003/02/21 04:42:22 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/27 23:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/02/05 21:13:48 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/10/04 14:33:14 | 000,115,312 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2009/08/13 16:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/08/06 07:50:00 | 007,753,888 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/08/28 17:05:12 | 000,055,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2006/03/31 22:32:40 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/23 19:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/04 12:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 12:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 12:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 12:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 12:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 12:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 12:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 12:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 12:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 12:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 12:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 12:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 12:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 12:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 12:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 06:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\URLSearchHook: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "XfireXO Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.theprizeday.com/today.php|http://search.conduit.com/?ctid=CT2304157&SearchSource=13"
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.459
FF - prefs.js..extensions.enabledItems: {52ED9673-0722-4A1D-B859-959FD56143DC}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: keyscrambler@qfx.software.corporation:2.6.0.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7
FF - prefs.js..extensions.enabledItems: {5e5ab302-7f65-44cd-8211-c1d4caaccea3}:2.5.6.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AA1ACB70-B5F1-4037-909E-1F725B04D2A8}:1.6.0.3840
FF - prefs.js..extensions.enabledItems: {5909FC3D-7F8B-415d-A5D1-7C7E941E536E}:1.6.0.3960
FF - prefs.js..extensions.enabledItems: yespopupsV1@patheticcockroach.com:0.9.8b

FF - HKLM\software\mozilla\Firefox\extensions\\FFToolbar@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2010\bdaphffext\
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/21 02:07:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{AA1ACB70-B5F1-4037-909E-1F725B04D2A8}: C:\Program Files\Customized Web Management\1.6.0.3840\FF [2010/05/20 13:26:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{5909FC3D-7F8B-415d-A5D1-7C7E941E536E}: C:\Program Files\Internet Content Assistant\1.6.0.3960\FF [2010/05/20 13:26:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/13 14:21:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/28 10:43:42 | 000,000,000 | ---D | M]

[2009/12/08 13:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Extensions
[2010/05/26 16:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions
[2010/02/11 00:42:27 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
[2010/01/22 22:00:55 | 000,000,000 | ---D | M] (XfireXO Toolbar) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}
[2010/04/30 19:36:57 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/08 13:26:27 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/12/08 14:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\keyscrambler@qfx.software.corporation
[2010/04/13 13:09:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\personas@christopher.beard
[2010/05/21 18:17:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\extensions\yespopupsV1@patheticcockroach.com
[2009/11/13 03:25:04 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Trung Ly\Application Data\Mozilla\Firefox\Profiles\1sxfbsif.default\searchplugins\conduit.xml
[2010/05/26 16:37:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/20 13:27:06 | 000,000,000 | ---D | M] (BrowserZinc) -- C:\Program Files\Mozilla Firefox\extensions\{52ED9673-0722-4A1D-B859-959FD56143DC}
[2010/04/28 10:43:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/14 17:53:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/02/24 01:15:08 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2009/09/21 11:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml

