
Malware hijacks browser; blocks network & help


This topic is locked
11 replies to this topic

#1 thomas2345

  • Members
  • 9 posts

Posted 30 May 2010 - 04:10 PM

These services were off after attempting to fix the browser hijack and rebooting:
• DHCP client
• Remote Procedure Call Locater
• error reporting
• Help and Support (Tried to use these when network wouldn’t work)
• QOS RSVP
• Remote Desktop Help Session Manager
• Removable Storage
• Secondary Logon
• Themes (After re-boot, default visual themes are applied, rather than user’s.)
When I manually start these services in the console, everything works again and the browser hijack remains. This is the hijack: when clicking on a link in Google search results, the user is taken to various "search" locations rather than the destination requested.

I have followed your instructions for posting except for the GMER run and log. GMER blue screens the infected machine.
Blue screen error message:
“Stop 0000145: {application error}
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.”
This occurred with and without the virtual CD driver enabled. On the last attempt, GMER ran for several hours without completing the scan before the blue screen occurred. This is a 500 gigabyte drive with plenty of free space.

Here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 21:10:15.96 on Sat 05/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.937 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB0.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.maidmarion.com/MOONBASE.htm"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DelReg] c:\program files\msi\overclockingcenter\DelReg.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache group\apache2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241419376926
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241419619364
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.33/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-3 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-3 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-3 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-3 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-3 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-3 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-3 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 gupdate1ca1c6f80aa25e4;Google Update Service (gupdate1ca1c6f80aa25e4);c:\program files\google\update\GoogleUpdate.exe [2009-8-13 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [2010-2-28 1684736]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\envy24hf.sys [2007-11-30 651712]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-3 34248]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\saih0461.sys [2009-5-7 182528]

=============== Created Last 30 ================

2010-05-30 02:40:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-30 02:40:30 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-30 02:40:30 0 d-----w- c:\docume~1\tom\applic~1\SUPERAntiSpyware.com
2010-05-24 22:44:14 0 d-s---w- C:\ComboFix
2010-05-24 21:52:27 887328 ----a-w- c:\windows\system32\RTSndMgr.CPL
2010-05-24 21:51:51 1251872 ----a-w- c:\windows\RtlExUpd.dll
2010-05-24 21:45:47 0 d-----w- c:\program files\CCleaner
2010-05-23 01:45:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 01:45:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-22 23:00:28 452 --sha-r- c:\documents and settings\tom\ntuser.pol
2010-05-22 22:58:42 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-22 21:53:29 0 d-----w- c:\windows\system32\NtmsData
2010-05-19 23:34:09 129784 ------w- c:\windows\system32\pxafs.dll
2010-05-15 17:45:23 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-15 17:08:49 174 ----a-w- c:\windows\system32\MRT.INI
2010-05-09 00:56:54 0 d-----w- c:\program files\Algodoo
2010-05-05 23:02:30 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:02:30 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:02:29 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-05 23:02:29 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-05 23:02:27 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:02:27 8192 ----a-w- c:\windows\system32\drivers\changer.sys

==================== Find3M ====================

2010-05-01 00:22:46 358944 ----a-w- c:\windows\vncutil.exe
2010-05-01 00:22:40 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-05-01 00:22:34 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-05-01 00:22:34 19523616 ----a-w- c:\windows\RTHDCPL.EXE
2010-05-01 00:22:28 2177568 ----a-w- c:\windows\MicCal.exe
2010-04-30 23:56:24 6032928 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 00:11:22 41872 ----a-w- c:\windows\system32\xfcodec.dll

============= FINISH: 21:11:25.39 ===============


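An added check, not part of the thread: a PowerShell snippet that audits the run state and configured start mode of the services listed in the first post, so a stopped or disabled one shows up without opening the Services console. The short service names are my assumed mapping from the display names on a standard Windows XP install, and the path check is an extra sanity check the thread did not ask for.

```powershell
# Added example, not from the thread. Audits the services the original poster
# found stopped; the short names are my assumed mapping to the XP display names.
$expected = @{
    'Dhcp'       = 'DHCP Client'
    'RpcLocator' = 'Remote Procedure Call (RPC) Locator'
    'ERSvc'      = 'Error Reporting Service'
    'helpsvc'    = 'Help and Support'
    'RSVP'       = 'QoS RSVP'
    'RDSessMgr'  = 'Remote Desktop Help Session Manager'
    'NtmsSvc'    = 'Removable Storage'
    'seclogon'   = 'Secondary Logon'
    'Themes'     = 'Themes'
}

foreach ($name in ($expected.Keys | Sort-Object)) {
    # Win32_Service exposes both the current state and the configured start
    # mode, so a service set to Disabled is reported even when it is merely stopped.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Output ("{0,-12} MISSING   service not registered ({1})" -f $name, $expected[$name])
        continue
    }
    $flags = @()
    if ($svc.State -ne 'Running')      { $flags += 'not running' }
    if ($svc.StartMode -eq 'Disabled') { $flags += 'start mode disabled' }
    # Every service in this list ships with Windows and runs from %SystemRoot%;
    # a binary anywhere else is worth a second look in the logs already posted.
    if ($svc.PathName.Trim('"') -notlike "$env:SystemRoot\*") {
        $flags += 'unexpected path: ' + $svc.PathName
    }
    Write-Output ("{0,-12} {1,-9} {2,-9} {3}" -f $name, $svc.State, $svc.StartMode, ($flags -join '; '))
}
```

Run it from an administrator account; any line flagged "not running" or "start mode disabled" corresponds to the symptom list in the first post.
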
#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 June 2010 - 03:41 PM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have
since resolved your issues, I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 thomas2345

  • Topic Starter

  • Members
  • 9 posts

Posted 02 June 2010 - 06:56 PM

Hello Syler,

I've pasted the OTL reports below. FYI, I was finally able to complete a GMER scan by stopping some processes that for some reason were maxing out the processors when GMER was running. I've pasted the resulting GMER log below the other two reports.

I would have replied sooner but the automatic email notification didn't work. I'll re-check the settings when I finish here.

Thanks for your help.

Tom

OTL logfile created on: 6/2/2010 4:39:57 PM - Run 1
OTL by OldTimer - Version 3.2.5.2 Folder = C:\Documents and Settings\Tom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 317.55 Gb Free Space | 68.18% Space Free | Partition Type: NTFS
Drive D: | 641.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 7.50 Gb Total Space | 7.45 Gb Free Space | 99.33% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PETERS_PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/01 14:04:26 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
PRC - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/17 14:29:04 | 000,806,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/08 22:56:42 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/02/23 19:43:12 | 000,576,000 | ---- | M] (MagicISO, Inc.) -- C:\Program Files\MagicDisc\MagicDisc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/17 22:59:58 | 000,041,042 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
PRC - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\Apache2\bin\Apache.exe


========== Modules (SafeList) ==========

MOD - [2010/06/01 14:04:26 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
MOD - [2009/12/08 14:12:24 | 000,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/02/08 13:55:48 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/08/15 06:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Apache Group\Apache2\bin\Apache.exe -- (Apache2)


========== Driver Services (SafeList) ==========

DRV - [2010/04/30 16:56:24 | 006,032,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/01/11 21:03:33 | 010,276,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/10/12 21:24:56 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/12 21:24:54 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/12 21:24:52 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/25 00:21:28 | 000,142,336 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtnicxp.sys -- (RTL8023xp)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/08/05 05:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ambfilt.sys -- (Ambfilt)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/04/13 11:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/30 22:18:42 | 000,651,712 | ---- | M] (VIA - IC Ensemble, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\envy24hf.sys -- (Envy24HFS)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/08/08 10:25:06 | 000,182,528 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\saih0461.sys -- (SaiH0461)
DRV - [2006/01/04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (Monfilt)
DRV - [2004/08/03 22:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/04/14 12:08:00 | 000,044,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2004/04/14 12:08:00 | 000,021,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmfilter.sys -- (WmFilter)
DRV - [2004/04/14 12:08:00 | 000,014,432 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmhidlo.sys -- (WmHidLo)
DRV - [2004/04/14 12:08:00 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2004/04/14 12:08:00 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmvirhid.sys -- (WmVirHid)
DRV - [2003/10/15 17:52:50 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/24 15:23:48 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/05/24 13:44:40 | 000,395,774 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 13666 more lines...
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DelReg] C:\Program Files\MSI\OverclockingCenter\DelReg.exe ()
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe (Apache Software Foundation)
O4 - Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1241419376926 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1241419619364 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://a.download.toontown.com/sv1.0.38.33/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/03 22:48:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/27 01:47:12 | 000,000,000 | R--D | M] - D:\AutoRun -- [ CDFS ]
O32 - AutoRun File - [2003/08/27 01:47:12 | 000,000,059 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{d5f6c01c-0c6b-11df-bb07-0015f2361e73}\Shell\AutoRun\command - "" = I:\MI.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/05/03 14:34:54 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XFR1 - C:\WINDOWS\System32\xfcodec.dll ()
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/06/02 16:35:31 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2010/05/29 19:40:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/29 19:40:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Application Data\SUPERAntiSpyware.com
[2010/05/29 19:40:30 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/24 15:44:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/24 15:44:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/24 15:44:14 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/05/24 15:42:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/24 14:56:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tom\Recent
[2010/05/24 14:52:27 | 000,887,328 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTSndMgr.CPL
[2010/05/24 14:51:51 | 001,251,872 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlExUpd.dll
[2010/05/24 14:45:47 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/22 18:45:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/22 18:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/22 15:58:42 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/05/22 14:53:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/05/22 14:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/22 14:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/05/19 19:23:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/19 19:23:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/19 16:34:10 | 000,072,440 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxhpinst.exe
[2010/05/19 16:34:09 | 001,628,920 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxsfs.dll
[2010/05/19 16:34:09 | 000,547,576 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\px.dll
[2010/05/19 16:34:09 | 000,510,712 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxdrv.dll
[2010/05/19 16:34:09 | 000,379,640 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxwave.dll
[2010/05/19 16:34:09 | 000,187,128 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxmas.dll
[2010/05/19 16:34:09 | 000,129,784 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxafs.dll
[2010/05/19 16:34:09 | 000,039,672 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\vxblock.dll
[2010/05/15 11:57:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/05/15 10:45:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/08 17:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\My Documents\Algodoo
[2010/05/08 17:56:54 | 000,000,000 | ---D | C] -- C:\Program Files\Algodoo
[2010/05/05 16:09:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/05 16:09:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 16:02:30 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/05/05 16:02:30 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/05/05 16:02:29 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/05/05 16:02:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Local Settings\Application Data\qosrsaufl
[2010/05/05 16:02:27 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/05/05 16:02:27 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2004/11/16 09:29:28 | 000,254,000 | ---- | C] ( ) -- C:\WINDOWS\System32\Audio3D.dll
[2004/11/16 09:29:28 | 000,254,000 | ---- | C] ( ) -- C:\WINDOWS\System32\A3D.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/02 16:34:49 | 000,267,725 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/02 16:34:29 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/02 16:23:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/01 14:04:26 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2010/05/31 15:52:02 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/31 15:52:02 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/31 15:52:02 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/31 15:29:37 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Tom\NTUSER.DAT
[2010/05/29 21:54:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Tom\defogger_reenable
[2010/05/29 21:53:41 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Defogger.exe
[2010/05/29 21:49:25 | 000,032,155 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/29 21:13:48 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\gmer.zip
[2010/05/29 21:07:45 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\dds.scr
[2010/05/29 19:40:32 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/24 15:06:47 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tom\ntuser.ini
[2010/05/24 13:44:40 | 000,395,774 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/22 16:00:30 | 000,000,452 | RHS- | M] () -- C:\Documents and Settings\Tom\ntuser.pol
[2010/05/22 13:09:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/22 12:49:54 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/22 08:47:40 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/22 08:11:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/19 19:23:42 | 000,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/19 18:17:03 | 083,160,378 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0061.MOV
[2010/05/19 18:17:02 | 073,368,960 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0063.MOV
[2010/05/19 17:56:48 | 039,515,513 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0060.MOV
[2010/05/19 17:56:48 | 028,024,706 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0059.MOV
[2010/05/19 17:34:01 | 010,306,243 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0055.MOV
[2010/05/19 17:11:06 | 015,713,098 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0054.MOV
[2010/05/19 17:11:05 | 019,508,001 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0053.MOV
[2010/05/19 17:02:01 | 000,011,285 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\Lizzy.docx
[2010/05/19 16:33:01 | 000,379,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxwave.dll
[2010/05/19 16:33:01 | 000,187,128 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxmas.dll
[2010/05/19 16:32:59 | 000,072,440 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxhpinst.exe
[2010/05/19 16:32:58 | 001,628,920 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxsfs.dll
[2010/05/19 16:32:57 | 000,129,784 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxafs.dll
[2010/05/19 16:32:56 | 000,510,712 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxdrv.dll
[2010/05/19 16:32:55 | 000,547,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\px.dll
[2010/05/19 16:32:55 | 000,039,672 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\vxblock.dll
[2010/05/19 15:12:40 | 045,854,902 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\peters pics. only!!!!! 336.mov
[2010/05/16 22:10:45 | 002,112,268 | -H-- | M] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\IconCache.db
[2010/05/15 10:08:49 | 000,000,174 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/05 16:08:39 | 000,010,559 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\luvina.docx
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/31 10:30:16 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\gmer.exe
[2010/05/29 21:54:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tom\defogger_reenable
[2010/05/29 21:53:41 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\Defogger.exe
[2010/05/29 21:13:46 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\gmer.zip
[2010/05/29 21:10:03 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\dds.scr
[2010/05/29 19:40:32 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/22 19:21:53 | 000,197,144 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/22 16:00:28 | 000,000,452 | RHS- | C] () -- C:\Documents and Settings\Tom\ntuser.pol
[2010/05/19 18:16:45 | 083,160,378 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0061.MOV
[2010/05/19 18:16:34 | 073,368,960 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0063.MOV
[2010/05/19 17:56:29 | 039,515,513 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0060.MOV
[2010/05/19 17:56:25 | 028,024,706 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0059.MOV
[2010/05/19 17:33:54 | 010,306,243 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0055.MOV
[2010/05/19 17:11:00 | 015,713,098 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0054.MOV
[2010/05/19 17:10:57 | 019,508,001 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0053.MOV
[2010/05/19 16:59:07 | 000,011,285 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\Lizzy.docx
[2010/05/15 10:08:49 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/05 16:03:31 | 000,010,559 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\luvina.docx
[2010/03/04 17:11:22 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/02/27 18:06:54 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2009/05/07 15:40:29 | 001,126,400 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461.Dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_10.dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0C.dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0A.dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_07.dll
[2009/05/07 15:40:29 | 000,006,656 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_09.dll
[2009/05/07 15:40:29 | 000,006,656 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0402.dll
[2009/03/03 12:18:04 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/05/03 14:38:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/05/03 14:38:08 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/05/03 14:38:08 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

OTL Extras logfile created on: 6/2/2010 4:39:57 PM - Run 1
OTL by OldTimer - Version 3.2.5.2 Folder = C:\Documents and Settings\Tom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 317.55 Gb Free Space | 68.18% Space Free | Partition Type: NTFS
Drive D: | 641.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 7.50 Gb Total Space | 7.45 Gb Free Space | 99.33% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PETERS_PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS4 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51000:TCP" = 51000:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51001:TCP" = 51001:TCP:*:Enabled:Adobe Version Cue CS4 Server
"1625:UDP" = 1625:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"1624:UDP" = 1624:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"1630:UDP" = 1630:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\LucasArts\Star Wars Empire at War\GameData\fpupdate.exe" = C:\Program Files\LucasArts\Star Wars Empire at War\GameData\fpupdate.exe:*:Enabled:fpupdate -- ()
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:*:Enabled:Adobe Version Cue CS4 Server -- (Adobe Systems Incorporated)
"C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe" = C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:*:Enabled:Star Wars™: Empire at War™: Forces of Corruption™ -- (Lucasfilm Entertainment Company, Ltd.)
"C:\Program Files\Firefly Studios\CivCity Rome\CivCity Rome.exe" = C:\Program Files\Firefly Studios\CivCity Rome\CivCity Rome.exe:*:Disabled:CivCity Rome -- (Firefly Studios US)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{03DEEAD2-F3B7-45BF-9006-A25D015F00D2}" = Adobe Flash Player 10 Plugin
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{083E277B-7976-4C5A-894E-C84A0966F14A}" = Adobe Setup
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14F70205-1940-4000-88C7-BE799A6B2CAD}" = Adobe Soundbooth CS4
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1B7C06E1-4888-47A6-992A-0990B9683486}" = Adobe Version Cue CS4 Server
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 19
"{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}" = Adobe CS4 American English Speech Analysis Models
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3A862C7D-0504-48BC-AEF8-7F7479C7C158}" = Apache HTTP Server 2.0.63
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E4B349F-10B5-4586-9D99-489A90A8B228}" = Sid Meier's Civilization 4 - Warlords
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{428FDF9F-E010-4C4C-A8BB-156960AFCA1C}" = Adobe Fireworks CS4
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets
"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{52232EF4-CC12-4C21-ABCF-ADB79618302D}" = Adobe Soundbooth CS4 Codecs
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{5EAD5443-7194-46CC-A055-428E6ABB1BAF}" = Adobe Encore CS4
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}" = Adobe Creative Suite 4 Master Collection
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6592FDEC-2C1A-413A-9985-25FEC2F0848D}" = Star Wars Empire at War Forces of Corruption
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2
"{7406DF60-016D-476B-A2C7-55D997592047}" = Adobe OnLocation CS4
"{76F4DD9B-C246-4BE0-00B6-3DE9ABF72299}" = Need For Speed Hot Pursuit 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{770A50A7-C6FA-3FF2-6F83-02DA56FF85F0}" = iTunesExport
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{819E24AA-DB15-4BA8-8D76-92BDF710610B}" = Adobe Setup
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{994E24A6-EC47-4201-8D0B-D4563B7AD66B}" = CivCity
"{996F1BF8-D7BB-40A1-80E3-13DF6C2866F0}" = American Civil War Gettysburg
"{99AE7207-8612-4DBA-A8F8-BAE5C633390D}" = Star Wars Empire at War
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6EC82A0-1414-475D-8AFD-469089F3080D}" = Adobe Contribute CS4
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A7A34FC9-DF24-4A36-00AD-D4EFE94CC116}" = SimCity 4 Deluxe
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{AFD9E698-03C2-4E88-80A6-1496562D4304}" = Google SketchUp 7.1
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4
"{B169BC97-B8AA-4ACA-9CF2-9D0FF5BABDF7}" = Adobe Premiere Pro CS4 Functional Content
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B5408C28-8D1F-4D65-AA49-02FBD56136FF}" = WolfQuest
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B9242864-2841-4ADE-86E0-8F90F91B04DD}" = Logitech Gaming Software
"{B9F4561A-924D-4510-A85A-BB0960C338CB}" = Adobe Asset Services CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C938BE91-3BB5-4B84-9EF6-88F0505D0038}" = Adobe Premiere Pro CS4 Third Party Content
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D0E5A0E6-5947-4F21-B8AE-5129D153083B}" = ActivePerl 5.8.8 Build 822
"{D499F8DE-3F31-4900-9157-61061613704B}" = Adobe Premiere Pro CS4
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}" = Adobe Setup
"{EE353798-E875-42E0-B58D-7E6696182EA8}" = Adobe Media Encoder CS4 Dolby
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ActiveWorlds 4.2" = ActiveWorlds 4.2
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_6e02d32c7e5a9d9fc86bc91618cafda" = Adobe Premiere Pro CS4 Third Party Content
"Adobe_9f42804f89f9a287eff5269cd426478" = Adobe Soundbooth CS4 Codecs
"Adobe_d2f336b2c5feeb945c28b7a0a45170f" = Adobe Creative Suite 4 Master Collection
"Algodoo_is1" = Algodoo v1.7.1
"CCleaner" = CCleaner
"CoC" = Call of Combat
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"CopyTrans Suite" = CopyTrans Suite Remove Only
"Disney's Toontown Online" = Disney's Toontown Online
"FlightSim_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
"HyperCam 2" = HyperCam 2
"ie8" = Windows Internet Explorer 8
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"Liveupdate4_is1" = Liveupdate4
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OverclockingCenter_is1" = OverclockingCenter
"Phun_is1" = Algodoo Phun edition v5.28
"RTMshadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X
"ShakeCast" = USGS ShakeCast (remove only)
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Sony Eyetoy Webcam" = Sony Eyetoy Webcam
"SP1_9527A496-5DF9-412A-ADC7-168BA5379CA6" = Microsoft Flight Simulator X Service Pack 1
"SP1shadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X Service Pack 1
"SystemRequirementsLab" = System Requirements Lab
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"Zoo Tycoon 1.0" = Zoo Tycoon: Complete Collection

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1214440339-1606980848-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Call of Combat Lobby" = Call of Combat Lobby

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/2/2010 7:25:52 PM | Computer Name = PETERS_PC | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041D from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/2/2010 7:25:52 PM | Computer Name = PETERS_PC | Source = COM+ | ID = 135894
Description = A condition has occurred that indicates this COM+ application is in
an unstable state or is not functioning correctly. Assertion Failure: SUCCEEDED(hr)

Server
Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235} Server Application Instance
ID: {0036D0DA-1A8D-4520-9F1F-9FB6EEB4F214} Server Application Name: System Application
The
serious nature of this error has caused the process to terminate. Error Code = 0x8000ffff
: Catastrophic failure COM+ Services Internals Information: File: f:\xpsp3\com\com1x\src\comsvcs\tracker\trksvr\trksvrimpl.cpp,
Line: 3000 Comsvcs.dll file version: ENU 2001.12.4414.702 s

Error - 6/2/2010 7:25:57 PM | Computer Name = PETERS_PC | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041D from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/2/2010 7:25:57 PM | Computer Name = PETERS_PC | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041D from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/2/2010 7:25:57 PM | Computer Name = PETERS_PC | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\events\lcedisp.cpp(131),
hr = 80040206: Failed to CoCreate EventSystem objec

Error - 6/2/2010 7:25:58 PM | Computer Name = PETERS_PC | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041D from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/2/2010 7:25:58 PM | Computer Name = PETERS_PC | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041D from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/2/2010 7:25:58 PM | Computer Name = PETERS_PC | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041D from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/2/2010 7:25:58 PM | Computer Name = PETERS_PC | Source = COM+ | ID = 135894
Description = A condition has occurred that indicates this COM+ application is in
an unstable state or is not functioning correctly. Assertion Failure: SUCCEEDED(hr)

Server
Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235} Server Application Instance
ID: {1815774B-5952-4F08-BF96-D7A05FA062C0} Server Application Name: System Application
The
serious nature of this error has caused the process to terminate. Error Code = 0x8000ffff
: Catastrophic failure COM+ Services Internals Information: File: f:\xpsp3\com\com1x\src\comsvcs\tracker\trksvr\trksvrimpl.cpp,
Line: 3000 Comsvcs.dll file version: ENU 2001.12.4414.702 s

Error - 6/2/2010 7:38:23 PM | Computer Name = PETERS_PC | Source = Google Update | ID = 20
Description =

[ OSession Events ]
Error - 10/5/2009 7:59:40 PM | Computer Name = PETERS_PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2073
seconds with 960 seconds of active time. This session ended with a crash.

Error - 12/4/2009 2:02:46 AM | Computer Name = PETERS_PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1241
seconds with 300 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 6/2/2010 7:34:48 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/2/2010 7:34:55 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 6/2/2010 7:36:26 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/2/2010 7:36:26 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/2/2010 7:38:24 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/2/2010 7:38:26 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/2/2010 7:38:26 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/2/2010 7:38:59 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 6/2/2010 7:40:27 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/2/2010 7:40:27 PM | Computer Name = PETERS_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}


< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-31 20:47:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\kwliapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA847878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8478821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8478738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA847874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8478835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8478861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA84788CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA84788B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA84787CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA84788FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA847880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8478710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8478724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA847879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA8478937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA84788A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA847888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA847884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA8478923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA847890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8478776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8478762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8478877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA84787F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA84788E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA84787E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA84787B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP A84787B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A847878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP A84787CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP A84787E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP A84787A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP A8478714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP A8478728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP A8478766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A8478750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP A847873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP A847877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP A84787FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EC 7 Bytes JMP A8478891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP A847887B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622064 2 Bytes JMP A84788E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey + 3 80622067 4 Bytes [E5, 27, 90, 90] {IN EAX, 0x27; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622916 7 Bytes JMP A84788A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP A847884F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP A8478825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP A8478839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP A8478865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 7 Bytes JMP A84788D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062427E 7 Bytes JMP A84788BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP A8478811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EE8 7 Bytes JMP A847893B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806251A8 5 Bytes JMP A8478913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062589C 5 Bytes JMP A8478927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806259B6 5 Bytes JMP A84788FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xB85AD114]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB189B380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012D004F
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012D0034
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012D0F5A
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012D0F6B
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012D0FA1
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012D0F1D
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012D0F2E
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012D0EEA
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012D0EFB
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012D00A8
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012D0F86
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012D0FDE
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012D0F3F
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012D0FBC
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012D0FCD
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012D0F0C
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012C0051
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012C0087
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012C0036
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012C001B
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012C006C
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012C000A
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 012C0FCA
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 89]
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012C0FDB
.text C:\WINDOWS\system32\services.exe[792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012B003D
.text C:\WINDOWS\system32\services.exe[792] msvcrt.dll!system 77C293C7 5 Bytes JMP 012B002C
.text C:\WINDOWS\system32\services.exe[792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012B0FC6
.text C:\WINDOWS\system32\services.exe[792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012B0FEF
.text C:\WINDOWS\system32\services.exe[792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012B001B
.text C:\WINDOWS\system32\services.exe[792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012B0000
.text C:\WINDOWS\system32\services.exe[792] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[792] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[792] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\services.exe[792] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\services.exe[792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 012A0FEF
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01080F92
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01080FA3
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01080087
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0108006C
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01080047
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01080F64
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01080F75
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010800C7
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01080F2E
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010800D8
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01080FCA
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01080FE5
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010800AC
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01080036
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01080025
.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01080F49
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070FB9
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01070F72
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0107000A
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01070FD4
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0107002F
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070FEF
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01070F8D
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 89]
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01070FA8
.text C:\WINDOWS\system32\lsass.exe[804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060055
.text C:\WINDOWS\system32\lsass.exe[804] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060FCA
.text C:\WINDOWS\system32\lsass.exe[804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060FE5
.text C:\WINDOWS\system32\lsass.exe[804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\lsass.exe[804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0106003A
.text C:\WINDOWS\system32\lsass.exe[804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0106001D
.text C:\WINDOWS\system32\lsass.exe[804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\lsass.exe[804] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\lsass.exe[804] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\lsass.exe[804] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\lsass.exe[804] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F97
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC008C
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0FB2
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC006F
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0043
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC00D8
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F86
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0104
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F6B
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0115
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0054
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0014
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC00A7
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0FCD
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00E9
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0F72
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0025
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0014
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0F83
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EB0F94
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0F93
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0FA4
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FE3
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FB5
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FC6
.text C:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E6002C
.text C:\WINDOWS\system32\svchost.exe[1020] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E60047
.text C:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011B0F72
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011B0067
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011B0F8D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011B0F9E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011B0040
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011B00B0
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011B009F
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011B00C1
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011B0F32
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011B0F0D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011B0FB9
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011B0000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011B0082
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011B0FCA
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011B001B
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011B0F43
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011A0047
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011A0FA2
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011A0036
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011A0025
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011A0069
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011A0058
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011A0FD1
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01190055
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 01190FD4
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01190029
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01190000
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01190044
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01190FEF
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0022
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F88
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80087
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80FA3
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E8006C
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80047
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E800BF
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F77
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E800EB
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F52
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80F37
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80FC0
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E8000A
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80098
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80036
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80025
.text C:\WINDOWS\System32\svchost.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E800DA
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E70F75
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E70FDE
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E70028
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E70F86
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [07, 89]
.text C:\WINDOWS\System32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E70F97
.text C:\WINDOWS\System32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60FCF
.text C:\WINDOWS\System32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60064
.text C:\WINDOWS\System32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E6002E
.text C:\WINDOWS\System32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E6000C
.text C:\WINDOWS\System32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E6003F
.text C:\WINDOWS\System32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E6001D
.text C:\WINDOWS\System32\svchost.exe[1372] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\System32\svchost.exe[1372] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\System32\svchost.exe[1372] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0000
.text C:\WINDOWS\System32\svchost.exe[1372] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C001B
.text C:\WINDOWS\System32\svchost.exe[1372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50000
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0000
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F44
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0F55
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0F72
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0F83
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0FAF
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA008C
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0065
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA00B8
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0F1F
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA00C9
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0F9E
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0011
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0054
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FC0
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0FDB
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA009D
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90FA8
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90025
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D9000A
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D9005B
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90040
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D8002F
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80014
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80FB5
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80FE3
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80F9A
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FC6
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D60FC3
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D60FA8
.text C:\WINDOWS\System32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 3 Bytes JMP 010C000A
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileA + 4 7C801A2C 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 3 Bytes JMP 010C0F66
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtectEx + 4 7C801A65 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 3 Bytes JMP 010C005B
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtect + 4 7C801AD8 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010C0F8D
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 3 Bytes JMP 010C0FA8
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExA + 4 7C801D57 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 3 Bytes JMP 010C0FD4
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryA + 4 7C801D7F 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 3 Bytes JMP 010C0F30
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoW + 4 7C801E58 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010C0F41
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 3 Bytes JMP 010C0F15
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessW + 4 7C80233A 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 3 Bytes JMP 010C00AE
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessA + 4 7C80236F 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 3 Bytes JMP 010C00C9
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetProcAddress + 4 7C80AE44 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 3 Bytes JMP 010C0FC3
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryW + 4 7C80AEEF 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010C0025
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010C006C
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010C0FE5
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010C0036
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010C009D
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010B0FB2
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010B0043
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010B0FC3
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010B0FD4
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010B0F86
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010B0FEF
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 010B0F97
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [2B, 89]
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010B001E
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010A004C
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 010A0027
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010A0FC1
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010A0FE3
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010A0016
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010A0FD2
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\System32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01090000
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A40000
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A4008C
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A40F97
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A40FA8
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A40FC3
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A40051
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A40F55
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A40F72
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A400BF
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A40F30
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A40F0B
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A40FD4
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A4001B
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A4009D
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A40040
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A40FE5
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A400AE
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A30FDE
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A30F79
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A3002F
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A30FEF
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A30040
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A3000A
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01A30FA8
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 89]
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A30FB9
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A20031
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A20016
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A20FC1
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A20FEF
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A20FA6
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A20FD2
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0025
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0040
.text C:\WINDOWS\System32\svchost.exe[1500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A10FEF
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0089
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0078
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB005B
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB00C4
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0101
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00E6
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F4D
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0011
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0036
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00D5
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA002C
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0F76
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA001B
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F91
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA003D
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 001C0FB7
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!system 77C293C7 5 Bytes JMP 001C0042
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 001C0FD9
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 001C0000
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 001C0FC8
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 001C0011
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001A002C
.text C:\WINDOWS\System32\svchost.exe[1720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1936] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F68
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F79
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0025
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0084
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F3C
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F06
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF009F
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00B0
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0036
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF000A
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F4D
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F21
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015B002F
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 015B0FAF
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 015B0FD4
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 015B0FEF
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 015B006C
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 015B000A
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 015B005B
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 015B004A
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015A0F90
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!system 77C293C7 5 Bytes JMP 015A001B
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015A0FBC
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015A0000
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015A0FA1
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015A0FD7
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01580000
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01580FE5
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01580FD4
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01580FB9
.text C:\WINDOWS\Explorer.EXE[1936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01590FE5
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF008E
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F99
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0073
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF003D
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00C1
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00B0
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F4A
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00E3
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F39
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0062
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF009F
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF002C
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF001B
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF00D2
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE002F
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0065
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0014
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE004A
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 001C0F89
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!system 77C293C7 5 Bytes JMP 001C0014
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 001C0FB5
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 001C0FA4
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 001C0FD2
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[2788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0F4B
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F5C
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0F77
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0F94
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0036
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC0F29
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0065
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC00C2
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC00A7
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC0F0E
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0FA5
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC0F3A
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0025
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC000A
.text C:\WINDOWS\System32\svchost.exe[3768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC0096
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FDB
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0FA8
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB002C
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB001B
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0FCA
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0051
.text C:\WINDOWS\System32\svchost.exe[3768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0033
.text C:\WINDOWS\System32\svchost.exe[3768] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\System32\svchost.exe[3768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\System32\svchost.exe[3768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[3768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\System32\svchost.exe[3768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA000C
.text C:\WINDOWS\System32\svchost.exe[3768] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
.text C:\WINDOWS\System32\svchost.exe[3768] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0011
.text C:\WINDOWS\System32\svchost.exe[3768] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0022
.text C:\WINDOWS\System32\svchost.exe[3768] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0FD1
.text C:\WINDOWS\System32\svchost.exe[5388] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\svchost.exe[5388] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\svchost.exe[5388] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F8D
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C000A
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C004A
.text C:\WINDOWS\System32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C002F
.text C:\WINDOWS\System32\svchost.exe[5388] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0123000A
.text C:\WINDOWS\System32\svchost.exe[5388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0041002C
.text C:\WINDOWS\System32\svchost.exe[5388] msvcrt.dll!system 77C293C7 5 Bytes JMP 00410011
.text C:\WINDOWS\System32\svchost.exe[5388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00410000
.text C:\WINDOWS\System32\svchost.exe[5388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00410FE3
.text C:\WINDOWS\System32\svchost.exe[5388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00410FA1
.text C:\WINDOWS\System32\svchost.exe[5388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00410FC6
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D006E
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0053
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F79
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0036
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D001B
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F37
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0089
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0EFA
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F0B
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D00AE
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F94
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0000
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0F5E
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FAF
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FCA
.text C:\WINDOWS\System32\dllhost.exe[5640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F26
.text C:\WINDOWS\System32\dllhost.exe[5640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0F9A
.text C:\WINDOWS\System32\dllhost.exe[5640] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0025
.text C:\WINDOWS\System32\dllhost.exe[5640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0000
.text C:\WINDOWS\System32\dllhost.exe[5640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\System32\dllhost.exe[5640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FB5
.text C:\WINDOWS\System32\dllhost.exe[5640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FD2
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FAF
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D002F
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FC0
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0000
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0F72
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F8D
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\System32\dllhost.exe[5640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0F9E
.text C:\WINDOWS\System32\dllhost.exe[5640] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00790FEF
.text C:\WINDOWS\System32\dllhost.exe[5640] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\dllhost.exe[5640] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00790FCA
.text C:\WINDOWS\System32\dllhost.exe[5640] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00790025
.text C:\WINDOWS\System32\dllhost.exe[5640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001A0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A783EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
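The user-mode hook lines in the GMER log above all have the same shape: GMER names the process and PID, the export that was patched, the address and length of the patch, and the JMP destination; where the destination lies inside a loaded module it appends that module's path and vendor (as on the two mcproxy.exe lines), and where it does not, nothing follows. The script below is an added example, not part of the thread and not GMER's own code, showing how a responder can parse such lines and group the hooks per process by the 64 KB region they jump into. It assumes the heuristic that a JMP target GMER could not attribute to any module is injected code; the function names are mine, and the sample lines are seven lines copied from the log above.

```python
"""Triage of GMER user-mode inline-hook lines (added example, not from the thread)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One GMER '.text' line, e.g.
# .text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"               # process path and PID
    r"(?P<module>[^\s!]+)!(?P<func>\S+(?: \+ \d+)?)\s+"          # module!export[ + offset]
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"        # patched address, patch length
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]+)\])"   # JMP destination or raw bytes
    r"(?:\s+\{[^}]*\})?"                                          # optional disassembly hint
    r"(?:\s+(?P<owner>\S.*?))?\s*$"                               # optional owning module
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    addr: int
    size: int
    target: Optional[int]   # JMP destination; None when GMER printed raw bytes instead
    raw: Optional[str]      # raw patch bytes, e.g. "EB, 88"
    owner: Optional[str]    # module GMER attributed the destination to, if any


def parse_gmer_hooks(text: str) -> list[Hook]:
    """Parse the '.text' lines of a GMER log; every other line is ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]), module=m["module"], func=m["func"],
            addr=int(m["addr"], 16), size=int(m["size"]),
            target=int(m["target"], 16) if m["target"] else None,
            raw=m["raw"], owner=m["owner"],
        ))
    return hooks


def classify(h: Hook) -> str:
    """attributed: destination resolved to a module; unattributed: JMP into memory
    GMER could not name (assumed injected code); partial: raw bytes only, e.g. the
    '+ 3' continuation of a patch GMER reported as two 2-byte pieces."""
    if h.owner:
        return "attributed"
    if h.target is not None:
        return "unattributed"
    return "partial"


def summarize(hooks: list[Hook]) -> dict:
    """Per (process, pid): counts per class and, for unattributed hooks, the hooked
    exports grouped by the 64 KB region their JMP lands in."""
    summary: dict = {}
    for h in hooks:
        s = summary.setdefault((h.process, h.pid),
                               {"attributed": 0, "unattributed": 0, "partial": 0,
                                "regions": defaultdict(list)})
        kind = classify(h)
        s[kind] += 1
        if kind == "unattributed":
            region = f"{h.target & 0xFFFF0000:08X}"
            s["regions"][region].append(f"{h.module}!{h.func}")
    return summary


def suspicious_processes(hooks: list[Hook]) -> list[tuple[str, int]]:
    """Processes carrying at least one unattributed hook, sorted."""
    return sorted(k for k, s in summarize(hooks).items() if s["unattributed"])


# Constructed sample: seven lines copied from the GMER log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F06
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015B002F
.text C:\WINDOWS\Explorer.EXE[1936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01590FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0FCA
.text C:\WINDOWS\System32\svchost.exe[3768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
"""

if __name__ == "__main__":
    for (proc, pid), s in summarize(parse_gmer_hooks(SAMPLE_LOG)).items():
        print(f"{proc}[{pid}]: attributed={s['attributed']} "
              f"unattributed={s['unattributed']} partial={s['partial']}")
        for region, funcs in sorted(s["regions"].items()):
            print(f"  JMP into {region}: {', '.join(funcs)}")
```

Run on the sample, the report separates the McAfee hook (attributed to mcproxy.exe) from the Explorer and svchost hooks, and shows that Explorer's kernel32 hooks all land in the 00FF0000 region while its ADVAPI32 and WS2_32 hooks land in 015B0000 and 01590000, which is the pattern visible across the full log above. Paste the whole log into SAMPLE_LOG to get the same breakdown for every hooked process.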


#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 02 June 2010 - 10:44 PM

Hi Tom,

Thanks for posting the GMER log as well; now I can see what's going on.

Download TDLfix and save it to your desktop.
  • Close all the open windows.
  • Double-click TDLfix.exe to run the tool.
  • Type the following line into the command window and press Enter:
dmload
  • The application will restart the computer immediately and run after the restart.
  • Tell me if the computer rebooted and ran to completion.
Note: The tool currently only supports Windows XP.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O4 - HKLM..\Run: [nwiz] File not found
    O4 - HKU\S-1-5-21-1214440339-1606980848-1417001333-1004..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered and reboot when it is done.
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Then please post back here with the following logs:
  • OTL results
  • New OTL log
  • MBAM log

Thanks



#5 thomas2345

  • Topic Starter

  • Members
  • 9 posts

Posted 03 June 2010 - 12:20 AM

Hi Syler,

Here's the log from the OTL Run Fix (Subsequent OTL scan and Malwarebytes logs follow):

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1214440339-1606980848-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Shockwave Updater deleted successfully.
File not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41661 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 17890752 bytes
->Flash cache emptied: 3001 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3166854 bytes
->Java cache emptied: 14 bytes
->Flash cache emptied: 16903 bytes

User: Peter
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 23834841 bytes
->Flash cache emptied: 16765 bytes

User: Tom
->Temp folder emptied: 5269101 bytes
->Temporary Internet Files folder emptied: 17840881 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 50707 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145933 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6401586 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10453618 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 127910245 bytes

Total Files Cleaned = 204.00 mb


[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Peter
->Flash cache emptied: 0 bytes

User: Tom
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.2 log created on 06022010_213412

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

And here's the subsequent OTL scan log:
OTL logfile created on: 6/2/2010 10:01:16 PM - Run 2
OTL by OldTimer - Version 3.2.5.2 Folder = C:\Documents and Settings\Tom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 317.71 Gb Free Space | 68.21% Space Free | Partition Type: NTFS
Drive D: | 641.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 7.50 Gb Total Space | 7.45 Gb Free Space | 99.32% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PETERS_PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/01 14:04:26 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
PRC - [2010/05/19 12:00:00 | 000,501,872 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Tom\Local Settings\Temp\Google Toolbar\gtb26.tmp.exe
PRC - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/08 22:56:42 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/02/23 19:43:12 | 000,576,000 | ---- | M] (MagicISO, Inc.) -- C:\Program Files\MagicDisc\MagicDisc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/17 22:59:58 | 000,041,042 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
PRC - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\Apache2\bin\Apache.exe


========== Modules (SafeList) ==========

MOD - [2010/06/01 14:04:26 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
MOD - [2009/12/08 14:12:24 | 000,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/02/08 13:55:48 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/08/15 06:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2008/01/17 22:58:36 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Apache Group\Apache2\bin\Apache.exe -- (Apache2)


========== Driver Services (SafeList) ==========

DRV - [2010/04/30 16:56:24 | 006,032,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/01/11 21:03:33 | 010,276,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/10/12 21:24:56 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/12 21:24:54 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/12 21:24:52 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/25 00:21:28 | 000,142,336 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtnicxp.sys -- (RTL8023xp)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/08/05 05:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ambfilt.sys -- (Ambfilt)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/04/13 11:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/30 22:18:42 | 000,651,712 | ---- | M] (VIA - IC Ensemble, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\envy24hf.sys -- (Envy24HFS)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/08/08 10:25:06 | 000,182,528 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\saih0461.sys -- (SaiH0461)
DRV - [2006/01/04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (Monfilt)
DRV - [2004/08/03 22:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/04/14 12:08:00 | 000,044,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2004/04/14 12:08:00 | 000,021,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmfilter.sys -- (WmFilter)
DRV - [2004/04/14 12:08:00 | 000,014,432 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmhidlo.sys -- (WmHidLo)
DRV - [2004/04/14 12:08:00 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2004/04/14 12:08:00 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmvirhid.sys -- (WmVirHid)
DRV - [2003/10/15 17:52:50 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/24 15:23:48 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/05/24 13:44:40 | 000,395,774 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 13666 more lines...
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DelReg] C:\Program Files\MSI\OverclockingCenter\DelReg.exe ()
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [{054A0513-3E59-4c06-B932-D5A2EBF46C55}] C:\Documents and Settings\Tom\Local Settings\Temp\Google Toolbar\gtb26.tmp.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe (Apache Software Foundation)
O4 - Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1241419376926 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1241419619364 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://a.download.toontown.com/sv1.0.38.33/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/03 22:48:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/27 01:47:12 | 000,000,000 | R--D | M] - D:\AutoRun -- [ CDFS ]
O32 - AutoRun File - [2003/08/27 01:47:12 | 000,000,059 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{d5f6c01c-0c6b-11df-bb07-0015f2361e73}\Shell\AutoRun\command - "" = I:\MI.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/02 21:34:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/02 21:22:31 | 000,000,000 | ---D | C] -- C:\vir
[2010/06/02 21:20:20 | 000,005,888 | ---- | C] (Microsoft Corp., Veritas Software.) -- C:\WINDOWS\System32\drivers\tmpdmload.sys
[2010/06/02 21:20:20 | 000,000,000 | ---D | C] -- C:\backup
[2010/06/02 16:35:31 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2010/05/29 19:40:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/29 19:40:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Application Data\SUPERAntiSpyware.com
[2010/05/29 19:40:30 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/24 15:44:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/24 15:44:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/24 15:44:14 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/05/24 15:42:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/24 14:56:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tom\Recent
[2010/05/24 14:52:27 | 000,887,328 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTSndMgr.CPL
[2010/05/24 14:51:51 | 001,251,872 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlExUpd.dll
[2010/05/24 14:45:47 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/22 18:45:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/22 18:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/22 15:58:42 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/05/22 14:53:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/05/22 14:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/22 14:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/05/19 19:23:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/19 19:23:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/19 16:34:10 | 000,072,440 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxhpinst.exe
[2010/05/19 16:34:09 | 001,628,920 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxsfs.dll
[2010/05/19 16:34:09 | 000,547,576 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\px.dll
[2010/05/19 16:34:09 | 000,510,712 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxdrv.dll
[2010/05/19 16:34:09 | 000,379,640 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxwave.dll
[2010/05/19 16:34:09 | 000,187,128 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxmas.dll
[2010/05/19 16:34:09 | 000,129,784 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxafs.dll
[2010/05/19 16:34:09 | 000,039,672 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\vxblock.dll
[2010/05/15 11:57:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/05/15 10:45:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/08 17:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\My Documents\Algodoo
[2010/05/08 17:56:54 | 000,000,000 | ---D | C] -- C:\Program Files\Algodoo
[2010/05/05 16:09:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/05 16:09:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 16:02:30 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/05/05 16:02:30 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/05/05 16:02:29 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/05/05 16:02:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Local Settings\Application Data\qosrsaufl
[2010/05/05 16:02:27 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/05/05 16:02:27 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2004/11/16 09:29:28 | 000,254,000 | ---- | C] ( ) -- C:\WINDOWS\System32\Audio3D.dll
[2004/11/16 09:29:28 | 000,254,000 | ---- | C] ( ) -- C:\WINDOWS\System32\A3D.dll

========== Files - Modified Within 30 Days ==========

[2010/06/02 21:40:24 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/02 21:40:24 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/02 21:40:24 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/02 21:36:53 | 000,267,725 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/02 21:36:40 | 000,032,155 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/06/02 21:36:40 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/02 21:36:38 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/02 21:35:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/02 21:35:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/02 21:35:16 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Tom\NTUSER.DAT
[2010/06/02 21:20:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tom\ntuser.ini
[2010/06/02 21:20:20 | 000,001,186 | ---- | M] () -- C:\dmload.reg
[2010/06/01 14:04:26 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2010/05/29 21:54:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Tom\defogger_reenable
[2010/05/29 21:53:41 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Defogger.exe
[2010/05/29 21:13:48 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\gmer.zip
[2010/05/29 21:07:45 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\dds.scr
[2010/05/29 19:40:32 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/24 13:44:40 | 000,395,774 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/22 16:00:30 | 000,000,452 | RHS- | M] () -- C:\Documents and Settings\Tom\ntuser.pol
[2010/05/22 13:09:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/22 08:47:40 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/19 19:23:42 | 000,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/19 18:17:03 | 083,160,378 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0061.MOV
[2010/05/19 18:17:02 | 073,368,960 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0063.MOV
[2010/05/19 17:56:48 | 039,515,513 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0060.MOV
[2010/05/19 17:56:48 | 028,024,706 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0059.MOV
[2010/05/19 17:34:01 | 010,306,243 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0055.MOV
[2010/05/19 17:11:06 | 015,713,098 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0054.MOV
[2010/05/19 17:11:05 | 019,508,001 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\FILE0053.MOV
[2010/05/19 17:02:01 | 000,011,285 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\Lizzy.docx
[2010/05/19 16:33:01 | 000,379,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxwave.dll
[2010/05/19 16:33:01 | 000,187,128 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxmas.dll
[2010/05/19 16:32:59 | 000,072,440 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxhpinst.exe
[2010/05/19 16:32:58 | 001,628,920 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxsfs.dll
[2010/05/19 16:32:57 | 000,129,784 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxafs.dll
[2010/05/19 16:32:56 | 000,510,712 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\pxdrv.dll
[2010/05/19 16:32:55 | 000,547,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\px.dll
[2010/05/19 16:32:55 | 000,039,672 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\vxblock.dll
[2010/05/19 15:12:40 | 045,854,902 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\peters pics. only!!!!! 336.mov
[2010/05/16 22:10:45 | 002,112,268 | -H-- | M] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\IconCache.db
[2010/05/15 10:08:49 | 000,000,174 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/05 16:08:39 | 000,010,559 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\luvina.docx

========== Files Created - No Company Name ==========

[2010/06/02 21:20:20 | 000,001,186 | ---- | C] () -- C:\dmload.reg
[2010/05/31 10:30:16 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\gmer.exe
[2010/05/29 21:54:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tom\defogger_reenable
[2010/05/29 21:53:41 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\Defogger.exe
[2010/05/29 21:13:46 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\gmer.zip
[2010/05/29 21:10:03 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\dds.scr
[2010/05/29 19:40:32 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/22 19:21:53 | 000,197,144 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/22 16:00:28 | 000,000,452 | RHS- | C] () -- C:\Documents and Settings\Tom\ntuser.pol
[2010/05/19 18:16:45 | 083,160,378 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0061.MOV
[2010/05/19 18:16:34 | 073,368,960 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0063.MOV
[2010/05/19 17:56:29 | 039,515,513 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0060.MOV
[2010/05/19 17:56:25 | 028,024,706 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0059.MOV
[2010/05/19 17:33:54 | 010,306,243 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0055.MOV
[2010/05/19 17:11:00 | 015,713,098 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0054.MOV
[2010/05/19 17:10:57 | 019,508,001 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\FILE0053.MOV
[2010/05/19 16:59:07 | 000,011,285 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\Lizzy.docx
[2010/05/15 10:08:49 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/05 16:03:31 | 000,010,559 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\luvina.docx
[2010/03/04 17:11:22 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/02/27 18:06:54 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2009/05/07 15:40:29 | 001,126,400 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461.Dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_10.dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0C.dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0A.dll
[2009/05/07 15:40:29 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_07.dll
[2009/05/07 15:40:29 | 000,006,656 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_09.dll
[2009/05/07 15:40:29 | 000,006,656 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0402.dll
[2009/03/03 12:18:04 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4166

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/2/2010 10:18:01 PM
mbam-log-2010-06-02 (22-18-01).txt

Scan type: Quick scan
Objects scanned: 131741
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Going to reboot now and hope for the best. Thanks for your help.

Tom

#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 June 2010 - 08:03 AM

That's looking better. Can you tell me how the machine is running and if you are still having any problems?


You don't have the latest version of Java. You should run JavaRa to clean up any older Java, then
download and install the latest version from here.

Please download JavaRa and unzip it to your desktop.
Then print these instructions, as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; select Remove Older Versions, click Yes, then OK.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning.
  • The process is automatic: a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • ESET report
  • mbr.log
  • New DDS log

Thanks



#7 thomas2345

  • Topic Starter

  • Members
  • 9 posts

Posted 03 June 2010 - 11:41 PM

Hi Syler,

Working okay so far. However, ESET found this:

C:\vir\dmload.sys.old Win32/Olmarik.ZC trojan

Delete this?

Here's the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

And a new DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 21:38:51.14 on Thu 06/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1149 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DelReg] c:\program files\msi\overclockingcenter\DelReg.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache group\apache2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241419376926
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241419619364
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.33/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-3 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-3 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-3 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-3 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-3 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-3 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-3 40552]
S2 gupdate1ca1c6f80aa25e4;Google Update Service (gupdate1ca1c6f80aa25e4);c:\program files\google\update\GoogleUpdate.exe [2009-8-13 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [2010-2-28 1684736]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\envy24hf.sys [2007-11-30 651712]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-3 34248]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\saih0461.sys [2009-5-7 182528]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2010-06-03 23:27:19 0 d-----w- c:\program files\ESET
2010-06-03 05:13:43 0 d-----w- c:\docume~1\tom\applic~1\Malwarebytes
2010-06-03 05:13:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 05:13:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-03 05:13:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 05:13:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 04:34:12 0 d-----w- C:\_OTL
2010-06-03 04:22:31 0 d-----w- C:\vir
2010-06-03 04:20:20 5888 ----a-w- c:\windows\system32\drivers\tmpdmload.sys
2010-06-03 04:20:20 1186 ----a-w- C:\dmload.reg
2010-06-03 04:20:20 0 d-----w- C:\backup
2010-05-30 02:40:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-30 02:40:30 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-30 02:40:30 0 d-----w- c:\docume~1\tom\applic~1\SUPERAntiSpyware.com
2010-05-24 22:44:14 0 d-s---w- C:\ComboFix
2010-05-24 21:52:27 887328 ----a-w- c:\windows\system32\RTSndMgr.CPL
2010-05-24 21:51:51 1251872 ----a-w- c:\windows\RtlExUpd.dll
2010-05-24 21:45:47 0 d-----w- c:\program files\CCleaner
2010-05-23 01:45:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 01:45:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-22 23:00:28 452 --sha-r- c:\documents and settings\tom\ntuser.pol
2010-05-22 22:58:42 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-22 21:53:29 0 d-----w- c:\windows\system32\NtmsData
2010-05-19 23:34:09 129784 ------w- c:\windows\system32\pxafs.dll
2010-05-15 17:45:23 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-15 17:08:49 174 ----a-w- c:\windows\system32\MRT.INI
2010-05-09 00:56:54 0 d-----w- c:\program files\Algodoo
2010-05-05 23:02:30 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:02:30 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:02:29 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-05 23:02:29 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-05 23:02:27 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:02:27 8192 ----a-w- c:\windows\system32\drivers\changer.sys

==================== Find3M ====================

2010-05-01 00:22:46 358944 ----a-w- c:\windows\vncutil.exe
2010-05-01 00:22:40 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-05-01 00:22:34 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-05-01 00:22:34 19523616 ----a-w- c:\windows\RTHDCPL.EXE
2010-05-01 00:22:28 2177568 ----a-w- c:\windows\MicCal.exe
2010-04-30 23:56:24 6032928 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 21:39:21.07 ===============


#8 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 04 June 2010 - 04:37 PM

Your logs are looking fine to me now.

The detection that eset found is a backup from TDLfix, you can clean that up now.


Close all the open windows, double-click TDLfix.exe to run the tool.
In the window type del and press Enter; this will clean up the backup.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out your restore points, you need to set a new restore point
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Note: This does not need to be done on a regular basis.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will
prevent you from getting the malware which uses vulnerabilities found in Windows to exploit your computer.
The easiest way to do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Make sure all programs are updated
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware
to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed
applications that are regularly patched to fix vulnerabilities. You can check these by visiting
Calendar of Updates or you can install Secunia PSI.

Install Sandboxie
Sandboxie is a great program to help protect you against malware. Working inside Sandboxie will basically
mean that what you are doing will not make permanent changes to your system, unless you allow it to.
So you can be surfing the web inside Sandboxie, then if you happen to stumble upon a bad site and get
infected, you can simply delete the sandbox and all is gone. Having said that, it can not be considered 100%
secure, as no program can be, but it can be a great help and is an excellent program. You can find a download
link and more information about the program here.

Secure your browsing
Firefox is generally considered to be a lot safer than Internet Explorer. I would recommend that you install
Firefox and install some addons that will make the browser even safer. You can download the latest version
of Firefox here; if you already have Firefox, these are some good addons.

Recommended addons
NoScript
Adblock Plus
WOT

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs. You can find a tutorial and download link here.

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions here.


Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler



#9 thomas2345
  • Topic Starter
  • Members
  • 9 posts

Posted 05 June 2010 - 12:24 PM

Hi Syler,

Two issues remain:

1) Following reboots I get the following error: "Generic Host Process for Win 32 Services encountered a problem and needs to close." Our system malfunctions related to services being shut down by the malware.

2) In computer properties, System Restore tab, the "Turn off System Restore" check box was grayed out (unavailable). It said it was disabled by Group Policy. I figured out how to enable this control in gpedit.msc and was able to complete the deletion of previous restore points and re-enable System Restore.

I'm going to reboot again to see if that setting stuck.

Thanks for all your help so far.

Tom

Edited by thomas2345, 05 June 2010 - 12:57 PM.
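The policy lockout Tom describes above (a "Turn off System Restore" box grayed out by Group Policy) and the services the first post found switched off can both be audited from an elevated PowerShell prompt. The script below is an added example, not something from this thread or from any of the tools it mentions; the two registry values are the standard System Restore policy values, while the short service names and the expected start types are my assumptions about a stock Windows XP baseline and should be adjusted to yours.

```powershell
# Added example (not from the thread). Audits (1) the Group Policy registry values
# that disable System Restore and hide its configuration tab, and (2) the start type
# of the services the original poster found switched off. Run as Administrator.

$srPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
# DisableSR = 1 turns System Restore off; DisableConfig = 1 grays out its settings UI.
$srPolicyValues = 'DisableSR', 'DisableConfig'

# Assumed XP short names and default start types for the services listed in the
# first post; treat this table as a baseline to review, not as authoritative.
$expectedServices = @{
    'Dhcp'       = 'Automatic'   # DHCP Client
    'RpcLocator' = 'Manual'      # Remote Procedure Call (RPC) Locator
    'ERSvc'      = 'Automatic'   # Error Reporting Service
    'helpsvc'    = 'Automatic'   # Help and Support
    'RSVP'       = 'Manual'      # QoS RSVP
    'RDSessMgr'  = 'Manual'      # Remote Desktop Help Session Manager
    'NtmsSvc'    = 'Manual'      # Removable Storage
    'seclogon'   = 'Automatic'   # Secondary Logon
    'Themes'     = 'Automatic'   # Themes
}

function Get-SystemRestorePolicyFindings {
    $findings = @()
    if (Test-Path $srPolicyKey) {
        $props = Get-ItemProperty -Path $srPolicyKey
        foreach ($name in $srPolicyValues) {
            if ($props.$name -eq 1) {
                $findings += "$name=1 under $srPolicyKey (System Restore locked by policy)"
            }
        }
    }
    return $findings
}

function Get-ServiceStartTypeFindings {
    $findings = @()
    foreach ($name in $expectedServices.Keys) {
        # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { continue }   # service not present on this build
        $expected = $expectedServices[$name]
        $wrongAuto = ($expected -eq 'Automatic' -and $svc.StartMode -ne 'Auto')
        if ($svc.StartMode -eq 'Disabled' -or $wrongAuto) {
            $findings += "$($svc.Name): StartMode=$($svc.StartMode), expected $expected"
        }
    }
    return $findings
}

Get-SystemRestorePolicyFindings
Get-ServiceStartTypeFindings
```

A reported policy value can be cleared with Remove-ItemProperty -Path $srPolicyKey -Name DisableSR (and likewise DisableConfig) once you have confirmed no legitimate domain policy set it; on a domain-joined machine the value would simply be reapplied at the next policy refresh.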


#10 thomas2345
  • Topic Starter
  • Members
  • 9 posts

Posted 05 June 2010 - 01:08 PM

Hi Syler,

I successfully re-enabled the "Turn Off System Restore" checkbox and was able to delete old restore points and re-enable System Restore. Following a reboot to confirm this, the service host error did not reappear. I had seen it on the last several reboots until now.

Was something lurking in one of the restore points?

Regardless, the issue appears resolved and I thank you again for your help.

Tom

Edited by thomas2345, 05 June 2010 - 01:09 PM.


#11 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 06 June 2010 - 09:11 AM

Hi Tom,

Good job on getting your restore points cleaned out. Malware will usually end up in your restore points; that is why
we advise cleaning them out after an infection has been cleaned up, otherwise you could end up restoring it.

The Generic Host Process error is quite a common one and could be caused by several things, so I can not really
say what caused it. Anyway, I'm glad all your issues are resolved now, and you're very welcome.



#12 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 June 2010 - 07:53 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





