popups, odd files, and possible McAfee corruption


This topic is locked. 20 replies to this topic.

#1 rabbi79 (Members, 32 posts)

Posted 26 May 2010 - 09:42 AM

On May 25, 2010, around 12:15AM I visited a website and got a popup that I needed to use Task Manager to close. Since then, I have been receiving other popups (only one at a time though), although I have been closing them with Task Manager also before they finish loading. (One was about winning a gift certificate or something...) Anyway, when I ran McAfee, I received a message to the effect that there was an attempt to alter its code, and that if it doesn't find anything, I should try etc... (I can't remember exactly what it said, sorry, although I think it mentioned rootkit). McAfee detected two files, but they were Matlab files that it always identifies as possible trojans for some reason (they are OK and have been identified previously by McAfee before the problem started). I received another popup online after the scan was completed.

McAfee's OnAccessScanLog is always running. It usually deletes files like "Deleted myname\howkc C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\howkc\Cookies\howkc@tribalfusion[2].txt\00000000.ie Cookie-Tribalfusion (Potentially Unwanted Program)". However, starting May 25 12:15AM, it started identifying files of the type "Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt\00000000.ie Cookie-Doubleclick (Potentially Unwanted Program)". I searched around and found the folder C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player modified May 25 12:15AM. It has two folders, #SharedObjects and macromedia.com. The folder #SharedObjects contains the folder 2DJEBVEX, which contains folders for the following:
67.15.218.106
core.videoegg.com
flash.quantserve.com
is1.j.tv2n.net
player.grabnetworks.com
redir.adap.tv
ui.mevio.com
www.babelgum.com
www.blinkx.com
www.ncm.com

Here is the HijackThis logfile.

*************************************************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:51:40 AM, on 5/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\howkc\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cymail.iastate.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: MiKTeX
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8093 bytes
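The two OnAccessScanLog entries quoted in the post differ in one detail that carries the whole story. Before May 25 the cookie detections name the interactive user's browser: account myname\howkc, process iexplore.exe, cookie under the howkc profile. From May 25 12:15AM they name svchost.exe running as NT AUTHORITY\SYSTEM, writing cookies under the NetworkService profile. Nobody logs on as NetworkService, so a browser cookie (or a Flash #SharedObjects folder) appearing there means a service-hosted process, not the user, is fetching ad and video pages. The following parser, added here as an example and not taken from the thread or from McAfee, applies that distinction to log lines. The first two sample entries are constructed from the ones quoted above; the third adds a leading date/time and tab separators, which is an assumption about how the real file is laid out and is normalised away before matching.

```python
"""Classify McAfee VirusScan Enterprise OnAccessScanLog entries by who ran the process.

Added example for this thread, not McAfee code. Sample entries are constructed;
the timestamped, tab-delimited layout of the third one is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ENTRY_RE = re.compile(
    r"^(?:\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s*(?:AM|PM)?\s+)?"  # optional date/time
    r"(?P<action>\S+)\s+"
    r"(?P<user>NT AUTHORITY\\\S+|\S+)\s+"          # account the process ran as
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+"        # process that touched the file
    r"(?P<target>[A-Za-z]:\\.+?)\s+"              # file the scanner acted on
    r"(?P<detection>\S+)\s+\((?P<category>[^)]*)\)$",
    re.IGNORECASE,
)

# Profile folders that belong to service accounts. Nobody logs on as these, so a
# browser cookie landing under them was written by a service, not by a person.
SERVICE_PROFILES = {"networkservice", "localservice"}


@dataclass
class Finding:
    severity: str            # "info" (expected PUP noise) or "review"
    user: str
    process: str
    profile: Optional[str]   # profile folder the target file lives under, if any
    detection: str
    reason: str


def profile_of(path: str) -> Optional[str]:
    """Return the profile name ('howkc', 'NetworkService', ...) a path lives under."""
    m = re.search(r"\\Documents and Settings\\([^\\]+)\\", path, re.IGNORECASE)
    return m.group(1) if m else None


def parse_entry(line: str):
    # The post shows space-joined text; an on-disk log is assumed to be tab-delimited.
    # Joining on tabs makes both shapes match the same expression.
    return ENTRY_RE.match(" ".join(line.strip().split("\t")))


def classify(line: str) -> Optional[Finding]:
    m = parse_entry(line)
    if m is None:
        return None
    user, process, target = m["user"], m["process"], m["target"]
    exe = process.rsplit("\\", 1)[-1].lower()
    profile = profile_of(target)
    in_service_profile = profile is not None and profile.lower() in SERVICE_PROFILES
    is_system = user.upper() == "NT AUTHORITY\\SYSTEM"
    if is_system and in_service_profile:
        return Finding("review", user, process, profile, m["detection"],
                       f"{exe} running as SYSTEM stored a web cookie under the {profile} "
                       f"profile: a service, not the logged-on user, is making HTTP requests")
    if is_system:
        return Finding("review", user, process, profile, m["detection"],
                       f"{exe} running as SYSTEM touched {target}; identify the hosted service")
    return Finding("info", user, process, profile, m["detection"],
                   f"tracking cookie written by the interactive user's {exe}; PUP noise")


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample entries: the first two follow the post, the third guesses
# at the on-disk layout with date, time and tab separators.
SAMPLE_LOG = [
    r"Deleted myname\howkc C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\howkc\Cookies\howkc@tribalfusion[2].txt\00000000.ie Cookie-Tribalfusion (Potentially Unwanted Program)",
    r"Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt\00000000.ie Cookie-Doubleclick (Potentially Unwanted Program)",
    "5/25/2010\t12:15:02 AM\tDeleted\tNT AUTHORITY\\SYSTEM\tC:\\WINDOWS\\System32\\svchost.exe\tC:\\Documents and Settings\\NetworkService\\Cookies\\system@doubleclick[1].txt\\00000000.ie\tCookie-Doubleclick (Potentially Unwanted Program)",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.reason}")
```

The useful output is the "review" lines: they tell you which service host was doing the browsing, and from there the next question is which service inside that svchost.exe instance (its -k group and the netsvcs list OTL dumps) has no business talking to doubleclick or videoegg.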


#2 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 28 May 2010 - 06:03 AM

Hello again rabbi79,


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks

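The custom-scan tokens above ask OTL to enumerate locked DLLs in system32, scheduled-task files, the netsvcs service list, msconfig disabled items and the Drivers32 codecs, and the output comes back as O-numbered lines in the same shape as the HijackThis log earlier in the thread. Reading a log of that size by eye is slow, so here is a first-pass filter, added as an example that is not part of this thread and not OTL or HijackThis code, that surfaces the entry types a responder checks first: orphaned entries ("File not found", "(no file)", "No CLSID value found"), Run keys in the SYSTEM and Default User hives, hosts-file overrides, downloaded ActiveX controls (O16 DPF) and remembered removable-media AutoRun commands (O33). The sample lines are constructed to mirror line shapes visible in this thread; the second hosts line is invented and names a placeholder host.

```python
"""Pull the lines worth a second look out of an OTL or HijackThis log.

Added example, not part of the thread or of either tool. The rules are a
first-pass triage, not a verdict; sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

ENTRY_RE = re.compile(r"^O(?P<section>\d+)\s*-\s*(?P<body>.*)$")

# Run keys in these hives fire for the SYSTEM account or for every newly created
# profile, not for the person at the keyboard (OTL writes HKU\..., HijackThis HKUS\...).
PRIVILEGED_HIVES = ("HKU\\.DEFAULT", "HKU\\S-1-5-18", "HKUS\\.DEFAULT", "HKUS\\S-1-5-18")

# The only hosts entries a clean file needs.
HOSTS_DEFAULTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass
class Flag:
    line: str
    kind: str
    note: str


def triage_line(line: str) -> List[Flag]:
    """Return zero or more flags for one log line; a line can earn several."""
    flags: List[Flag] = []
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return flags
    section, body = int(m["section"]), m["body"]

    if body.endswith("File not found") or body.endswith("(no file)") or "No CLSID value found" in body:
        flags.append(Flag(line, "orphan",
                          "points at a file or CLSID that no longer exists; usually residue of an "
                          "uninstall or a cleanup, remove it so the next log is quieter"))
    if section == 4 and body.startswith(PRIVILEGED_HIVES):
        flags.append(Flag(line, "system-hive autorun",
                          "Run entry in the SYSTEM or Default User hive, which executes outside "
                          "the interactive user's session; confirm the publisher"))
    if section == 1:
        hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hm and (hm.group(1), hm.group(2).lower()) not in HOSTS_DEFAULTS:
            flags.append(Flag(line, "hosts override",
                              f"{hm.group(2)} is pinned to {hm.group(1)}; hosts redirects are a "
                              "common way to cut a machine off from update and security sites"))
    if section == 16:
        um = re.search(r"https?://([^/\s]+)", body)
        host = um.group(1) if um else "an unknown host"
        flags.append(Flag(line, "downloaded ActiveX",
                          f"control installed from {host}; make sure it is one the user chose"))
    if section == 33 and "\\Shell\\AutoRun\\command" in body:
        flags.append(Flag(line, "removable-media autorun",
                          "AutoRun command remembered for a removable drive; check what it launches"))
    return flags


def triage(lines: Iterable[str]) -> List[Flag]:
    return [f for line in lines for f in triage_line(line)]


# Constructed sample lines shaped like the posted logs. The second hosts line is
# invented to show a redirect and uses a placeholder host name.
SAMPLE_LOG = [
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O1 - Hosts: 127.0.0.1 updates.security-vendor.example",
    r"O3 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.",
    r"O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)",
    r"O4 - HKU\S-1-5-18..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)",
    r'O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found',
]

if __name__ == "__main__":
    for flag in triage(SAMPLE_LOG):
        print(f"[{flag.kind}] {flag.line}\n    {flag.note}")
```

Nothing this filter flags is malicious on its own; an orphaned LiveUpdate notifier under S-1-5-18 is just a leftover, and a DivX control is what the user installed. Its job is to shrink a several-hundred-line log to the dozen entries a helper actually needs to confirm.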


#3 rabbi79 (Topic Starter, Members, 32 posts)

Posted 28 May 2010 - 01:00 PM

Hi Syler,
Sorry we need to talk again! I have only really been hit 3 times in the last ten years, and it kind of sucks that 2 of them happen to have occurred two months apart! The computer has been working great since the last fix.


***************Here is OTL.txt.**********************

OTL logfile created on: 5/28/2010 8:59:47 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\howkc\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 126.00 Mb Available Physical Memory | 25.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.20 Gb Total Space | 9.93 Gb Free Space | 29.03% Space Free | Partition Type:
NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CORY
Current User Name: howkc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and
Settings\howkc\Desktop\OTL.exe
PRC - [2010/03/13 11:13:21 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program
Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/10/22 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/10/22 20:07:00 | 000,083,280 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\VirusScan Enterprise\mcupdate.exe
PRC - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32
\mfevtps.exe
PRC - [2009/10/22 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/10/22 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\VirusScan Enterprise\engineserver.exe
PRC - [2009/08/25 16:00:00 | 000,939,328 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\Common Framework\McScript_InUse.exe
PRC - [2009/08/25 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/25 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program
Files\McAfee\Common Framework\McTray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) --
C:\WINDOWS\explorer.exe
PRC - [2005/09/09 23:19:34 | 000,393,216 | ---- | M] (SigmaTel, Inc.) --
C:\WINDOWS\stsystra.exe
PRC - [2003/10/29 02:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program
Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and
Settings\howkc\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) --
C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] --
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] --
C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/10/22 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [Unknown | Running] --
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] --
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/08/25 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] --
C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2009/10/22 20:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running]
-- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/10/22 20:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand |
Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/10/22 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand |
Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/10/22 20:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand |
Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/10/22 20:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System |
Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/10/22 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand |
Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel |
Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
[Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider)
[Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/11/29 04:36:56 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand |
Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/11/02 19:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel |
On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/09/09 23:15:32 | 001,032,472 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand |
Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] --
C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/05 03:32:16 | 000,045,312 | R--- | M] (Broadcom Corporation) [Kernel |
On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/22 03:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel |
On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 03:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel |
On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 03:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel |
On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot |
Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto |
Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand
| Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System |
Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System |
Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/09 10:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand |
Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2)
DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | System | Running] --
C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled |
Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped]
-- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped]
-- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped]
-- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled |
Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel |
Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled |
Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled |
Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled |
Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled |
Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel |
Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel
| Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel
| Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel |
Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled
| Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" =
0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" =
0



IE - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\SOFTWARE\Microsoft\Internet
Explorer\Main,Start Page = http://cymail.iastate.edu/
IE - HKU\S-1-5-21-3240608773-437346229-4036777959-1005
\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}:
C:\Documents and Settings\All Users\Application
Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/13 11:16:14 | 000,000,000 | ---D
| M]


O1 HOSTS File: ([2010/04/10 17:07:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32
\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5
-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application
Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32
\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program
Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\..\Toolbar\WebBrowser: (no name) -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\..\Toolbar\WebBrowser: (no name) -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File
not found
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common
Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe
(McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee,
Inc.)
O4 - HKLM..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe
(OLYMPUS IMAGING CORP.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee,
Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(RealNetworks, Inc.)
O4 - HKU\.DEFAULT..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File
not found
O4 - HKU\S-1-5-18..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File
not found
O4 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005..\Run: [DellSupportCenter] C:\Program
Files\Dell Support Center\bin\sprtcmd.exe File not found
O4 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005..\Run: [OM2_Monitor] C:\Program
Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)
O4 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005..\Run: [updateMgr] C:\Program
Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader
Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems
Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line
Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\howkc\Start Menu\Programs\Startup\MiKTeX [2006/05/02
23:28:53 | 000,000,000 | ---D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun =
67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun =
323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:
NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun
= 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:
NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun
= 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:
NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:
NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.168.12 97.64.179.251
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\howkc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\howkc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell - "" = AutoRun
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 17:02:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.3IV2 - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx.com)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/05/28 08:57:07 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
[2010/05/26 01:50:36 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\howkc\Desktop\HijackThis.exe
[2010/05/25 00:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/25 00:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/19 23:28:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\howkc\My Documents\cancer modeling - UI
[2010/05/12 18:37:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\howkc\My Documents\baby stuff
[2007/02/25 22:41:42 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL

========== Files - Modified Within 30 Days ==========

[2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
[2010/05/28 08:54:11 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/28 08:54:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/28 08:53:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/28 08:53:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/28 08:53:05 | 527,892,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/26 02:06:15 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\howkc\NTUSER.DAT
[2010/05/26 02:05:38 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\howkc\ntuser.ini
[2010/05/26 02:04:48 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/26 01:50:39 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\howkc\Desktop\HijackThis.exe
[2010/05/25 22:52:49 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/21 17:52:40 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\howkc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/18 18:28:41 | 004,207,861 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\AHPC_differentiation_31910_singlespaced-DS.pdf
[2010/05/15 20:29:07 | 000,006,536 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\SnoodPrf.21W
[2010/05/13 00:16:24 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/12 19:46:50 | 000,056,720 | ---- | M] () -- C:\Documents and Settings\howkc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/28 21:50:41 | 001,630,565 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\users_guide_PDE_models_chemotaxis.pdf

========== Files Created - No Company Name ==========

[2010/05/18 18:28:21 | 004,207,861 | ---- | C] () -- C:\Documents and Settings\howkc\My Documents\AHPC_differentiation_31910_singlespaced-DS.pdf
[2010/05/16 17:16:23 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/13 00:16:24 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/13 00:16:24 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/04/28 21:50:41 | 001,630,565 | ---- | C] () -- C:\Documents and Settings\howkc\My Documents\users_guide_PDE_models_chemotaxis.pdf
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/11/01 02:18:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
[2008/11/01 00:07:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2008/04/09 18:56:39 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2008/02/20 01:27:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Netscape.INI
[2007/02/25 22:41:41 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2006/09/07 11:36:57 | 000,002,583 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/08/22 18:28:08 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\E8D44DD248.sys
[2006/08/17 00:56:33 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/17 00:56:33 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\48D24DD4E8.sys
[2006/05/09 14:26:21 | 000,000,157 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2006/05/02 20:31:58 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\maplec.dll
[2006/05/02 20:22:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/02 19:14:33 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/04/22 06:01:22 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/22 05:46:34 | 000,000,184 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/22 05:12:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/04/22 05:12:12 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/04/22 05:12:02 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/05/12 09:25:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/27 07:13:54 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2004/01/27 07:13:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 14:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/11 17:06:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/11 17:06:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/11 17:06:14 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

< >
< End of report >


*****************Here is Extras.txt.**********************


OTL Extras logfile created on: 5/28/2010 8:59:48 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\howkc\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 126.00 Mb Available Physical Memory | 25.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.20 Gb Total Space | 9.93 Gb Free Space | 29.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CORY
Current User Name: howkc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Maple 9.5\bin.win\mserver.exe" = C:\Program Files\Maple 9.5\bin.win\mserver.exe:*:Enabled:mserver -- ()
"C:\Program Files\Maple 9.5\jre\bin\java.exe" = C:\Program Files\Maple 9.5\jre\bin\java.exe:*:Enabled:java -- ()
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{062C5105-5163-48C5-A367-2DEE969E6C14}" = Intel® Visual Fortran Compiler 10.0 Integrations in Microsoft Visual Studio*
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 19
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{27AB9BD6-4A3E-4BBD-8381-CD445E474936}" = Berkeley Madonna
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45FCADDB-0B29-457E-83A1-D245C62A716C}" = OLYMPUS Master 2
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{58D86F89-1D0E-4592-ADB5-273AADDDA58D}" = Intel® Debugger for applications running on IA-32, Version 10.0
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9A0ED01E-FD18-457A-AB9C-0835DCDB17BB}" = Microsoft Platform SDK (R2) (3790.2075)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AA951B10-7089-4D60-B288-516E641F48E6}" = McAfee Agent
"{AB6F4AB9-AC85-4002-9829-B6EEA55AE3A5}" = Microsoft Visual C++ 2005 Express Edition - ENU
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3282FB8-874B-4054-8356-9EB391A826F9}" = OLYMPUS muvee theaterPack
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC626866-0EA4-43A7-AB4B-D5749F7389EE}" = Intel® Fortran Compiler for IA-32 applications, Version 10.0.025
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E8C06CB3-5DB2-4689-B1DC-4A0220DEA96C}" = Consumer Complete Care Services Agreement
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}" = QuickTime
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"3ivx D4 4.5.1" = 3ivx D4 4.5.1 (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AFPL Ghostscript 8.14" = AFPL Ghostscript 8.14
"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts
"Berkeley Madonna" = Berkeley Madonna 8.0.1
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"Chime/Chime Pro for Communicator" = Chime/Chime Pro for Communicator
"Chime/Chime Pro for Internet Explorer" = Chime/Chime Pro for Internet Explorer
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"FLV Player" = FLV Player 2.0, build 24
"GSview 4.6" = GSview 4.6
"ie8" = Windows Internet Explorer 8
"LiveReg" = LiveReg (Symantec Corporation)
"Maple 9.5" = Maple 9.5
"Matlab 6.5.1" = MATLAB 6.5.1
"MatlabR2008b" = MATLAB R2008b
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"MDL ISIS Draw 2.5 Standalone" = MDL ISIS Draw 2.5 Standalone
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C++ 2005 Express Edition - ENU" = Microsoft Visual C++ 2005 Express Edition - ENU
"MiKTeX" = MiKTeX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PCFriendly" = PCFriendly
"RealPlayer 12.0" = RealPlayer
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeXnicCenter_is1" = TeXnicCenter Version 1 Beta 6.21 (Fawkes)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3240608773-437346229-4036777959-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Download Agent" = Download Agent
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/23/2010 12:29:36 AM | Computer Name = CORY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18904, fault address 0x00156331.

Error - 5/23/2010 12:29:42 AM | Computer Name = CORY | Source = Application Error | ID = 1001
Description = Fault bucket 1784812514.

Error - 5/23/2010 12:30:36 AM | Computer Name = CORY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18904, fault address 0x00156331.

Error - 5/23/2010 12:31:14 AM | Computer Name = CORY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18904, fault address 0x00156331.

Error - 5/25/2010 1:44:52 AM | Computer Name = CORY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 5/25/2010 9:46:06 PM | Computer Name = CORY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/25/2010 9:46:06 PM | Computer Name = CORY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/25/2010 9:46:06 PM | Computer Name = CORY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/25/2010 11:53:26 PM | Computer Name = CORY | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/26/2010 2:01:17 AM | Computer Name = CORY | Source = McLogEvent | ID = 259
Description = The scan found detections. Scan engine version 5400.1158 DAT version
5993.

[ System Events ]
Error - 5/25/2010 6:23:00 PM | Computer Name = CORY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 6:31:33 PM | Computer Name = CORY | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{68696A38-C218-4A8A-B0E0-B4AC43B91292}. The
backup browser is stopping.

Error - 5/25/2010 11:50:16 PM | Computer Name = CORY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/25/2010 11:50:16 PM | Computer Name = CORY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 11:53:31 PM | Computer Name = CORY | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{68696A38-C218-4A8A-B0E0-B4AC43B91292}. The
backup browser is stopping.

Error - 5/28/2010 9:53:33 AM | Computer Name = CORY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/28/2010 9:53:33 AM | Computer Name = CORY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/28/2010 9:54:29 AM | Computer Name = CORY | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 5/28/2010 10:01:12 AM | Computer Name = CORY | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 5/28/2010 10:01:12 AM | Computer Name = CORY | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 May 2010 - 01:28 PM

Yes, it is a shame; I was hoping I would see you in this forum again, but no worries though, we will get you cleaned up.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O3 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found
    O4 - HKU\.DEFAULT..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found
    O4 - HKU\S-1-5-18..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found
    O4 - HKU\S-1-5-21-3240608773-437346229-4036777959-1005..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\System32\SCCD3X02.DLL

Please post back with the link to the scan results, in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.


Then please post back here with the following logs:
  • OTL results
  • New OTL log
  • Virustotal link
  • mbr.log

Thanks



#5 rabbi79

  • Topic Starter
  • Members
  • 32 posts

Posted 28 May 2010 - 02:51 PM

*****RunFix results for OTL*********

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3240608773-437346229-4036777959-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\ not found.
File not found.
Registry value HKEY_USERS\S-1-5-21-3240608773-437346229-4036777959-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\ not found.
File not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DellSupportCenter deleted successfully.
File C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\ALUAlert deleted successfully.
File C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ALUAlert not found.
File C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found.
Registry value HKEY_USERS\S-1-5-21-3240608773-437346229-4036777959-1005\Software\Microsoft\Windows\CurrentVersion\Run\\DellSupportCenter deleted successfully.
File C:\Program not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: howkc
->Temp folder emptied: 571664 bytes
->Temporary Internet Files folder emptied: 3111601 bytes
->Java cache emptied: 2280548 bytes
->Flash cache emptied: 32930 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 14153747 bytes
->Flash cache emptied: 3570 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13143221 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 92804 bytes

Total Files Cleaned = 32.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: howkc
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.0 log created on 05282010_141537

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




**************New OTL.txt**************************



OTL logfile created on: 5/28/2010 2:21:10 PM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\howkc\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 65.00 Mb Available Physical Memory | 13.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 64.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.20 Gb Total Space | 9.96 Gb Free Space | 29.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CORY
Current User Name: howkc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
PRC - [2010/03/13 11:13:21 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/10/22 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/10/22 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/10/22 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
PRC - [2009/08/25 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/25 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/09 23:19:34 | 000,393,216 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2003/10/29 02:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/10/22 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/08/25 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2009/10/22 20:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/10/22 20:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/10/22 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/10/22 20:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/10/22 20:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/10/22 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/11/29 04:36:56 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/11/02 19:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/09/09 23:15:32 | 001,032,472 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/05 03:32:16 | 000,045,312 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/22 03:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 03:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 03:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/09 10:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2)
DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cymail.iastate.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/13 11:16:14 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/04/10 17:07:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe (OLYMPUS IMAGING CORP.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\howkc\Start Menu\Programs\Startup\MiKTeX [2006/05/02 23:28:53 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.186.142.200 129.186.1.200 129.186.78.200
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\howkc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\howkc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell - "" = AutoRun
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/28 14:15:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/28 08:57:07 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
[2010/05/26 01:50:36 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\howkc\Desktop\HijackThis.exe
[2010/05/25 00:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/25 00:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/19 23:28:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\howkc\My Documents\cancer modeling - UI
[2010/05/12 18:37:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\howkc\My Documents\baby stuff
[2007/02/25 22:41:42 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL

========== Files - Modified Within 30 Days ==========

[2010/05/28 14:18:55 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/28 14:18:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/28 14:17:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/28 14:17:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/28 14:17:36 | 527,892,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/28 14:17:04 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\howkc\NTUSER.DAT
[2010/05/28 14:16:45 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\howkc\ntuser.ini
[2010/05/28 14:15:05 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
[2010/05/26 01:50:39 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\howkc\Desktop\HijackThis.exe
[2010/05/25 22:52:49 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/21 17:52:40 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\howkc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/18 18:28:41 | 004,207,861 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\AHPC_differentiation_31910_singlespaced-DS.pdf
[2010/05/15 20:29:07 | 000,006,536 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\SnoodPrf.21W
[2010/05/13 00:16:24 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/12 19:46:50 | 000,056,720 | ---- | M] () -- C:\Documents and Settings\howkc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/28 21:50:41 | 001,630,565 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\users_guide_PDE_models_chemotaxis.pdf

========== Files Created - No Company Name ==========

[2010/05/18 18:28:21 | 004,207,861 | ---- | C] () -- C:\Documents and Settings\howkc\My Documents\AHPC_differentiation_31910_singlespaced-DS.pdf
[2010/05/16 17:16:23 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/13 00:16:24 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/13 00:16:24 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/04/28 21:50:41 | 001,630,565 | ---- | C] () -- C:\Documents and Settings\howkc\My Documents\users_guide_PDE_models_chemotaxis.pdf
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/11/01 02:18:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
[2008/11/01 00:07:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2008/04/09 18:56:39 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2008/02/20 01:27:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Netscape.INI
[2007/02/25 22:41:41 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2006/09/07 11:36:57 | 000,002,583 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/08/22 18:28:08 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\E8D44DD248.sys
[2006/08/17 00:56:33 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/17 00:56:33 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\48D24DD4E8.sys
[2006/05/09 14:26:21 | 000,000,157 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2006/05/02 20:31:58 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\maplec.dll
[2006/05/02 20:22:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/02 19:14:33 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/04/22 06:01:22 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/22 05:46:34 | 000,000,184 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/22 05:12:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/04/22 05:12:12 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/04/22 05:12:02 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/05/12 09:25:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/27 07:13:54 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2004/01/27 07:13:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 14:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
< End of report >


**********Link for Virustotal********************

http://www.virustotal.com/analisis/2e1b632...51ca-1275075766


************mbr.log********************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82CDAD01]<<
kernel: MBR read successfully
user & kernel MBR OK

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:05 PM

Posted 28 May 2010 - 03:34 PM

That doesn't look good; it looks like you have a rootkit there. Let's try and confirm it.
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with GMER's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



#7 rabbi79

rabbi79
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:05 AM

Posted 28 May 2010 - 03:34 PM

By the way, I will be on vacation for the next few days and won't be able to run any more fixes until Monday night. Thought I should let you know so the topic doesn't get closed due to lack of a response.

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:05 PM

Posted 28 May 2010 - 03:43 PM

That's fine I will keep the topic open, have a good vacation.



#9 rabbi79

rabbi79
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:05 AM

Posted 01 June 2010 - 12:59 PM

It was a great vacation, but now back to my sucky computer (granted it was made sucky by my own idiocy).

I ran GMER last night, clicking on "disable" for the wireless signal so I wouldn't connect to one within reach while running the program. GMER was working fine for the 3 hours I was monitoring it before going to bed around 12:30 AM. When I got back to the computer in the morning, I had the following message:

bcmwltry.exe - Application Error. The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

When I would click OK, it would just come up a couple of seconds later. To get away from it, I finally clicked OK, and then pressed SAVE on GMER to get the log file, saving it as "vjx7pszc.log". When I tried to open the file, I received the message:

C:\Documents and Settings\howkc\Desktop\vjx7pszc.log Insufficient resources exist to complete the requested service.

The computer was essentially frozen, so I had to pull the battery to restart the computer. Upon restarting, I received the message:

DELL Wireless WLAN Card Wireless Network Controller encountered a problem and needed to close. This error occurred on 6/1/2010 at 1:32:13 AM.

I clicked for technical information about the error report:
C:\DOCUME~1\howkc\LOCALS~1\Temp\WERf970.dir00\BCMWLTRY.EXE.mdmp
C:\DOCUME~1\howkc\LOCALS~1\Temp\WERf970.dir00\appcompat.txt

Here is the GMER log file I saved:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-01 12:25:57
Windows 5.1.2600 Service Pack 3
Running: vjx7pszc.exe; Driver: C:\DOCUME~1\howkc\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF82447B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF8244676]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF8244610]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF8244624]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF824468A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF82446B6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF8244724]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF824470E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF824473A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF82447F8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF8244766]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF8244662]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF82445D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF82445E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF82447CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF82447A2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF82446F8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF82446E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF82446A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF824478E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF824477A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF824464E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF824463A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF82446CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF8244827]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF8244750]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF824480E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF82447E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP F82447E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP F82447BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP F82447FC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP F8244812 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP F82447D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP F82445D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP F82445EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP F824463E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP F8244628 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP F8244614 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP F8244652 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP F824482B mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP F82446E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP F82446D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP F8244754 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP F82446FC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP F82446A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP F824467A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP F824468E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP F82446BA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP F8244728 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP F8244712 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP F8244666 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP F82447A6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP F824477E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 8061C174 7 Bytes JMP F824473E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP F8244792 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP F824476A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01240FEF
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0124006C
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01240F77
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01240051
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01240F94
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01240025
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0124009A
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01240F52
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012400BC
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01240F2D
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012400CD
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01240036
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01240FDE
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0124007D
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01240014
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01240FC3
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012400AB
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01230FCA
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01230F83
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01230FE5
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0123001B
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01230F9E
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01230000
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01230FAF
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [43, 89]
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01230036
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01220F95
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!system 77C293C7 5 Bytes JMP 01220FB0
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01220FD2
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01220FEF
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01220FC1
.text C:\WINDOWS\system32\services.exe[892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01220000
.text C:\WINDOWS\system32\services.exe[892] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[892] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\services.exe[892] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[892] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\services.exe[892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01020086
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0102006B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0102005A
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0102003D
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0102002C
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01020F80
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010200C8
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010200FE
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010200ED
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01020F54
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01020F9B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01020FE5
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010200AB
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0102001B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01020F6F
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01010FE5
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01010FA5
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0101002C
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0101001B
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01010062
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01010051
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01010FD4
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0053
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC8
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0038
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\lsass.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\lsass.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[904] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\lsass.exe[904] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\lsass.exe[904] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\lsass.exe[904] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D7007F
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70F94
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D7006E
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D700A6
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70F5E
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700F7
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D700D2
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70112
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D70051
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70F6F
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70FCA
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D700B7
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60036
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D6007D
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60025
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60FB6
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D60062
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60047
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0FAB
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0036
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FBC
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F001B
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FD7
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0025
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E3008E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E3007D
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30062
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30FAF
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30FDB
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E300CD
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E300B0
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E300F2
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30F59
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E3010D
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E30FC0
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E30025
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E3009F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E30051
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E30036
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E30F6A
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20F9E
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E2005B
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [02, 89]
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0FAD
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0038
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F001D
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FBE
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FE3
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0011
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D002C
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D003D
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04FB0000
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04FB0FA5
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04FB0FB6
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04FB009A
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04FB0073
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04FB0051
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04FB0F6F
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04FB00AB
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04FB0F39
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04FB0F54
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04FB0F28
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04FB0062
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04FB001B
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04FB0F8A
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04FB0FDB
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04FB002C
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04FB00D2
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04FA001B
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04FA0F83
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04FA0000
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04FA0FCA
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04FA0040
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04FA0FE5
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04FA0F9E
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1A, 8D]
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04FA0FAF
.text C:\WINDOWS\System32\svchost.exe[1184] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0173000A
.text C:\WINDOWS\System32\svchost.exe[1184] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1184] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04F9004E
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 04F90033
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04F90FCD
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04F90FEF
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04F90018
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04F90FDE
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04EF0FEF
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04EF000A
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04EF0FD4
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 04EF0FC3
.text C:\WINDOWS\System32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04F8000A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0060
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0F6B
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0F7C
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0039
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0FB2
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F0F22
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F0F33
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00A7
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F0096
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F00B8
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0F97
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0F50
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F0FDE
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F007B
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FA8
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E004A
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0039
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006E001E
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0F97
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0FB9
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0044
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0029
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FC0
.text C:\WINDOWS\system32\svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0064
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0053
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0042
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0F79
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0F9E
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F00AD
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F0090
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00F4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F00D9
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F0105
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0025
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F0FDE
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F007F
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F00BE
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E005B
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E001B
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E004A
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006E0F9E
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8E, 88]
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0FB7
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FD2
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0038
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FE3
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0011
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F57
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F68
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F30
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0078
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00AE
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F15
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0EF0
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0067
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0089
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\svchost.exe[1748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE001E
.text C:\WINDOWS\system32\svchost.exe[1748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0F99
.text C:\WINDOWS\system32\svchost.exe[1748] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0FBE
.text C:\WINDOWS\system32\svchost.exe[1748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F001D
.text C:\WINDOWS\system32\svchost.exe[1748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F002E
.text C:\WINDOWS\system32\svchost.exe[1748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FE3
.text C:\WINDOWS\system32\svchost.exe[1748] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1748] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\svchost.exe[1748] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\system32\svchost.exe[1748] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\system32\svchost.exe[1748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0172000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01720F76
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01720075
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01720F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01720058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0172002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01720F3E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01720F5B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01720F19
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017200B2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01720EFE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01720047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0172001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01720086
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01720FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01720FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 017200A1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01710FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01710039
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0171000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01710FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01710F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01710FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01710F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [91, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01710FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01700FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] msvcrt.dll!system 77C293C7 5 Bytes JMP 01700042
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01700027
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01700FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01700FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0170000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016F0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 016E0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 016E0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 016E0FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1884] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 016E0FBC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011B000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011B0085
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011B0F90
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011B0FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011B0FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011B004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011B0F5A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011B00A2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011B00D8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011B00C7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011B00F3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011B0FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011B0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011B0F75
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011B0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011B0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011B0F49
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011A001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011A006C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011A0FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011A0FDB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011A0FA5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011A0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011A0051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011A0036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01190055
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] msvcrt.dll!system 77C293C7 5 Bytes JMP 01190FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01190029
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01190FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0119003A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0119000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01180FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01170FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0117000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01170FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2008] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01170FC3
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F51
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D003C
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F62
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0F7F
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FA1
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F40
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D007C
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0F11
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D00AA
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D00CF
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F90
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FDE
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0061
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FB2
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FCD
.text C:\Program Files\Messenger\msmsgs.exe[3108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0099
.text C:\Program Files\Messenger\msmsgs.exe[3108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FCD
.text C:\Program Files\Messenger\msmsgs.exe[3108] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0058
.text C:\Program Files\Messenger\msmsgs.exe[3108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C002C
.text C:\Program Files\Messenger\msmsgs.exe[3108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\Program Files\Messenger\msmsgs.exe[3108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C003D
.text C:\Program Files\Messenger\msmsgs.exe[3108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0011
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F8D
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0011
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0000
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D004A
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F9E
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\Program Files\Messenger\msmsgs.exe[3108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0FAF
.text C:\Program Files\Messenger\msmsgs.exe[3108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002E0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3108] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002F0000
.text C:\Program Files\Messenger\msmsgs.exe[3108] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002F0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3108] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002F001B
.text C:\Program Files\Messenger\msmsgs.exe[3108] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002F002C
.text C:\WINDOWS\Explorer.EXE[3800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[3800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[3800] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0011
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F79
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FC0
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F94
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0036
.text C:\WINDOWS\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FA5
.text C:\WINDOWS\Explorer.EXE[3800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0FAB
.text C:\WINDOWS\Explorer.EXE[3800] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D0FBC
.text C:\WINDOWS\Explorer.EXE[3800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D0FDE
.text C:\WINDOWS\Explorer.EXE[3800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D0000
.text C:\WINDOWS\Explorer.EXE[3800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0FCD
.text C:\WINDOWS\Explorer.EXE[3800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[176] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405995] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[176] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004059CB] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 9FBDBD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\Program Files\Microsoft Plus! Photo Story 2 LE\Res\PlusDME.CHM 499414 bytes
File C:\Program Files\Microsoft Plus! Photo Story 2 LE\Res\PS2TryUI.dll 8967680 bytes executable
File C:\Program Files\Microsoft Plus! Photo Story 2 LE\Res\TrialUI.dll 564224 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\slr.dll.managed_manifest 5587 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\agcore.dll 4510024 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\coreclr.dll 3077968 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\de 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\de\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\de\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\de\mscorrc.dll 10576 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\de\system.resources.dll 10080 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\es 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\es\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\es\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\es\mscorrc.dll 10576 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\es\system.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\fr 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\fr\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\fr\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\fr\mscorrc.dll 10064 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\fr\system.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\it 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\it\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\it\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\it\mscorrc.dll 10064 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\it\system.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ja 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ja\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ja\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ja\mscorrc.dll 10064 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ja\system.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ko 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ko\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ko\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ko\mscorrc.dll 10064 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\ko\system.resources.dll 10080 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\Microsoft.VisualBasic.dll 235368 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\mscorlib.dll 1460048 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\mscorrc.dll 10064 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.1.0.30716.0.dll 876872 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll 876872 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrlui.dll 171856 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\Silverlight.Configuration.exe 282480 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\Silverlight.ConfigurationUI.dll 543096 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.Core.dll 288600 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\system.dll 235336 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.Net.dll 194384 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.Runtime.Serialization.dll 415608 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.ServiceModel.dll 468840 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.ServiceModel.Web.dll 75632 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.Windows.Browser.dll 137064 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.Windows.dll 1062744 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\System.Xml.dll 325456 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hans 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hans\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hans\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hans\mscorrc.dll 9552 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hans\system.resources.dll 9568 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hant 0 bytes
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hant\Microsoft.VisualBasic.resources.dll 10112 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hant\mscorlib.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hant\mscorrc.dll 9552 bytes executable
File C:\Program Files\Microsoft Silverlight\3.0.50106.0\zh-Hant\system.resources.dll 10592 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\cmddefui.dll 471552 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VisualStudio.DesignUI.dll 3072 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VisualStudio.EditorsUI.dll 16384 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VisualStudio.ExportTemplateUI.dll 3584 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VisualStudio.ToolBoxControlInstallerUI.dll 3584 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VisualStudio.Windows.FormsUI.dll 5120 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VisualStudioUI.dll 3072 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\Microsoft.VSDesignerUI.dll 30720 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\msenc80ui.dll 7680 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\msenvui.dll 1150976 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\UpgradeReport.xslt 12276 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\VCExpressmui.dll 491520 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\vslogui.dll 36352 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\vsmsoui.dll 1405952 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\vsslnui.dll 9216 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\1033\VsWizUI.dll 47616 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Brief.vsk 14231 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\cmddef.dll 27648 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\compluslm.dll 257024 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\custsat.dll 33792 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\dbghelp.dll 1038848 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\dteproperties.tlb 27112 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Emacs.vsk 14691 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ExceptionAssistantContent 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ExceptionAssistantContent\1033 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ExceptionAssistantContent\1033\DefaultContent.xml 72907 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\HTML 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\HTML\XMLLinks 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\HTML\XMLLinks\1033 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\HTML\XMLLinks\1033\context.xml 784 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\HTML\XMLLinks\1033\msdntrn.xml 195 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\HTML\XMLLinks\def_ctx.xml 246 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\MakeZipExe.exe 19456 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspSqlEnum.dll 862936 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspSqlTDiagM.dll 43736 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspWmiEnum.dll 43736 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.WizardFramework.dll 126976 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.WizardFrameworkVS.dll 40960 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\msdis150.dll 438272 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\msenc80.dll 107520 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\msenv.dll 9102848 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\msobj80.dll 57856 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\mspdb80.dll 172032 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\mspdbcore.dll 257024 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.Data.Interop.dll 32768 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.Data.xml 348666 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.DataTools.dll 1966080 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.DataTools.Interop.dll 36864 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.Debugger.dll 40960 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.ExportTemplate.dll 167936 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.ImportProjectFolderWizard.Dll 327680 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.Package.LanguageService.xml 310598 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.Shell.Design.xml 145214 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.Shell.xml 299068 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.TemplateWizard.dll 73728 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.ToolBoxControlInstaller.dll 36864 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspBatchParser.dll 352472 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspConnectionInfo.dll 142040 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspGridControl.dll 199384 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspRegSvrEnum.dll 64216 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspServiceBrokerEnum.dll 39640 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Microsoft.VisualStudio.vspSmo.dll 1551064 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PEVerify.exe 67264 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PEVerify.exe.config 181 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ProjectAggregator.dll 24064 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies 0 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\CppCodeProvider.dll 102400 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualC.VSCodeProvider.dll 49152 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.DebuggerVisualizers.dll 49152 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.DebuggerVisualizers.xml 8956 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.TemplateWizardInterface.dll 15872 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.TemplateWizardInterface.xml 12122 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.VCCodeModel.dll 106496 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.VCCodeModel.xml 541391 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.VCProject.dll 12288 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.VCProject.xml 21975 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.VCProjectEngine.dll 139264 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.VCProjectEngine.xml 391623 bytes
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\VsWebSite.Interop.dll 49152 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\RequiredPermissions.dll 192512 bytes executable
File C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\symsrv.dll 115200 bytes executable

---- EOF - GMER 1.0.15 ----


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 June 2010 - 02:56 PM

Ok, let's try to get your computer working right again.
  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Double click on TDSSKiller.exe to run it.
  • If it finds something and asks you what to do, follow the instructions to type in "delete".
  • When done, a log file should be created on your C: drive called TDSSKiller.txt (with time+date appended); please post this log in your next reply.



#11 rabbi79

rabbi79
  • Topic Starter

  • Members
  • 32 posts

Posted 01 June 2010 - 07:00 PM

18:48:17:046 0224 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
18:48:17:046 0224 ================================================================================
18:48:17:046 0224 SystemInfo:

18:48:17:046 0224 OS Version: 5.1.2600 ServicePack: 3.0
18:48:17:046 0224 Product type: Workstation
18:48:17:046 0224 ComputerName: CORY
18:48:17:046 0224 UserName: howkc
18:48:17:046 0224 Windows directory: C:\WINDOWS
18:48:17:046 0224 Processor architecture: Intel x86
18:48:17:046 0224 Number of processors: 1
18:48:17:046 0224 Page size: 0x1000
18:48:17:046 0224 Boot type: Normal boot
18:48:17:046 0224 ================================================================================
18:48:17:484 0224 Initialize success
18:48:17:484 0224
18:48:17:484 0224 Scanning Services ...
18:48:18:515 0224 Raw services enum returned 351 services
18:48:18:531 0224
18:48:18:546 0224 Scanning Drivers ...
18:48:29:562 0224 PCI (3e66c9851558d5dcac6faea20e8eaaa8) C:\WINDOWS\system32\DRIVERS\pci.sys
18:48:29:562 0224 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 3e66c9851558d5dcac6faea20e8eaaa8, Fake md5: a219903ccf74233761d92bef471a07b1
18:48:29:562 0224 File "C:\WINDOWS\system32\DRIVERS\pci.sys" infected by TDSS rootkit ... 18:48:31:406 0224 Backup copy found, using it..
18:48:31:718 0224 will be cured on next reboot
18:48:39:031 0224 Reboot required for cure complete..
18:48:39:640 0224 Cure on reboot scheduled successfully
18:48:39:640 0224
18:48:39:640 0224 Completed
18:48:39:640 0224
18:48:39:640 0224 Results:
18:48:39:640 0224 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:48:39:640 0224 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:48:39:640 0224
18:48:39:656 0224 KLMD(ARK) unloaded successfully
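As an added example (not from the thread and not part of Kaspersky's tool), a small parser for the TDSSKiller log layout posted above: it separates the clean driver enumeration from the one line that matters, the forged-file finding with its two MD5s, and reads the Results counters so a triage script can tell whether a reboot-time cure is still pending. The line format `HH:MM:SS:mmm PID message` and the field names are taken from the posted log; the excerpt embedded below is copied from it.

```python
"""Parse TDSSKiller log lines and surface forged-driver findings.

Added example for this thread; the format is read off the log posted above
(TDSSKiller 2.3.2.0): every line is 'HH:MM:SS:mmm PID message'.
"""
import re
from dataclasses import dataclass

# Excerpt of the TDSSKiller log posted in the thread (copied from it, shortened).
SAMPLE_LOG = r"""
18:48:18:546 0224 Scanning Drivers ...
18:48:19:375 0224 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:48:29:562 0224 PCI (3e66c9851558d5dcac6faea20e8eaaa8) C:\WINDOWS\system32\DRIVERS\pci.sys
18:48:29:562 0224 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 3e66c9851558d5dcac6faea20e8eaaa8, Fake md5: a219903ccf74233761d92bef471a07b1
18:48:29:562 0224 File "C:\WINDOWS\system32\DRIVERS\pci.sys" infected by TDSS rootkit ... 18:48:31:406 0224 Backup copy found, using it..
18:48:31:718 0224 will be cured on next reboot
18:48:31:890 0224 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:48:39:640 0224 Results:
18:48:39:640 0224 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:48:39:640 0224 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d{4})\s+(.*)$")
# Clean enumeration line: '<ServiceName> (<md5>) <path>'
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# The finding: the same file reported with two different hashes.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"
)
INFECTED_RE = re.compile(r'^File "(.+?)" infected by (.+?) \.\.\.')
RESULTS_RE = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$"
)


@dataclass
class Finding:
    path: str
    real_md5: str
    fake_md5: str
    infected_by: str = ""
    cure_scheduled: bool = False


@dataclass
class Report:
    drivers: dict   # service name -> (md5, path)
    findings: list  # Finding objects, in log order
    results: dict   # 'Registry' / 'File' -> (infected, cured, cured_on_reboot)


def parse_tdsskiller_log(text: str) -> Report:
    report = Report(drivers={}, findings=[], results={})
    current = None  # forged-file finding that the following lines refer to
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and lines with an empty message
        msg = m.group(3)
        d = DRIVER_RE.match(msg)
        if d:
            report.drivers[d.group(1)] = (d.group(2), d.group(3))
            continue
        f = FORGED_RE.match(msg)
        if f:
            current = Finding(path=f.group(1), real_md5=f.group(2), fake_md5=f.group(3))
            report.findings.append(current)
            continue
        i = INFECTED_RE.match(msg)
        if i and current is not None and i.group(1) == current.path:
            current.infected_by = i.group(2)
            continue
        if msg.startswith("will be cured on next reboot") and current is not None:
            current.cure_scheduled = True
            continue
        r = RESULTS_RE.match(msg)
        if r:
            report.results[r.group(1)] = tuple(int(x) for x in r.group(2, 3, 4))
    return report


def triage(report: Report) -> dict:
    """Condense a parsed log into what an analyst checks first."""
    pending = any(counts[2] > 0 for counts in report.results.values())
    return {
        "drivers_enumerated": len(report.drivers),
        "forged": [f.path for f in report.findings],
        "reboot_required": pending or any(f.cure_scheduled for f in report.findings),
    }


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for f in rep.findings:
        # Note: the hash in the enumeration line equals the 'Real' md5, so the
        # plain driver list alone would not have shown anything wrong with pci.sys.
        print(f"{f.path}: real={f.real_md5} fake={f.fake_md5} ({f.infected_by})")
    print(triage(rep))
```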


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 02 June 2010 - 02:20 AM

It looks like that has taken care of it; your computer should be running better now. Please let me know how it's running and post a new OTL log, thanks.



#13 rabbi79

rabbi79
  • Topic Starter

  • Members
  • 32 posts

Posted 02 June 2010 - 01:00 PM

It appears to be running properly again. I am no longer getting the popups, the "odd" folders that I found are no longer there, and cookies are being deleted with on-access scan from the proper locations again at CORY/howkc instead of NT AUTHORITY/SYSTEM. Here is the new OTL log:

OTL logfile created on: 6/2/2010 12:44:13 PM - Run 3
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\howkc\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 291.00 Mb Available Physical Memory | 58.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.20 Gb Total Space | 9.95 Gb Free Space | 29.10% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CORY
Current User Name: howkc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
PRC - [2010/03/13 11:13:21 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/10/22 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/10/22 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/10/22 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
PRC - [2009/08/25 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/25 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/09 23:19:34 | 000,393,216 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2003/10/29 02:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/10/22 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/08/25 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2009/10/22 20:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/10/22 20:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/10/22 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/10/22 20:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/10/22 20:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/10/22 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/11/29 04:36:56 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/11/02 19:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/09/09 23:15:32 | 001,032,472 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/05 03:32:16 | 000,045,312 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/22 03:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 03:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 03:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/09 10:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2)
DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cymail.iastate.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/13 11:16:14 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/04/10 17:07:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe (OLYMPUS IMAGING CORP.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\howkc\Start Menu\Programs\Startup\MiKTeX [2006/05/02 23:28:53 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.186.1.200 129.186.78.200 129.186.142.200
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\howkc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\howkc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell - "" = AutoRun
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2c29e798-f98c-11de-b044-001422a6c072}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/31 10:41:12 | 000,998,736 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\howkc\Desktop\TDSSKiller.exe
[2010/05/28 14:15:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/28 08:57:07 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
[2010/05/26 01:50:36 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\howkc\Desktop\HijackThis.exe
[2010/05/25 00:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/25 00:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/19 23:28:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\howkc\My Documents\cancer modeling - UI
[2010/05/12 18:37:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\howkc\My Documents\baby stuff
[2007/02/25 22:41:42 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL

========== Files - Modified Within 30 Days ==========

[2010/06/02 12:38:28 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/06/02 12:38:27 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/06/02 12:23:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/02 12:22:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/02 12:22:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/02 12:22:48 | 527,892,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/01 19:01:04 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\howkc\NTUSER.DAT
[2010/06/01 19:00:53 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\howkc\ntuser.ini
[2010/05/31 21:03:10 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\howkc\Desktop\vjx7pszc.exe
[2010/05/31 10:41:12 | 000,998,736 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\howkc\Desktop\TDSSKiller.exe
[2010/05/28 14:46:50 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\howkc\Desktop\mbr.exe
[2010/05/28 08:57:21 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\howkc\Desktop\OTL.exe
[2010/05/26 01:50:39 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\howkc\Desktop\HijackThis.exe
[2010/05/25 22:52:49 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/21 17:52:40 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\howkc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/18 18:28:41 | 004,207,861 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\AHPC_differentiation_31910_singlespaced-DS.pdf
[2010/05/15 20:29:07 | 000,006,536 | ---- | M] () -- C:\Documents and Settings\howkc\My Documents\SnoodPrf.21W
[2010/05/13 00:16:24 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/12 19:46:50 | 000,056,720 | ---- | M] () -- C:\Documents and Settings\howkc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

========== Files Created - No Company Name ==========

[2010/05/31 21:03:01 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\howkc\Desktop\vjx7pszc.exe
[2010/05/28 14:46:48 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\howkc\Desktop\mbr.exe
[2010/05/18 18:28:21 | 004,207,861 | ---- | C] () -- C:\Documents and Settings\howkc\My Documents\AHPC_differentiation_31910_singlespaced-DS.pdf
[2010/05/16 17:16:23 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3240608773-437346229-4036777959-1005.job
[2010/05/13 00:16:24 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/13 00:16:24 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/11/01 02:18:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
[2008/11/01 00:07:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2008/04/09 18:56:39 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2008/02/20 01:27:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Netscape.INI
[2007/02/25 22:41:41 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2006/09/07 11:36:57 | 000,002,583 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/08/22 18:28:08 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\E8D44DD248.sys
[2006/08/17 00:56:33 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/17 00:56:33 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\48D24DD4E8.sys
[2006/05/09 14:26:21 | 000,000,157 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2006/05/02 20:31:58 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\maplec.dll
[2006/05/02 20:22:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/02 19:14:33 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/04/22 06:01:22 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/22 05:46:34 | 000,000,184 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/22 05:12:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/04/22 05:12:12 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/04/22 05:12:02 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/05/12 09:25:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/27 07:13:54 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2004/01/27 07:13:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 14:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
< End of report >

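Added example, not code from OTL or from anyone in this thread: a small Python triage that parses the OTL `[date | size | attrs | C/M] (Company) -- path` file lines shown above and flags entries under service-account profiles (NetworkService/LocalService), which is exactly the anomaly this thread turned on (Flash Player data created under NetworkService at 2010/05/25 00:15 while svchost.exe was scrubbing cookies), plus entries created within a few minutes of that incident time. The Vista+ `ServiceProfiles` path is an assumption beyond this XP log, the function names are mine, and the sample lines are constructed from the log above.

```python
"""Triage OTL 'Files/Folders - Created/Modified' lines for service-profile artifacts."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One OTL file/folder line, for example:
# [2010/05/25 00:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
# [2010/05/31 10:41:12 | 000,998,736 | ---- | C] (Kaspersky Lab) -- C:\...\TDSSKiller.exe
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

# Profiles belonging to service accounts. Browser/Flash data under these means a
# service process (svchost.exe in this thread) was rendering web content, which
# a service never does on its own. The ServiceProfiles path is an assumption
# (Vista and later); the XP path is the one that appears in the log.
SERVICE_PROFILE_RE = re.compile(
    r"^[A-Z]:\\(?:Documents and Settings|Windows\\ServiceProfiles)\\"
    r"(?:NetworkService|LocalService)\\",
    re.IGNORECASE,
)

@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str       # 'C' = created, 'M' = modified
    company: str    # '' when OTL printed no publisher (including the '( )' form)
    path: str
    is_dir: bool

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file line; return None for headers, blanks and other output."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
        is_dir="D" in m["attrs"],
    )

def parse_otl_section(text: str) -> List[OtlEntry]:
    """Parse every file line in an OTL section, skipping everything else."""
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]

def service_profile_hits(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Entries living under a service-account profile: a service was 'browsing'."""
    return [e for e in entries if SERVICE_PROFILE_RE.match(e.path)]

def near_incident(entries: List[OtlEntry], incident: str, window_minutes: int = 5) -> List[OtlEntry]:
    """Timeline pivot: entries stamped within +/- window_minutes of the incident time."""
    pivot = datetime.strptime(incident, "%Y/%m/%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    return [e for e in entries if abs(e.timestamp - pivot) <= window]

# Constructed sample: a few lines copied from the thread's OTL log, plus a header.
SAMPLE_OTL = r"""========== Files/Folders - Created Within 30 Days ==========

[2010/05/31 10:41:12 | 000,998,736 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\howkc\Desktop\TDSSKiller.exe
[2010/05/28 14:15:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/25 00:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/25 00:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2007/02/25 22:41:42 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
"""

if __name__ == "__main__":
    entries = parse_otl_section(SAMPLE_OTL)
    print("service-profile artifacts:")
    for e in service_profile_hits(entries):
        print(f"  {e.timestamp}  {e.path}")
    print("created within 5 min of 2010/05/25 00:15:00:")
    for e in near_incident(entries, "2010/05/25 00:15:00"):
        print(f"  {e.timestamp}  {e.path}")
```

Run it against the full "Files/Folders - Created" and "Files - Modified" sections of a real OTL log; the two NetworkService folders and anything stamped within the same minute are the entries worth asking the poster about.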

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:05 PM

Posted 02 June 2010 - 10:40 PM

That's looking better to me, let's do one more check to make sure there is nothing else lurking.

Please run a BitDefender Online Scan

Note: Only works with internet explorer
  • Click on the Start Scanner button.
  • Check I Agree to agree to the EULA, then click start here.
  • Allow the ActiveX control to install when prompted.
  • Click Start scan to begin scanning.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on more details, then click the detected problems tab and click, click here to export the scan report.
  • Save the report to your desktop as results.txt and post it in your next reply.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • Bitdefender report
  • New HijackThis log

Thanks



#15 rabbi79

rabbi79
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 03 June 2010 - 11:00 AM

I went to bitdefender, clicked start scanner, agreed to the EULA, clicked start, then: the first time I did this, I clicked the bar to allow ActiveX and got the message that Dr Watson Postmortem Debugger has encountered a problem and needs to close. We are sorry for the inconvenience. The second time I did this, I got the message that Internet Explorer has closed this webpage to help protect your computer. A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage.

Here is the HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:55:51 AM, on 6/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\howkc\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cymail.iastate.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - Startup: MiKTeX
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7461 bytes