O1 HOSTS File: ([2010/05/26 00:16:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (KeyScramblerBHO Class) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20100513142139.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\..\Toolbar\WebBrowser: (XfireXO Toolbar) - {5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\Trung Ly\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (Xfire Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9709739B-4909-489B-A1F7-148C74F16EEE} http://s.nx.com/ActiveX/ocx/nxsysinfo.cab (CNxSysInfoCtrl Object)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 11:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/26 11:04:39 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-4162173360-2909499422-1688867590-1006\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/27 13:23:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/05/26 21:00:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Application Data\Malwarebytes
[2010/05/26 21:00:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/26 21:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/26 21:00:38 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/26 21:00:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/26 00:25:46 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/26 00:10:23 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/26 00:08:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/26 00:08:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/26 00:08:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/26 00:08:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/26 00:08:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/26 00:08:03 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/22 01:21:09 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/22 01:16:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/05/22 01:10:21 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/21 18:18:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Trung Ly\Recent
[2010/05/21 15:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/21 15:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/21 13:09:26 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/05/21 12:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/05/21 12:24:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/05/21 12:24:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/05/20 13:28:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Internet Content Assistant
[2010/05/20 13:26:36 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Content Assistant
[2010/05/20 13:26:20 | 000,000,000 | ---D | C] -- C:\Program Files\Customized Web Management
[2010/05/20 13:26:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Internet Connection Wizard
[2010/05/20 13:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Connection Wizard
[2010/05/20 13:25:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Advanced Access Controller
[2010/05/20 13:25:49 | 000,000,000 | ---D | C] -- C:\Program Files\Advanced Access Controller
[2010/05/20 13:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Count Access Advancer
[2010/05/20 13:25:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Count Access Advancer
[2010/05/20 13:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\Count Access Advancer
[2010/05/20 13:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\Automated Result Operator
[2010/05/20 13:25:12 | 000,000,000 | ---D | C] -- C:\Program Files\Automated Result Operator
[2010/05/20 13:23:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\GamezJoint Toolbar
[2010/05/17 22:34:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Application Data\LolClient
[2010/05/17 22:22:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/05/17 22:15:24 | 000,000,000 | ---D | C] -- C:\Riot Games
[2010/05/15 10:38:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\My Documents\My Received Files
[2010/05/10 23:28:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Trung Ly\Application Data\TS3Client
[2010/05/10 23:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\TeamSpeak 3 Client
[2010/04/29 21:49:22 | 000,000,000 | ---D | C] -- C:\Xpader
[2010/04/28 10:43:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/28 10:43:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/28 10:43:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/28 10:43:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/27 23:01:54 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/05/27 13:31:57 | 000,248,739 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/05/27 13:27:20 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/27 13:27:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/27 13:27:14 | 1323,999,232 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/27 13:26:09 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\Trung Ly\ntuser.dat
[2010/05/27 13:26:09 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Trung Ly\ntuser.ini
[2010/05/27 13:26:02 | 002,663,678 | -H-- | M] () -- C:\Documents and Settings\Trung Ly\Local Settings\Application Data\IconCache.db
[2010/05/27 13:00:52 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/26 00:16:57 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/26 00:16:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/26 00:10:28 | 000,000,270 | RHS- | M] () -- C:\boot.ini
[2010/05/22 01:21:04 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/21 13:04:44 | 000,000,992 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/05/21 12:25:25 | 000,151,552 | -H-- | M] () -- C:\SZKGFS.dat
[2010/05/15 10:39:58 | 000,438,892 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/15 10:39:58 | 000,380,680 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/15 10:39:58 | 000,052,968 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/07 12:52:46 | 000,041,872 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/26 00:10:28 | 000,000,201 | ---- | C] () -- C:\Boot.bak
[2010/05/26 00:10:25 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/26 00:08:57 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/26 00:08:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/26 00:08:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/26 00:08:57 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/26 00:08:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/22 01:22:26 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/21 12:35:55 | 000,000,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/05/21 12:25:25 | 000,151,552 | -H-- | C] () -- C:\SZKGFS.dat
[2010/05/07 12:52:46 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/05/02 22:04:49 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/02/26 23:22:08 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2007/12/05 02:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 02:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 02:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 02:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/27 03:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/26 09:12:43 | 000,000,465 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 09:12:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEB15613
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5160F090
< End of report >

Edited by Mitsukake, 28 May 2010 - 03:24 AM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 28 May 2010 - 05:28 AM

Hello again, please run the following fix and let me know if anything has changed.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    [2010/05/20 13:27:06 | 000,000,000 | ---D | M] (BrowserZinc) -- C:\Program Files\Mozilla Firefox\extensions\{52ED9673-0722-4A1D-B859-959FD56143DC}
    FF - prefs.js..extensions.enabledItems: {52ED9673-0722-4A1D-B859-959FD56143DC}:1.0

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 29 May 2010 - 02:17 AM

everything seems to be working the same it was beforhand of my issues. only thing now to get rid of is the tab that opens up when i start fire fox . how do i do so?

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:34 AM

Posted 29 May 2010 - 03:16 AM

Please try to be as detailed as possible. How does the tab look, is it empty or does it have an address?

What you could do is, backup your FF profile and addons (I believe you can export/backup it all), uninstall Firefox, reinstall it and import your backed up data. Since you mentioned this tab also comes up with all Add ons disabled, this ought to solve the issue.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Mitsukake

Mitsukake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 29 May 2010 - 04:36 PM

the address is http://www.hotebar.com/

and it shows up with a white page with a search bar with a smiley face with a magnifier glass but that's when its fully done loaded. when its loading the address is http://www.theprizeday.com/today.php

and i wouldn't know where to find those files to back up.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users