Search engine redirect malware


  • This topic is locked
16 replies to this topic

#1 arnoo81

  • Members
  • 8 posts

Posted 24 May 2010 - 03:57 PM

Hello,

My computer has recently been infected with the annoying Yahoo/Google search result links being redirected to various sites. I ran Defogger and I was able to run DDS and saved the logs from it; however, when I ran GMER my computer restarted during the scan both times I attempted it. Let me know what I can do to resolve this. Thanks.



DDS (Ver_10-03-17.01) - NTFSx86
Run by CentanAV at 15:53:50.67 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2436 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\centanav\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Discovery User Input] c:\discovery\user input\userin32.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: pbrc.edu\pinetest
Trusted Zone: pbrc.edu\pinetest
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {0B374B66-2ABD-11D5-9DE6-00B0D0236D7B} - hxxp://pine.pbrc.edu/cln/bin/PBRCCalendar.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250262986250
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://pine.pbrc.edu/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-14 340592]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-8-14 24064]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-29 198184]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-9-29 143088]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-8-14 67904]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-4-10 77824]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-8-14 2066968]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [2009-10-16 20008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-8-14 144480]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-14 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-14 42424]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2009-10-25 57600]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-8-14 64432]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

=============== Created Last 30 ================

2010-05-24 20:11:48 0 ----a-w- c:\documents and settings\centanav\defogger_reenable
2010-05-21 19:54:11 15 ----a-w- c:\documents and settings\centanav\settings.dat
2010-05-21 19:39:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 19:37:28 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-21 17:29:49 2 --shatr- c:\windows\winstart.bat
2010-05-21 17:29:35 0 d-----w- c:\program files\UnHackMe
2010-05-21 17:07:00 2374 ----a-w- c:\windows\system32\.crusader
2010-05-21 17:02:09 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-21 17:01:57 0 d-----w- c:\program files\Hitman Pro 3.5
2010-05-21 17:01:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-21 16:47:49 0 d-----w- c:\program files\CCleaner
2010-05-21 15:19:04 0 d-----w- c:\docume~1\centanav\applic~1\Malwarebytes
2010-05-21 15:18:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 15:18:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 15:18:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 15:18:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 14:58:46 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 14:58:46 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-21 14:57:35 0 d-----w- c:\docume~1\centanav\applic~1\F70CC47845092636EC1AFB8A7243B771
2010-05-20 20:31:57 0 d-----w- c:\program files\Free RAR Extract Frog
2010-05-19 21:08:29 29 ----a-w- c:\windows\DEBUGSM.INI
2010-05-19 21:06:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-05-19 21:06:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-05-19 20:59:04 9216 ----a-w- c:\windows\system32\escdev.dll
2010-05-19 20:59:04 0 d-----w- c:\program files\epson
2010-05-19 20:59:03 65793 ----a-w- c:\windows\system32\esfw54.bin
2010-05-19 20:59:03 63488 ----a-w- c:\windows\system32\eswia54.dll
2010-05-19 20:59:03 3584 ----a-w- c:\windows\system32\eswiaml.dll
2010-05-19 20:59:03 172032 ----a-w- c:\windows\system32\esint54.dll
2010-05-19 20:58:36 0 d-----w- C:\EPSON

==================== Find3M ====================

2010-05-24 20:20:19 20008 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 15:54:11.45 ===============

Attached Files





#2 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts

Posted 26 May 2010 - 11:43 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
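The custom scan pasted in the post above asks OTL for three things a redirect-malware triage needs: MD5s of a fixed list of storage drivers and logon DLLs (the /md5start ... /md5stop block), driver files changed in the last 90 days (drivers\*.sys /90), and the state of the hosts file. The script below is an added example, not part of the original thread and not OTL's own code: it reproduces those three checks offline in Python over a constructed driver directory and hosts file in a temp folder. The driver bytes, the baseline hashes, and the 198.51.100.7 hosts entry are all constructed for the demo; a real baseline would come from a clean install or a vendor hash list, and MD5 is used only because that is what the scan reports, not because it is collision-resistant.

```python
"""Offline triage helper: hash listed files against a baseline, flag files
modified within N days, and parse a hosts file for non-loopback redirects.
Added example; all sample data below is constructed, not real driver content."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed "clean" driver contents for the demo (NOT real Windows driver bytes).
GOOD_ATAPI = b"constructed clean atapi.sys bytes"
GOOD_IASTOR = b"constructed clean iaStor.sys bytes"


def md5_file(path):
    """Hex MD5 of a file, read in chunks so a large driver is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_hashes(driver_dir, baseline):
    """Compare each baselined file's MD5 with the expected value.
    Returns {name: 'ok' | 'MISMATCH' | 'missing'}; a mismatch on a file the
    vendor never updated is the signal the /md5start block is looking for."""
    results = {}
    for name, expected in baseline.items():
        p = Path(driver_dir) / name
        if not p.is_file():
            results[name] = "missing"
        elif md5_file(p) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def recently_modified(directory, pattern, days, now=None):
    """Names of files matching `pattern` whose mtime is within the last `days`
    days (the equivalent of OTL's `drivers\\*.sys /90`)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(p.name for p in Path(directory).glob(pattern)
                  if p.stat().st_mtime >= cutoff)


def suspicious_hosts_entries(hosts_path):
    """Parse a hosts file and return (ip, hostname) pairs that send a non-local
    hostname anywhere other than loopback. Returns None if the file is absent,
    which is what OTL reports as 'Hosts file not found'."""
    p = Path(hosts_path)
    if not p.is_file():
        return None
    flagged = []
    for line in p.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() == "localhost":
                continue
            if not (ip.startswith("127.") or ip == "::1"):
                flagged.append((ip, name))
    return flagged


def demo():
    """Build a constructed driver directory and hosts file, run the three checks."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        drv = Path(tmp) / "drivers"
        drv.mkdir()
        (drv / "atapi.sys").write_bytes(GOOD_ATAPI)                   # matches baseline
        (drv / "iaStor.sys").write_bytes(GOOD_IASTOR + b"\x90\x90")   # constructed tampering
        old = now - 200 * 86400
        os.utime(drv / "atapi.sys", (old, old))    # untouched for 200 days
        os.utime(drv / "iaStor.sys", (now, now))   # modified just now
        hosts = Path(tmp) / "hosts"
        hosts.write_text(
            "# constructed sample hosts file\n"
            "127.0.0.1 localhost\n"
            "198.51.100.7 www.google.com search.yahoo.com\n"   # constructed redirect entry
        )
        baseline = {
            "atapi.sys": hashlib.md5(GOOD_ATAPI).hexdigest(),
            "iaStor.sys": hashlib.md5(GOOD_IASTOR).hexdigest(),
            "nvstor.sys": "0" * 32,   # in the scan list but not present on this machine
        }
        return {
            "hashes": check_hashes(drv, baseline),
            "recent_sys": recently_modified(drv, "*.sys", 90, now=now),
            "hosts": suspicious_hosts_entries(hosts),
            "hosts_missing": suspicious_hosts_entries(Path(tmp) / "no_such_hosts"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the three findings: the tampered driver shows as MISMATCH, the same driver is the only one modified in the last 90 days, and the hosts file maps two search domains to a non-loopback address. A hash mismatch alone is not proof of infection (a vendor update changes the hash too), which is why the recent-modification window and the hosts check are read together rather than separately.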




#3 arnoo81

  • Topic Starter

  • Members
  • 8 posts

Posted 26 May 2010 - 12:00 PM

Thanks for taking my case, Myrti.

Here is the OTL file:

OTL logfile created on: 5/26/2010 11:48:12 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\centanav\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.97 Gb Total Space | 128.43 Gb Free Space | 86.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 4830.75 Gb Total Space | 924.81 Gb Free Space | 19.14% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive O: | 4830.75 Gb Total Space | 924.81 Gb Free Space | 19.14% Space Free | Partition Type: NTFS
Drive S: | 4830.75 Gb Total Space | 474.54 Gb Free Space | 9.82% Space Free | Partition Type: NTFS
Drive T: | 4830.75 Gb Total Space | 474.54 Gb Free Space | 9.82% Space Free | Partition Type: NTFS
Drive X: | 4830.75 Gb Total Space | 924.81 Gb Free Space | 19.14% Space Free | Partition Type: NTFS
Drive Z: | 8254.01 Gb Total Space | 2555.41 Gb Free Space | 30.96% Space Free | Partition Type: NTFS

Computer Name: P002695-DT
Current User Name: CentanAV
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/26 11:46:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\centanav\Desktop\OTL.exe
PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/11/19 12:26:54 | 000,455,944 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2009/08/17 22:54:54 | 012,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/07/16 12:08:38 | 001,253,152 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
PRC - [2009/07/16 12:04:56 | 000,376,096 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
PRC - [2009/06/22 14:21:40 | 001,044,480 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2009/06/17 12:49:07 | 000,476,448 | ---- | M] (Centennial Software Limited ) -- c:\CENTENN.IAL\AUDIT\xferwan.exe
PRC - [2009/06/17 12:49:05 | 001,004,832 | ---- | M] (Centennial Software Limited ) -- c:\CENTENN.IAL\AUDIT\cagent32.exe
PRC - [2009/06/11 21:46:46 | 000,656,384 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
PRC - [2009/04/10 12:08:18 | 001,810,432 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
PRC - [2009/04/10 12:08:00 | 000,077,824 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
PRC - [2009/04/02 17:33:16 | 000,128,232 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2009/02/27 13:42:50 | 002,066,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2009/02/27 13:42:46 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2008/12/11 19:53:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/12/11 19:53:40 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2008/09/29 08:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2008/09/29 08:07:00 | 000,026,672 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2008/05/29 18:57:22 | 000,298,024 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
PRC - [2008/05/29 18:57:22 | 000,198,184 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe
PRC - [2008/05/29 18:57:22 | 000,141,864 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe
PRC - [2008/05/29 18:57:22 | 000,128,552 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 04:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 04:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/03/14 04:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2006/10/12 15:57:08 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
PRC - [2006/06/20 23:36:22 | 001,207,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/06/20 23:36:00 | 000,187,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe


========== Modules (SafeList) ==========

MOD - [2010/05/26 11:46:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\centanav\Desktop\OTL.exe
MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/06 18:47:44 | 002,478,640 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3697.dll -- (Akamai)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/11/19 12:26:54 | 000,455,944 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2009/07/16 12:04:56 | 000,376,096 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)
SRV - [2009/06/17 12:49:07 | 000,476,448 | ---- | M] (Centennial Software Limited ) [Auto | Running] -- c:\CENTENN.IAL\AUDIT\xferwan.exe -- (CentennialIPTransferAgent)
SRV - [2009/06/17 12:49:05 | 001,004,832 | ---- | M] (Centennial Software Limited ) [Auto | Running] -- c:\CENTENN.IAL\AUDIT\cagent32.exe -- (CentennialClientAgent)
SRV - [2009/04/10 12:08:00 | 000,077,824 | ---- | M] (Smith Micro Software, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe -- (SMManager)
SRV - [2009/02/27 13:42:50 | 002,066,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/02/27 13:42:46 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2008/12/11 19:53:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2008/05/29 18:57:22 | 000,198,184 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
SRV - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2010/05/25 13:11:16 | 000,020,008 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CDProbe.SYS -- (CdProbe)
DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/10/25 05:44:34 | 000,057,600 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SCR3XX2K.sys -- (SCR3XX2K)
DRV - [2009/05/18 13:26:54 | 000,339,456 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2008/12/11 19:27:54 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/12/01 17:13:42 | 003,452,928 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/20 12:23:12 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2008/09/29 08:07:00 | 000,340,592 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/09/29 08:07:00 | 000,090,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/09/29 08:07:00 | 000,074,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/09/29 08:07:00 | 000,064,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2008/09/29 08:07:00 | 000,062,704 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/09/29 08:07:00 | 000,042,424 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/06/05 11:58:18 | 000,144,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel®
DRV - [2008/06/04 14:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/03/28 11:14:02 | 000,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO)
DRV - [2008/02/20 21:19:56 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2007/09/06 15:53:12 | 000,014,848 | ---- | M] (Silicon Laboratories) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys -- (DSI_SiUSBXp_3_1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"


[2010/05/20 15:04:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\centanav\Application Data\Mozilla\Extensions
[2010/05/20 15:04:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\centanav\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2007/04/03 13:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\centanav\Application Data\Mozilla\Firefox\Profiles\50dfp48f.default\extensions

Hosts file not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [DellConnectionManager] C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)
O4 - HKLM..\Run: [DellControlPoint] C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell Inc.)
O4 - HKLM..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe (Centennial Software Limited )
O4 - HKLM..\Run: [EEventManager] C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\.DEFAULT..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe (ActivIdentity)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: pbrc.edu ([citrix] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([citrix] https in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([connect] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([connect] https in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([cs] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([cs] https in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([go] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([go] https in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([pine] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([pinedev] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([pinetest] http in Trusted sites)
O15 - HKLM\..Trusted Domains: pbrc.edu ([repo] http in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([servicedesk] * in Local intranet)
O15 - HKLM\..Trusted Domains: pbrc.edu ([servicedesk] http in Local intranet)
O15 - HKLM\..Trusted Domains: pine ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([citrix] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([citrix] https in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([connect] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([connect] https in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([cs] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([cs] https in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([go] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([go] https in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([pine] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([pinedev] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([pinetest] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([repo] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([servicedesk] * in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pbrc.edu ([servicedesk] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: pine ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([citrix] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([citrix] https in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([connect] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([connect] https in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([cs] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([cs] https in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([go] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([go] https in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([pine] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([pinedev] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([pinetest] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([repo] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([servicedesk] * in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pbrc.edu ([servicedesk] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: pine ([]http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([citrix] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([citrix] https in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([connect] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([connect] https in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([cs] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([cs] https in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([go] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([go] https in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([pine] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([pinedev] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([pinetest] http in Trusted sites)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([repo] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([servicedesk] * in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pbrc.edu ([servicedesk] http in Local intranet)
O15 - HKU\S-1-5-21-1260519909-2147242331-367356602-5511\..Trusted Domains: pine ([]http in Local intranet)
O16 - DPF: {0B374B66-2ABD-11D5-9DE6-00B0D0236D7B} http://pine.pbrc.edu/cln/bin/PBRCCalendar.cab (VB Calendar Control Sample)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1250262986250 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} http://pine.pbrc.edu/viewer/activeXViewer/activexviewer.cab (Crystal Report Viewer Control)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.1.0...inAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.50.0.70 10.50.0.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbrc.edu
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - C:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/14 07:49:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{db9296bf-2303-11df-a103-0023ae911534}\Shell\AutoRun\command - "" = F:\Setup_FlipShare.exe -- File not found
O33 - MountPoints2\{db9296bf-2303-11df-a103-0023ae911534}\Shell\Setup FlipShare\command - "" = F:\Setup_FlipShare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: McAfeeEngineService - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.3IV2 - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx Technologies Pty. Ltd.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/14 02:30:20 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/26 11:46:22 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\centanav\Desktop\OTL.exe
[2010/05/26 03:00:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/05/25 13:22:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Desktop\wedding pics
[2010/05/24 11:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Desktop\logs
[2010/05/24 10:55:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Desktop\gmer
[2010/05/21 15:20:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\centanav\Recent
[2010/05/21 14:39:05 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/21 14:37:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/05/21 12:29:35 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/05/21 12:01:57 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/21 12:01:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/21 11:47:49 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/21 11:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/21 11:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/21 10:19:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Application Data\Malwarebytes
[2010/05/21 10:18:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/21 10:18:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/21 10:18:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/21 10:18:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/21 09:58:46 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/05/21 09:58:46 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/05/21 09:58:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Local Settings\Application Data\cddbvmamc
[2010/05/21 09:57:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Local Settings\Application Data\Windows Server
[2010/05/21 09:57:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Application Data\F70CC47845092636EC1AFB8A7243B771
[2010/05/20 15:31:57 | 000,000,000 | ---D | C] -- C:\Program Files\Free RAR Extract Frog
[2010/05/19 16:08:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Application Data\EPSON
[2010/05/19 16:06:45 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2010/05/19 16:01:57 | 000,501,912 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\PICSDK2.dll
[2010/05/19 16:01:57 | 000,108,704 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\PICEntry.dll
[2010/05/19 16:01:57 | 000,080,024 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\PICSDK.dll
[2010/05/19 16:01:57 | 000,051,360 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\EpPicPrt.dll
[2010/05/19 16:01:57 | 000,051,360 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\EpPicMgr.dll
[2010/05/19 16:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Application Data\InstallShield
[2010/05/19 15:59:04 | 000,009,216 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\escdev.dll
[2010/05/19 15:59:04 | 000,000,000 | ---D | C] -- C:\Program Files\epson
[2010/05/19 15:59:03 | 000,172,032 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\esint54.dll
[2010/05/19 15:59:03 | 000,063,488 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\eswia54.dll
[2010/05/19 15:59:03 | 000,003,584 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\eswiaml.dll
[2010/05/19 15:58:36 | 000,000,000 | ---D | C] -- C:\EPSON
[2010/05/19 15:12:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\centanav\Desktop\res
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/26 11:49:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C048E09E-2311-44FC-8DC6-8974A8FA0374}.job
[2010/05/26 11:46:22 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\centanav\Desktop\OTL.exe
[2010/05/26 09:05:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/25 16:44:12 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\centanav\NTUSER.DAT
[2010/05/25 16:44:12 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\centanav\ntuser.ini
[2010/05/25 16:44:05 | 004,302,530 | -H-- | M] () -- C:\Documents and Settings\centanav\Local Settings\Application Data\IconCache.db
[2010/05/25 16:27:38 | 000,137,095 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\marriage license.pdf
[2010/05/25 13:15:35 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/25 13:14:54 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/25 13:14:54 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/25 13:14:54 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/25 13:11:16 | 000,020,008 | ---- | M] () -- C:\WINDOWS\System32\drivers\CDProbe.SYS
[2010/05/25 13:10:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/25 13:10:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/25 12:14:37 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/24 15:11:48 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\centanav\defogger_reenable
[2010/05/24 15:10:57 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\Defogger.exe
[2010/05/24 10:55:13 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\gmer.zip
[2010/05/24 10:54:49 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\dds.scr
[2010/05/24 09:10:17 | 003,696,145 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\alg.exe
[2010/05/24 09:07:06 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/21 14:57:49 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\centanav\settings.dat
[2010/05/21 12:39:21 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/21 12:39:21 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/05/21 12:39:21 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/05/21 12:07:00 | 000,002,374 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/05/21 10:18:16 | 000,003,316 | -HS- | M] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922P.manifest
[2010/05/21 10:18:16 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922C.manifest
[2010/05/21 10:18:16 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922S.manifest
[2010/05/21 10:18:16 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922O.manifest
[2010/05/19 16:08:29 | 000,000,029 | ---- | M] () -- C:\WINDOWS\DEBUGSM.INI
[2010/05/19 15:59:06 | 000,000,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
[2010/05/13 15:08:00 | 000,050,850 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\tommy.jpg
[2010/05/13 09:24:19 | 000,011,877 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\Pedometer Tracking Log.xlsx
[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:09:23 | 000,009,558 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\rehearsal.xlsx
[2010/04/26 13:19:01 | 000,050,937 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\info protection cert..pdf
[2010/04/26 12:57:31 | 000,000,545 | ---- | M] () -- C:\Documents and Settings\centanav\Desktop\Window.htm
[2010/04/26 12:04:57 | 000,230,824 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/25 16:27:38 | 000,137,095 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\marriage license.pdf
[2010/05/24 15:11:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\centanav\defogger_reenable
[2010/05/24 15:10:57 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\Defogger.exe
[2010/05/24 10:55:09 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\gmer.zip
[2010/05/24 10:54:45 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\dds.scr
[2010/05/24 09:10:17 | 003,696,145 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\alg.exe
[2010/05/21 14:54:11 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\centanav\settings.dat
[2010/05/21 14:42:35 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/21 12:29:49 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/05/21 12:07:00 | 000,002,374 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010/05/21 12:02:09 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/21 09:57:55 | 000,003,316 | -HS- | C] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922P.manifest
[2010/05/21 09:57:55 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922C.manifest
[2010/05/21 09:57:55 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922S.manifest
[2010/05/21 09:57:55 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\centanav\Application Data\02000000a312e164922O.manifest
[2010/05/19 16:08:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2010/05/19 16:01:57 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2010/05/19 16:01:57 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2010/05/19 16:01:57 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2010/05/19 16:01:57 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2010/05/19 16:01:57 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2010/05/19 16:01:57 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2010/05/19 16:01:57 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2010/05/19 16:01:57 | 000,012,669 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_EN.cfg
[2010/05/19 16:01:57 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2010/05/19 16:01:57 | 000,006,478 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_PT.cfg
[2010/05/19 16:01:57 | 000,006,478 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_BP.cfg
[2010/05/19 16:01:57 | 000,006,366 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_FR.cfg
[2010/05/19 16:01:57 | 000,006,366 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_CF.cfg
[2010/05/19 16:01:57 | 000,006,226 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_ES.cfg
[2010/05/19 16:01:57 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2010/05/19 16:01:57 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/05/19 16:01:57 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/05/19 16:01:57 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/05/19 16:01:57 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/05/19 16:01:57 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/05/19 16:01:57 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/05/19 16:01:57 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/05/19 15:59:06 | 000,000,665 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
[2010/05/19 15:59:03 | 000,065,793 | ---- | C] () -- C:\WINDOWS\System32\esfw54.bin
[2010/05/13 15:10:36 | 000,050,850 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\tommy.jpg
[2010/04/26 15:09:23 | 000,009,558 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\rehearsal.xlsx
[2010/04/26 13:19:01 | 000,050,937 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\info protection cert..pdf
[2010/04/26 12:57:31 | 000,000,545 | ---- | C] () -- C:\Documents and Settings\centanav\Desktop\Window.htm
[2009/10/16 09:40:38 | 000,020,008 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDProbe.SYS
[2009/09/30 10:09:01 | 000,483,328 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll
[2009/09/30 10:09:01 | 000,348,160 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll
[2009/08/14 10:55:00 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2009/08/14 10:37:36 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/14 09:52:19 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/04/26 23:13:36 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2009/04/10 12:01:12 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/05/29 18:57:22 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\aicext.dll
[2008/02/19 01:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2006/11/09 16:07:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/06/30 12:58:44 | 000,176,128 | R--- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/06/30 12:58:44 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\bioapi100.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2008/12/11 19:41:38 | 000,407,064 | ---- | M] (Intel Corporation) MD5=046293B0696967A28644ACF01D3D086F -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2008/12/11 19:27:54 | 000,328,728 | ---- | M] (Intel Corporation) MD5=6C44FA574A17B31E12DDBBE973171728 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2008/12/11 19:27:54 | 000,328,728 | ---- | M] (Intel Corporation) MD5=6C44FA574A17B31E12DDBBE973171728 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2008/12/11 19:27:54 | 000,328,728 | ---- | M] (Intel Corporation) MD5=6C44FA574A17B31E12DDBBE973171728 -- C:\WINDOWS\system32\DRVSTORE\iaAHCI_D79DD148570FA99CFBDE048385C18BABF7B54A7F\iaStor.sys
[2009/02/11 12:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\OemDir\iaStor.sys
[2009/02/11 12:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/12/01 15:52:52 | 000,425,984 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/08/14 02:33:09 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/14 02:33:09 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/14 02:33:09 | 000,921,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/25 13:11:16 | 000,020,008 | ---- | M] () -- C:\WINDOWS\system32\drivers\CDProbe.SYS
[2010/05/24 09:07:06 | 000,015,944 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
< End of report >



Here is the Extras file:

OTL Extras logfile created on: 5/26/2010 11:48:12 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\centanav\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.97 Gb Total Space | 128.43 Gb Free Space | 86.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 4830.75 Gb Total Space | 924.81 Gb Free Space | 19.14% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive O: | 4830.75 Gb Total Space | 924.81 Gb Free Space | 19.14% Space Free | Partition Type: NTFS
Drive S: | 4830.75 Gb Total Space | 474.54 Gb Free Space | 9.82% Space Free | Partition Type: NTFS
Drive T: | 4830.75 Gb Total Space | 474.54 Gb Free Space | 9.82% Space Free | Partition Type: NTFS
Drive X: | 4830.75 Gb Total Space | 924.81 Gb Free Space | 19.14% Space Free | Partition Type: NTFS
Drive Z: | 8254.01 Gb Total Space | 2555.41 Gb Free Space | 30.96% Space Free | Partition Type: NTFS

Computer Name: P002695-DT
Current User Name: CentanAV
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"4961:UDP" = 4961:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4960:UDP" = 4960:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\AppliedBiosystems\SDS2.3\RQMgr.exe" = C:\AppliedBiosystems\SDS2.3\RQMgr.exe:*:Enabled:SDS2 -- (Applied Biosystems)
"C:\AppliedBiosystems\SDS2.3\SDS2.3.exe" = C:\AppliedBiosystems\SDS2.3\SDS2.3.exe:*:Enabled:SDS2 -- (Applied Biosystems)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02096E39-B6E4-A370-7F9E-E37F7EDB161F}" = Catalyst Control Center Localization Korean
"{037F48E3-13FF-1809-66EB-0CE972EA1F13}" = CCC Help German
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{05A84D76-4195-4F01-8930-A040229EC9BE}" = SDS v2.3 Rev A
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{13E80FCE-B691-B5D6-B061-0CD52BE68CCF}" = Catalyst Control Center Localization Italian
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{159F5927-9E49-43A2-4471-5AEA9A32A7AF}" = Catalyst Control Center Localization Turkish
"{15F4085A-BC98-4590-AFFD-03BBBE49524E}" = Garmin Communicator Plugin
"{1FEE7522-C65F-43A8-64A4-292934E93AFF}" = ccc-core-static
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}" = Intel® Network Connections 13.0.42.0
"{2484631E-A7B3-4847-ACBB-4D881E6E9D5A}" = Dell ControlPoint Connection Manager
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{279D22E7-F4FF-344A-7E9C-27E7BAEB5C23}" = CCC Help Chinese Standard
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{39ADDC4A-3167-4043-17A4-00F39365E47D}" = Catalyst Control Center Localization Hungarian
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{46CBBDF8-55B5-40DB-B459-7B848394309C}" = EPSON File Manager
"{47BE58EA-9792-9706-4150-7A1BAF76052E}" = Catalyst Control Center Localization Portuguese
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = EPSON Event Manager
"{4C70B129-BDA1-8684-013D-1C06ABC308FD}" = Catalyst Control Center Graphics Full New
"{4C956AB5-2850-4EA6-DAAA-F8B9BF793CB7}" = ccc-utility
"{52A0629C-FBD8-4829-B804-234017871109}" = NI LabVIEW Run-Time Engine 7.1.1
"{59F537B8-67CA-4DC3-BC5D-03353EAD0007}" = Garmin ANT Agent
"{5A4DAE31-2CCE-E8DB-D51A-472A71F33E71}" = CCC Help Italian
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6688119C-6931-505B-F848-0D81645F1066}" = Catalyst Control Center Graphics Previews Common
"{67EDD823-135A-4D59-87BD-950616D6E857}" = EPSON Copy Utility 3
"{68111D00-6372-4531-4A63-FC3C00CAC16C}" = CCC Help Japanese
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{71F00DA5-D21D-4245-8FC1-85849BBAD00D}" = Dell ControlPoint System Manager
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74BC5C3F-FB90-2E6F-950E-EAE8B2CBA5E9}" = Catalyst Control Center Graphics Full Existing
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7D4018F6-9D7F-CAD3-64D6-F8C2EC69D484}" = Catalyst Control Center Core Implementation
"{81773B4D-6662-1B1C-DC24-003C99E59C6F}" = Catalyst Control Center Localization French
"{819D728C-71AF-EF69-222A-DF06525851D2}" = Catalyst Control Center Localization Chinese Standard
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{9265F28B-6782-A8E5-BBC2-902984740C0F}" = CCC Help Portuguese
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D4A51AB-287D-653E-3DDF-4151448637C6}" = CCC Help Spanish
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A7E900FD-A496-8286-A469-C7A5A3405B8E}" = ccc-core-preinstall
"{A8DD74DC-14C4-4BA0-8DF7-D84524D0B0D2}" = ST Microelectronics TPM Driver Installer
"{ABD96CD8-7D48-DC4F-DE59-C33883D4D663}" = Catalyst Control Center Localization Chinese Traditional
"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient CAC 6.1 AFR
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF36CE1D-FD2C-4BA0-93FA-1196785DD610}" = Adobe Flash Player 10 Plugin
"{AF7E4468-E364-4991-BC2A-6E8293E1055B}" = BioAPI Framework
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5DB0394-5D1D-255B-E1AF-0AE871538CA9}" = Skins
"{B82AB6E8-1A67-9C66-F369-1715D7756BF7}" = CCC Help Chinese Traditional
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2B38EE0-1DBA-11A7-1CA5-A911FAF521AD}" = Catalyst Control Center Graphics Light
"{C3FA63E2-AFD3-41FD-B48F-1D942CC71943}" = UPEK TouchChip Fingerprint Reader
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2F619FA-9904-11C3-1BC9-36DFEBECD80B}" = CCC Help French
"{D51FED8C-2A72-4D72-8CE3-7EB7D7673363}" = uMusic
"{DA2DF231-D6AB-8712-09F9-1C4CC9C39123}" = CCC Help Hungarian
"{DB2BF6CE-6584-5293-D7A5-DE40C237F714}" = CCC Help Korean
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E481DB0E-52F2-4EE0-9BDA-9EE173FA6EA2}" = Catalyst Control Center - Branding
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{EC67F478-4621-984C-D103-74C55854D18F}" = Catalyst Control Center Localization Japanese
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F7F23DFB-31E1-B7EC-7A6D-7668B595ADAE}" = FlipShare
"{F8102E51-AE00-2EA9-ED0C-09647D9D2BCD}" = CCC Help Turkish
"{F826ACD8-B6BD-F292-F4C1-483EF8E47D66}" = Catalyst Control Center Localization Spanish
"{F8B820F2-39D0-C7A6-0673-A033160279CB}" = Catalyst Control Center Localization German
"{FC788B78-9A40-8949-6558-9635477468C0}" = CCC Help English
"{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}" = Dell Security Device Driver Pack
"24DA573F901348FFDFF7717497830D45BE0C362E" = Windows Driver Package - Dynastream Innovations (libusb0) LibUsbDevices (07/07/2009 1.12.2)
"35858E766EFC35B58A45C301DD358D503119A8FA" = Windows Driver Package - STMicroelectronics (stmtpm) System (05/24/2007 1.00.04.15)
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"9D57DE505B6D8C710EF3B74BE638DBB936EED8A3" = Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Akamai" = Akamai NetSession Interface
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BioDAQ Monitor_is1" = BioDAQ Monitor 2.2.01
"CCleaner" = CCleaner
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"Free RAR Extract Frog" = Free RAR Extract Frog
"HECI" = Intel® Management Engine Interface
"ie8" = Windows Internet Explorer 8
"InstallShield_{05A84D76-4195-4F01-8930-A040229EC9BE}" = SDS v2.3 Rev A
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NI Uninstaller" = National Instruments Software
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"vixy converter BETA_is1" = vixy converter uninstall
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1260519909-2147242331-367356602-5511\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/24/2010 4:18:44 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b0f2f
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b0f2f Thread = UpdateStats


Error - 5/24/2010 4:18:46 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b0f2f
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b0f2f Thread = UpdateStats


Error - 5/24/2010 4:18:48 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b0f2f
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b0f2f Thread = UpdateStats


Error - 5/24/2010 4:18:50 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b0f2f
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b0f2f Thread = UpdateStats


Error - 5/24/2010 4:18:52 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b0f2f
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b0f2f Thread = UpdateStats


Error - 5/25/2010 1:11:56 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b00fa
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b00fa Thread = UpdateStats


Error - 5/25/2010 1:11:58 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b00fa
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b00fa Thread = UpdateStats


Error - 5/25/2010 1:12:00 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b00fa
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b00fa Thread = UpdateStats


Error - 5/25/2010 1:12:02 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b00fa
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b00fa Thread = UpdateStats


Error - 5/25/2010 1:12:04 PM | Computer Name = P002695-DT | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x001b00fa
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000000 0x001b00fa Thread = UpdateStats


[ OSession Events ]
Error - 10/12/2009 3:09:45 PM | Computer Name = P002695-DT | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6504.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 7957
seconds with 4920 seconds of active time. This session ended with a crash.

Error - 1/14/2010 12:11:55 PM | Computer Name = P002695-DT | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3805
seconds with 780 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/26/2010 2:43:46 PM | Computer Name = P002695-DT | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 2/1/2010 11:29:18 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:29:48 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:30:18 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:30:48 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:31:19 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:31:49 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:32:19 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:32:49 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.

Error - 2/1/2010 11:33:19 AM | Computer Name = P002695-DT | Source = DCOM | ID = 10010
Description = The server {ED081F25-6A77-4C89-B689-C6E15C582EC1} did not register
with DCOM within the required timeout.


< End of report >
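The "MD5 for:" blocks in the OTL custom scan above are an integrity check: OTL hashes every copy of a named driver or DLL it can find (system32, dllcache, driver store, OEM backups) and lists them side by side so a reviewer can see whether the copies agree, and it marks copies it could not hash ("Unable to obtain MD5" for locked files, or archive members inside sp3.cab). The script below is an added example, not part of the original thread and not OTL's own code; it parses lines in that log format and flags the three things a reviewer checks first: names whose hashed copies do not share one MD5, files that could not be hashed, and "MD5 for:" sections with no hashed copy at all. The sample input is constructed from lines of the posted log, trimmed to a few representative entries; the regular expressions are my own reading of the line layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: entries copied from the OTL "Custom Scans" output
# posted above, trimmed to a few representative lines.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: IASTOR.SYS >
[2008/12/11 19:27:54 | 000,328,728 | ---- | M] (Intel Corporation) MD5=6C44FA574A17B31E12DDBBE973171728 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2009/02/11 12:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\OemDir\iaStor.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
"""

# Assumed line layout, derived from the log shown on this page:
#   < section title >
#   [stamp | size | attrs | M] (company) detail -- path
SECTION_RE = re.compile(r"^<\s*(?P<title>.+?)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*(?P<detail>.*?)\s*--\s*(?P<path>.+?)\s*$"
)
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32})")


def parse_otl(text):
    """Return {section_title: [entry, ...]} for an OTL custom-scan block.

    Each entry has keys stamp, size (bytes), company, path, md5 (32 hex
    chars or None) and reason (why md5 is None, when it is)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("title")
            continue
        ent = ENTRY_RE.match(line)
        if not ent or current is None:
            continue  # free text or lines outside any section
        detail = ent.group("detail")
        md5 = MD5_RE.search(detail)
        if md5:
            digest, reason = md5.group(1).upper(), None
        elif ".cab file" in detail:
            digest, reason = None, "archive member, not hashed by OTL"
        elif "Unable to obtain MD5" in detail:
            digest, reason = None, "locked or unreadable at scan time"
        else:
            digest, reason = None, "no hash in log line"
        sections[current].append({
            "stamp": ent.group("stamp").strip(),
            "size": int(ent.group("size").replace(",", "")),
            "company": ent.group("company"),
            "path": ent.group("path"),
            "md5": digest,
            "reason": reason,
        })
    return dict(sections)


def find_anomalies(sections):
    """Flag what a reviewer of this log looks at first.

    divergent: names whose hashed copies do not all share one MD5. Different
               driver versions legitimately differ in size and date; a copy
               with the same size and timestamp but a different hash is the
               pattern worth escalating.
    unhashed : copies OTL could not hash because the file was locked.
    missing  : "MD5 for:" sections that list no hashed copy at all."""
    divergent, unhashed, missing = {}, [], []
    for title, entries in sections.items():
        unhashed.extend(e["path"] for e in entries
                        if e["md5"] is None and e["reason"].startswith("locked"))
        if not title.startswith("MD5 for:"):
            continue
        name = title[len("MD5 for:"):].strip()
        hashed = [e for e in entries if e["md5"]]
        if not hashed:
            missing.append(name)
            continue
        if len({e["md5"] for e in hashed}) > 1:
            divergent[name] = [(e["path"], e["md5"], e["size"], e["stamp"]) for e in hashed]
    return {"divergent": divergent, "unhashed": unhashed, "missing": missing}


if __name__ == "__main__":
    report = find_anomalies(parse_otl(SAMPLE_LOG))
    for name, copies in report["divergent"].items():
        print(f"{name}: {len(copies)} hashed copies with differing MD5s")
        for path, md5, size, stamp in copies:
            print(f"   {md5}  {size:>9}  {stamp}  {path}")
    for path in report["unhashed"]:
        print(f"could not hash (locked): {path}")
    for name in report["missing"]:
        print(f"no hashed copy found: {name}")
```

On the sample, only IASTOR.SYS is reported as divergent, and its two copies also differ in size and timestamp, which is what two driver releases look like rather than a patched file; dxtmsft.dll is reported as unhashed, which is the case the script cannot resolve from the log alone and which is why a separate rootkit scanner such as GMER is asked for next in this thread. A divergence is a lead to verify against a known-good copy, not a verdict on its own.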




#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home
  • Local time:07:43 PM

Posted 26 May 2010 - 02:11 PM

Hi,

Please try running gmer next:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


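The steps above produce a gmer.log made of "Kernel code sections" and "User code sections" hook lines. As an added example (not part of either post, and not GMER's own code), here is a small Python parser for those lines that groups kernel hooks by the module GMER attributes them to and user-mode hooks by process and patched DLL, then clusters the user-mode JMP targets into 64 KiB regions, so an analyst can see which patches are already attributed (here, to an AV driver) and how many unattributed code regions still need matching against each process's loaded-module list before any conclusion is drawn. The sample input is constructed in the line format GMER 1.0.15 writes; the region granularity is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the line format GMER 1.0.15 writes to gmer.log.
SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP B9CE31F6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B9CE31CC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9CE3076 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8D84000, 0x1B601E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01440FE5
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01440F09
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01430FAF
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 89]
.text C:\WINDOWS\System32\svchost.exe[552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01410FEF
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01360FE5
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01340FEF
"""

HEX = r"[0-9A-F]{8}"
# Kernel hook: <section> <image>!<func> <addr> <n> Bytes JMP <target> [<module> (<description>)]
# GMER names the module that owns the JMP target when it can resolve it.
KERNEL_RE = re.compile(
    rf"^(?P<section>\S+)\s+(?P<image>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>{HEX})\s+"
    rf"(?P<n>\d+) Bytes\s+JMP\s+(?P<target>{HEX})"
    r"(?:\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\))?$"
)
# User hook: <section> <process>[<pid>] <dll>!<func>[ + <off>] <addr> <n> Bytes (JMP <target> | [<bytes>])
# A patch that is not a single JMP is reported on two lines; the second one
# ("<func> + 3 ... [63, 89]") carries the raw overwritten bytes instead of a target.
USER_RE = re.compile(
    rf"^(?P<section>\S+)\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>.+?)\s+"
    rf"(?P<addr>{HEX})\s+(?P<n>\d+) Bytes\s+(?:JMP\s+(?P<target>{HEX})|\[(?P<bytes>[^\]]*)\])$"
)


def parse_gmer(text):
    """Return (hooks, skipped). Each hook is a dict with 'kind' of 'kernel' or 'user';
    skipped holds non-empty lines that are neither (e.g. 'section is writeable')."""
    hooks, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        for kind, rx in (("user", USER_RE), ("kernel", KERNEL_RE)):
            m = rx.match(line)
            if m:
                hooks.append({"kind": kind, **m.groupdict()})
                break
        else:
            skipped.append(line)
    return hooks, skipped


def summarize(hooks):
    """Group kernel hooks by the module GMER attributes the JMP target to, and
    user-mode hooks by (process, pid) and the DLL whose export was patched."""
    kernel = defaultdict(set)
    user = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        if h["kind"] == "kernel":
            kernel[h["module"] or "<unattributed>"].add(h["func"])
        else:
            user[(h["proc"], int(h["pid"]))][h["dll"]].append(h["func"])
    return {"kernel": dict(kernel), "user": {k: dict(v) for k, v in user.items()}}


def target_regions(hooks, granularity=0x10000):
    """Per process, the distinct regions (64 KiB by default, an assumed granularity)
    that user-mode JMP targets fall into. GMER does not name the owner of these
    targets, so each region is one thing to resolve against the process's loaded
    modules before deciding whether the hooks are expected (e.g. AV) or not."""
    regions = defaultdict(set)
    for h in hooks:
        if h["kind"] == "user" and h["target"]:
            base = int(h["target"], 16) // granularity * granularity
            regions[(h["proc"], int(h["pid"]))].add(base)
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    hooks, skipped = parse_gmer(SAMPLE)
    report = summarize(hooks)
    for module, funcs in report["kernel"].items():
        print(f"kernel hooks -> {module}: {len(funcs)} functions")
    for (proc, pid), dlls in report["user"].items():
        print(f"{proc}[{pid}]: {sum(map(len, dlls.values()))} hooks in {', '.join(dlls)}")
    for (proc, pid), regions in target_regions(hooks).items():
        print(f"{proc}[{pid}] jumps into: {', '.join(f'{r:08X}' for r in regions)}")
    print(f"{len(skipped)} line(s) not parsed as hooks")
```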

#5 arnoo81

arnoo81
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:43 PM

Posted 26 May 2010 - 02:56 PM

Myrti,

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-26 14:50:02
Windows 5.1.2600 Service Pack 3
Running: l580dyg9.exe; Driver: C:\DOCUME~1\centanav\LOCALS~1\Temp\pxdiapob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB9CE31C8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9CE3086]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9CE3020]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9CE3034]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9CE309A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9CE30C6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9CE3134]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9CE311E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9CE314A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9CE3208]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9CE3176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9CE3072]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9CE2FE4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9CE2FF8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9CE31DC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9CE31B2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9CE3108]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9CE30F2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9CE30B0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9CE319E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9CE318A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9CE305E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9CE304A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9CE30DC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9CE3237]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9CE3160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9CE321E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9CE31F2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP B9CE31F6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B9CE31CC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9CE320C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9CE3222 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP B9CE31E0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9CE2FE8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9CE2FFC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP B9CE304E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP B9CE3038 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP B9CE3024 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP B9CE3062 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9CE323B mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EC 7 Bytes JMP B9CE30F6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9CE30E0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622064 7 Bytes JMP B9CE3164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622916 7 Bytes JMP B9CE310C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9CE30B4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9CE308A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9CE309E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9CE30CA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 7 Bytes JMP B9CE3138 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062427E 7 Bytes JMP B9CE3122 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9CE3076 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EE8 7 Bytes JMP B9CE31B6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806251A8 5 Bytes JMP B9CE318E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 806255F8 7 Bytes JMP B9CE314E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062589C 5 Bytes JMP B9CE31A2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806259B6 5 Bytes JMP B9CE317A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8D84000, 0x1B601E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01440FE5
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0144005B
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01440F66
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01440F77
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01440F9E
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01440040
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0144007D
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01440F41
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01440F09
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014400A2
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014400BD
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01440FAF
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01440000
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0144006C
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01440025
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01440FD4
.text C:\WINDOWS\System32\svchost.exe[552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01440F24
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01430FCA
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0143006C
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0143001B
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0143000A
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01430051
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01430FE5
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01430FAF
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 89]
.text C:\WINDOWS\System32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01430040
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01420042
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 01420031
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01420016
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01420FE3
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01420FC1
.text C:\WINDOWS\System32\svchost.exe[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01420FD2
.text C:\WINDOWS\System32\svchost.exe[552] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01400FEF
.text C:\WINDOWS\System32\svchost.exe[552] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0140000A
.text C:\WINDOWS\System32\svchost.exe[552] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0140001B
.text C:\WINDOWS\System32\svchost.exe[552] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01400040
.text C:\WINDOWS\System32\svchost.exe[552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01410FEF
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01400000
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01400091
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01400F9C
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01400076
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01400FB9
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01400051
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01400F64
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014000AC
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01400F27
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01400F38
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01400F0C
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01400FCA
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01400FEF
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01400F81
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01400036
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01400025
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01400F53
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013F0FD4
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013F0076
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013F001B
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013F000A
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013F005B
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013F0FEF
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 013F0040
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013F0FB9
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013E0038
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 013E0FAD
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013E001D
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013E0000
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013E0FC8
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013E0FEF
.text C:\WINDOWS\system32\services.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013D0FEF
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01360FE5
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01360051
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01360F5C
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01360036
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01360025
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01360F9E
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01360073
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01360062
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01360EDA
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01360EF5
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01360098
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01360F83
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01360FCA
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01360F37
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0136000A
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01360FB9
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01360F10
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0135002C
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01350F8D
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0135001B
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0135000A
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01350F9E
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01350FEF
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01350FAF
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 89]
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01350FC0
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01340053
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!system 77C293C7 5 Bytes JMP 01340038
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01340016
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01340FEF
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01340027
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01340FD2
.text C:\WINDOWS\system32\lsass.exe[800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01330FEF
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C30087
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30F92
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30FAD
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30076
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C3005B
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F6B
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C300B3
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30F35
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C30F46
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300E9
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C300A2
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C300C4
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20051
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20F94
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C20040
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10058
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10011
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FE3
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C1002C
.text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0091
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0076
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0065
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0FA8
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA004A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA00C4
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA00B3
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA0F3C
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA00DF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA0F2B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0FC3
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0014
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA00A2
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA002F
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F61
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90FC3
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D9005E
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90014
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90F97
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D90FA8
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F9, 88]
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D9002F
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80058
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D8003D
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80FC3
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80022
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D10000
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D10F5F
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D10054
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D10F7C
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D10039
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D10FA8
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D10F44
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D10080
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D10F29
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D100B8
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D10F0E
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D10F97
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D10FE5
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D1006F
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D10FC3
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D10FD4
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D100A7
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D00033
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D00F94
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D00022
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D00011
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D00FA5
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D00000
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02D00FC0
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F0, 8A]
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D00FD1
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02CF0FA1
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 02CF0FB2
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02CF0FDE
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02CF0FEF
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02CF0FCD
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02CF0018
.text C:\WINDOWS\System32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02CE0FE5
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02CD000A
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02CD001B
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02CD0FD4
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008E005A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008E0F6F
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008E0F80
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008E003D
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008E0FB6
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008E0F2D
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008E0075
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E00AB
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008E009A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008E00BC
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008E0FA5
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008E0F4A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008E002C
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008E001B
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008E0F1C
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008D0FDB
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008D0F8A
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008D002C
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008D0011
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008D0051
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008D0FAF
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AD, 88]
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008D0FC0
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0FAB
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0036
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C0011
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0FC6
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90073
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90058
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90047
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90F8A
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A9002C
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A90F3E
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A90F59
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A900D0
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A900AB
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A900E1
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A90F9B
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A90084
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A9001B
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A90FCA
.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A90F2D
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A80F5E
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A80F79
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 88]
.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A80F8A
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70033
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70FA8
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FDE
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FC3
.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A7000C
.text C:\WINDOWS\system32\svchost.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01B7000A
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01B70025
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01B70040
.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01B70051
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC005B
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F66
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0F8D
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC004A
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC002F
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC0080
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F44
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC0F0C
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0F1D
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC00B6
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0FA8
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC0F55
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0FC3
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC009B
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FDB
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB007D
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0062
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CB0047
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0FCA
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0025
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0F9A
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FB5
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0014
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0FD2
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C80FDB
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[1716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015E0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015E0F52
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015E0047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015E0F79
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015E0F8A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015E002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015E007D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015E0F35
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015E00A2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015E0F13
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015E0EE4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015E0F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015E0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015E006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015E0FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015E0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015E0F24
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015D0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 015D0F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 015D0025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 015D0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 015D004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 015D0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 015D0FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7D, 89] {JGE 0xffffffffffffff8b}
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 015D0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015C0031
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] msvcrt.dll!system 77C293C7 5 Bytes JMP 015C0F9C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015C0FC8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015C000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015C0FAD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015C0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 015B0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F2000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20F3A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F2002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20F55
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F2004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F02
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F20065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F20ECC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F20076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F20F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F20F1F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F20FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F20FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F20EDD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F1001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10091
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F1006C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F1000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F1005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00F92
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00FAD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F0001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F00FD2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0073
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F7E
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F9B
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FAC
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00BC
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00AB
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F45
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00DE
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00EF
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0058
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0084
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[2428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00CD
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B9003D
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90FBD
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B9007A
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B9005F
.text C:\WINDOWS\system32\svchost.exe[2428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B9004E
.text C:\WINDOWS\system32\svchost.exe[2428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80056
.text C:\WINDOWS\system32\svchost.exe[2428] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FC1
.text C:\WINDOWS\system32\svchost.exe[2428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B8001D
.text C:\WINDOWS\system32\svchost.exe[2428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[2428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FD2
.text C:\WINDOWS\system32\svchost.exe[2428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8000C
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006F
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A004A
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F70
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009B
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A008A
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F0C
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F1D
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00C0
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F5F
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0014
.text C:\WINDOWS\Explorer.EXE[3500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F38
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029002C
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029007D
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FDB
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290062
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FC0
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[3500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290047
.text C:\WINDOWS\Explorer.EXE[3500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\Explorer.EXE[3500] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\Explorer.EXE[3500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\Explorer.EXE[3500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0033
.text C:\WINDOWS\Explorer.EXE[3500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0018
.text C:\WINDOWS\Explorer.EXE[3500] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[3500] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C001B
.text C:\WINDOWS\Explorer.EXE[3500] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0036
.text C:\WINDOWS\Explorer.EXE[3500] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\Explorer.EXE[3500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 019E0FE5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 9D142D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home
  • Local time:07:43 PM

Posted 26 May 2010 - 03:07 PM

Hi,

please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 arnoo81

arnoo81
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:43 PM

Posted 26 May 2010 - 03:35 PM

Myrti,

here is the combofix log:

ComboFix 10-05-26.01 - CentanAV 05/26/2010 15:24:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2506 [GMT -5:00]
Running from: c:\documents and settings\centanav\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\centanav\Application Data\02000000a312e164922C.manifest
c:\documents and settings\centanav\Application Data\02000000a312e164922O.manifest
c:\documents and settings\centanav\Application Data\02000000a312e164922P.manifest
c:\documents and settings\centanav\Application Data\02000000a312e164922S.manifest
c:\documents and settings\centanav\Application Data\F70CC47845092636EC1AFB8A7243B771
c:\documents and settings\centanav\Application Data\F70CC47845092636EC1AFB8A7243B771\enemies-names.txt
c:\documents and settings\centanav\Local Settings\Application Data\Windows Server
c:\documents and settings\centanav\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\centanav\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\system32\hlp.dat

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-21 19:54 . 2010-05-21 19:57 15 ----a-w- c:\documents and settings\centanav\settings.dat
2010-05-21 19:39 . 2010-05-12 16:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 19:37 . 2010-05-21 19:37 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-21 17:29 . 2010-05-21 17:39 2 --shatr- c:\windows\winstart.bat
2010-05-21 17:29 . 2010-05-24 15:02 -------- d-----w- c:\program files\UnHackMe
2010-05-21 17:02 . 2010-05-24 14:07 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-21 17:01 . 2010-05-21 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-21 17:01 . 2010-05-21 17:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-21 16:47 . 2010-05-21 16:47 -------- d-----w- c:\program files\CCleaner
2010-05-21 16:37 . 2010-05-21 16:37 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-21 15:19 . 2010-05-21 15:19 -------- d-----w- c:\documents and settings\centanav\Application Data\Malwarebytes
2010-05-21 15:18 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 15:18 . 2010-05-21 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 15:18 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 15:18 . 2010-05-21 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 14:58 . 2008-04-14 05:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 14:58 . 2008-04-14 05:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-21 14:58 . 2010-05-21 14:58 -------- d-----w- c:\documents and settings\centanav\Local Settings\Application Data\cddbvmamc
2010-05-20 20:31 . 2010-05-20 20:31 -------- d-----w- c:\program files\Free RAR Extract Frog
2010-05-19 21:08 . 2010-05-19 21:08 -------- d-----w- c:\documents and settings\centanav\Application Data\EPSON
2010-05-19 21:06 . 2008-04-14 05:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-05-19 21:06 . 2008-04-14 05:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-05-19 20:59 . 2010-05-19 21:00 -------- d-----w- c:\program files\epson
2010-05-19 20:59 . 2006-08-24 22:00 9216 ----a-w- c:\windows\system32\escdev.dll
2010-05-19 20:59 . 2006-10-13 05:00 65793 ----a-w- c:\windows\system32\esfw54.bin
2010-05-19 20:59 . 2006-10-13 05:00 63488 ----a-w- c:\windows\system32\eswia54.dll
2010-05-19 20:59 . 2006-05-23 05:00 172032 ----a-w- c:\windows\system32\esint54.dll
2010-05-19 20:59 . 2006-03-10 05:00 3584 ----a-w- c:\windows\system32\eswiaml.dll
2010-05-19 20:58 . 2010-05-19 21:05 -------- d-----w- C:\EPSON

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 20:29 . 2009-10-16 14:40 20008 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2010-05-26 20:29 . 2010-01-25 17:50 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-25 17:14 . 2009-11-05 09:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-19 21:06 . 2009-08-14 13:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-19 21:05 . 2009-08-14 13:06 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-19 21:01 . 2010-05-19 21:01 -------- d-----w- c:\documents and settings\centanav\Application Data\InstallShield
2010-05-12 08:00 . 2009-08-14 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2004-03-15 23:51 . 2004-03-15 23:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-12 186904]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-27 796184]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-04-10 1810432]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2009-06-17 233472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-29 298024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-29 128552]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2008-05-29 23:57 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2008-05-29 23:57 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [8/14/2009 8:06 AM 24064]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/29/2008 6:57 PM 198184]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 7:00 AM 14336]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [7/16/2009 12:04 PM 376096]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/14/2009 10:12 AM 67904]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [4/10/2009 12:08 PM 77824]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/14/2009 9:48 AM 2066968]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [10/16/2009 9:40 AM 20008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/14/2009 8:08 AM 144480]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [10/25/2009 5:44 AM 57600]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/14/2009 10:12 AM 64432]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

2010-05-26 c:\windows\Tasks\User_Feed_Synchronization-{C048E09E-2311-44FC-8DC6-8974A8FA0374}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: pbrc.edu\pinetest
Trusted Zone: pbrc.edu\pinetest
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {0B374B66-2ABD-11D5-9DE6-00B0D0236D7B} - hxxp://pine.pbrc.edu/cln/bin/PBRCCalendar.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\SCardSvr.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\Ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-05-26 15:32:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 20:32

Pre-Run: 137,887,850,496 bytes free
Post-Run: 139,165,319,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3531CAC7C963BF017622D3289E08978A


#8 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 26 May 2010 - 03:39 PM

Hi,

please run the following script:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
SRPeek:
C:\windows\system32\ws2_32.dll
c:\windows\system32\user32.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.


C:\windows\system32\ws2_32.dll
c:\windows\system32\user32.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+
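The two files myrti asks to have peeked at and submitted to Jotti are exactly the ones the ComboFix log marks `[-]` in its Sigcheck section, so the triage step is mechanical: pull the `[-]` rows out of the log, collapse duplicates (the dllcache copy of user32.dll carries the same hash as the live copy), and turn them into a hash lookup list and an SRPeek stanza. The Python below is an added example written for this page, not code from the thread, from ComboFix or from BleepingComputer; the Sigcheck rows in its sample log are copied from the log posted above, the surrounding lines are constructed, and all function and field names are my own. It assumes that `[-]` marks a file that failed ComboFix's signature check, which matches how the thread treats these entries.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: the three Sigcheck rows are the ones ComboFix printed
# in this thread; the header and the '((((' banner mimic the log layout.
SAMPLE_LOG = r"""------- Sigcheck -------

[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-26_20.30.01 )))))))))))))))))))))))))))))))))))))))))
"""

SIGCHECK_HEADER = "------- Sigcheck -------"

# One Sigcheck row: [status] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)


@dataclass(frozen=True)
class SigcheckEntry:
    status: str   # the bracketed marker; "-" is the one the thread acts on
    date: str
    md5: str
    size: int
    version: str
    path: str


def sigcheck_section(log: str) -> List[str]:
    """Return the lines between the Sigcheck header and the next '((((' banner."""
    lines: List[str] = []
    inside = False
    for line in log.splitlines():
        if line.strip() == SIGCHECK_HEADER:
            inside = True
            continue
        if inside:
            if line.startswith("(((("):
                break
            lines.append(line)
    return lines


def parse_sigcheck(log: str) -> List[SigcheckEntry]:
    """Parse every well-formed row of the Sigcheck section; blanks and '.' are skipped."""
    entries: List[SigcheckEntry] = []
    for line in sigcheck_section(log):
        m = SIGCHECK_RE.match(line.strip())
        if m is None:
            continue
        entries.append(SigcheckEntry(
            status=m["status"], date=m["date"], md5=m["md5"].upper(),
            size=int(m["size"]), version=m["version"], path=m["path"].strip(),
        ))
    return entries


def flagged_entries(log: str) -> List[SigcheckEntry]:
    """Rows marked '[-]'. Assumption: that marker means the signature check
    did not pass, which is how the thread treats these files (modified system DLLs)."""
    return [e for e in parse_sigcheck(log) if e.status == "-"]


def unique_hashes(entries: List[SigcheckEntry]) -> List[str]:
    """Distinct MD5s to look up on a multi-engine scanner; the dllcache copy
    of user32.dll shares its hash with the live copy and collapses into it."""
    return sorted({e.md5 for e in entries})


def cfscript_srpeek(entries: List[SigcheckEntry]) -> str:
    """Build the SRPeek stanza for CFScript.txt: one path per distinct hash,
    first occurrence wins, so the dllcache duplicate is dropped."""
    seen = set()
    paths = []
    for e in entries:
        if e.md5 in seen:
            continue
        seen.add(e.md5)
        paths.append(e.path)
    return "SRPeek:\n" + "".join(p + "\n" for p in paths)


def versions_all_stock(entries: List[SigcheckEntry], stock_version: str) -> bool:
    """True when every flagged file still reports the stock version string."""
    return all(e.version == stock_version for e in entries)


if __name__ == "__main__":
    flagged = flagged_entries(SAMPLE_LOG)
    print(cfscript_srpeek(flagged))
    print("hashes to look up:", *unique_hashes(flagged))
    print("all report stock version:", versions_all_stock(flagged, "5.1.2600.5512"))
```

Run it against a saved ComboFix.txt by reading the file into `flagged_entries` instead of `SAMPLE_LOG`. The `versions_all_stock` check is there to make a point the log itself illustrates: every flagged row still reports 5.1.2600.5512, the stock SP3 version string, even though the follow-up log later declares ws2_32.dll infected. A version resource survives a patch to the file untouched, so only the hash (or the Authenticode signature) is a usable integrity signal, which is why the next step in the thread is a hash lookup rather than a version comparison.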


#9 arnoo81 (Topic Starter)

  • Members
  • 8 posts

Posted 26 May 2010 - 04:36 PM

Myrti,

combofix log:

ComboFix 10-05-26.01 - CentanAV 05/26/2010 16:19:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2609 [GMT -5:00]
Running from: c:\documents and settings\centanav\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\centanav\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-21 19:54 . 2010-05-21 19:57 15 ----a-w- c:\documents and settings\centanav\settings.dat
2010-05-21 19:39 . 2010-05-12 16:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 19:37 . 2010-05-21 19:37 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-21 17:29 . 2010-05-21 17:39 2 --shatr- c:\windows\winstart.bat
2010-05-21 17:29 . 2010-05-24 15:02 -------- d-----w- c:\program files\UnHackMe
2010-05-21 17:02 . 2010-05-24 14:07 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-21 17:01 . 2010-05-21 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-21 17:01 . 2010-05-21 17:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-21 16:47 . 2010-05-21 16:47 -------- d-----w- c:\program files\CCleaner
2010-05-21 16:37 . 2010-05-21 16:37 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-21 15:19 . 2010-05-21 15:19 -------- d-----w- c:\documents and settings\centanav\Application Data\Malwarebytes
2010-05-21 15:18 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 15:18 . 2010-05-21 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 15:18 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 15:18 . 2010-05-21 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 14:58 . 2008-04-14 05:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 14:58 . 2008-04-14 05:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-21 14:58 . 2010-05-21 14:58 -------- d-----w- c:\documents and settings\centanav\Local Settings\Application Data\cddbvmamc
2010-05-20 20:31 . 2010-05-20 20:31 -------- d-----w- c:\program files\Free RAR Extract Frog
2010-05-19 21:08 . 2010-05-19 21:08 -------- d-----w- c:\documents and settings\centanav\Application Data\EPSON
2010-05-19 21:06 . 2008-04-14 05:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-05-19 21:06 . 2008-04-14 05:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-05-19 20:59 . 2010-05-19 21:00 -------- d-----w- c:\program files\epson
2010-05-19 20:59 . 2006-08-24 22:00 9216 ----a-w- c:\windows\system32\escdev.dll
2010-05-19 20:59 . 2006-10-13 05:00 65793 ----a-w- c:\windows\system32\esfw54.bin
2010-05-19 20:59 . 2006-10-13 05:00 63488 ----a-w- c:\windows\system32\eswia54.dll
2010-05-19 20:59 . 2006-05-23 05:00 172032 ----a-w- c:\windows\system32\esint54.dll
2010-05-19 20:59 . 2006-03-10 05:00 3584 ----a-w- c:\windows\system32\eswiaml.dll
2010-05-19 20:58 . 2010-05-19 21:05 -------- d-----w- C:\EPSON

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 20:29 . 2009-10-16 14:40 20008 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2010-05-26 20:29 . 2010-01-25 17:50 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-25 17:14 . 2009-11-05 09:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-19 21:06 . 2009-08-14 13:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-19 21:05 . 2009-08-14 13:06 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-19 21:01 . 2010-05-19 21:01 -------- d-----w- c:\documents and settings\centanav\Application Data\InstallShield
2010-05-12 08:00 . 2009-08-14 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2004-03-15 23:51 . 2004-03-15 23:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-26_20.30.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 12:00 . 2010-05-26 19:55 68156 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-26 20:33 68156 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-26 20:33 435260 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-05-26 19:55 435260 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-12 186904]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-27 796184]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-04-10 1810432]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2009-06-17 233472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-29 298024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-29 128552]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2008-05-29 23:57 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2008-05-29 23:57 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [8/14/2009 8:06 AM 24064]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/29/2008 6:57 PM 198184]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 7:00 AM 14336]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [7/16/2009 12:04 PM 376096]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [4/10/2009 12:08 PM 77824]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/14/2009 9:48 AM 2066968]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [10/16/2009 9:40 AM 20008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/14/2009 8:08 AM 144480]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [10/25/2009 5:44 AM 57600]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/14/2009 10:12 AM 67904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/14/2009 10:12 AM 64432]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

2010-05-26 c:\windows\Tasks\User_Feed_Synchronization-{C048E09E-2311-44FC-8DC6-8974A8FA0374}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: pbrc.edu\pinetest
Trusted Zone: pbrc.edu\pinetest
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {0B374B66-2ABD-11D5-9DE6-00B0D0236D7B} - hxxp://pine.pbrc.edu/cln/bin/PBRCCalendar.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-26 16:22:01
ComboFix-quarantined-files.txt 2010-05-26 21:22
ComboFix2.txt 2010-05-26 20:32

Pre-Run: 139,173,875,712 bytes free
Post-Run: 139,160,989,696 bytes free

- - End Of File - - 458717438D824AC1CE0B8552569F7775


I didn't know how you wanted me to display the results for the Jotti scan so I have pasted the links for the scan results. For both files nothing was found!!

Jotti ws2_32.dll scan:

http://virusscan.jotti.org/en/scanresult/5...d4a41cf7d741a14

Jotti user32.dll scan:

http://virusscan.jotti.org/en/scanresult/6...a5e350fd5b0280b


Also I have tried a few searches and do not seem to be getting redirected anymore!!!!!!!

Armand

#10 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 26 May 2010 - 05:58 PM

Hi,

do you have your Windows CD at hand and could we use it?

regards myrti



#11 arnoo81 (Topic Starter)

  • Members
  • 8 posts

Posted 26 May 2010 - 06:24 PM

Myrti,

I do not have the windows CD as this is my office computer. Is it necessary that I have it? Thanks.

#12 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 27 May 2010 - 04:35 AM

Hi,

two of your system files have been modified and I would have liked to replace them with clean copies. We would have needed your Windows CD for that. It seems we'll skip this step.

Please run a scan with Eset next:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#13 arnoo81 (Topic Starter)

  • Members
  • 8 posts

Posted 27 May 2010 - 10:32 AM

Good Morning Myrti,

I ran the ESET online scan and there were no infected files found. I would have posted the report, however upon completion of the scan my only option was to click 'Finish'. There was nothing about a list of found threats or an export text file.

#14 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 29 May 2010 - 11:03 AM

Hi,

great to hear that. How is your PC doing?

Before we get to the final step please update your java:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards myrti



#15 arnoo81 (Topic Starter)

  • Members
  • 8 posts

Posted 01 June 2010 - 09:21 AM

Good Morning Myrti,

PC has been running great. I have removed all old Java programs and updated to the newest version.
