
Problems with Daughter's Laptop Computer


  • This topic is locked
15 replies to this topic

#1 Torvald

Torvald

  • Members
  • 366 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 16 June 2010 - 08:17 PM

Hello,

I need help fixing my daughter's laptop computer; it is a Dell Inspiron 1501 with Windows 7 Home Premium.

While using her computer, a message popped up asking if she wanted to download & install Windows Defender, and she mistakenly clicked "Yes", whereupon several programs quickly installed themselves before she could turn the laptop off.

Based on what she told me, once the laptop was restarted she kept getting web browser redirects (using Firefox), the laptop would run very slow, strange error messages would pop up, MBAM would not run, virus warnings would appear, and she could not download any more Windows updates.

She tried to fix it herself by going back to an earlier Restore Point, but that only partially fixed things, so she then asked me to help.

Here is what I've done to date, as far as I can remember:

1. Ran SAS in regular windows mode on 06-13-10; found lots of infections, including Rootkit.TDSS and Trojan.Dropper/ADR-WV. (Only some got cleaned, though)

2. Ran SAS again in windows safe mode on 06-13-10; found the more serious infections again, but they seemed to get cleaned this time.

3. Ran SAS once more in regular windows mode on 06-14-10; seemed to be clean this time.

4. Reinstalled and ran MBAM in regular windows mode on 06-14-10; found different infections, including Trojan.Tracur and Trojan.Agent; seemed to clean the problems.

5. Ran MBAM again in regular mode on 06-14-10; seemed to still be clean.

6. Just to be safe, ran TDSSKiller.exe; did not appear to find or fix anything.

7. Deleted her old Windows Restore Points.

8. Repeatedly tried downloading & installing Windows Updates. Would go through the entire process, then end up failing, with error code 646 "Windows update encountered an unknown error".

9. Foolishly tried running some error 646 'fix-it' programs downloaded from the Internet, but they either did not work or asked me to purchase them, so I removed them all.

10. Ran GMER several times in regular windows mode on 06-15-10; however, each time it would eventually give a Windows error code and then restart.

11. Ran on-demand scan on 06-15-10 with McAfee VirusScan; no viruses were detected.

12. Successfully ran DDS on 06-16-10.

13. Disabled windows auto-restart on system failure.

14. Ran GMER on 06-16-10 in regular windows mode; Windows crashed, giving the following error code: 0x000000F4 (0x00000003, 0x85F3A768, 0x85F3A8D4, 0x83071D90)

15. Ran GMER in windows safe mode - it finally worked this time.

Although SAS and MBAM seemed to fix most infections, the fact that her laptop still keeps failing to install Windows Updates indicates to me that there is still something wrong.

Therefore, I am posting the DDS log file below, and am attaching zipped copies of the other log files, in hopes that someone can help me.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jennie at 19:04:39.18 on Wed 06/16/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1918.1111 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Temp\DDS\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar =
uSearch Page =
uStart Page = hxxp://www.myspace.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\jennie\appdata\roaming\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jennie\appdata\roaming\mozilla\firefox\profiles\2bmyq83g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\jennie\appdata\roaming\mozilla\firefox\profiles\2bmyq83g.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}\lib\winnt_x86-msvc\1.9.1\yoono.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jennie\appdata\local\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\users\jennie\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-26 343664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-10-22 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-10-22 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-10-22 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-2-26 70728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-16 24652]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-26 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-26 43288]
S2 gupdate1c9bec65599252d;Google Update Service (gupdate1c9bec65599252d);c:\program files\google\update\GoogleUpdate.exe [2009-4-16 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-26 65448]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]

=============== Created Last 30 ================

2010-06-16 00:58:44 0 d-----w- c:\temp\DDS
2010-06-16 00:58:21 0 d-----w- c:\temp\Gmer
2010-06-15 01:58:29 0 d-----w- c:\programdata\PC Drivers HeadQuarters
2010-06-15 01:30:15 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-06-15 01:30:15 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-06-15 01:00:52 0 d-----w- c:\temp\TDSS Killer
2010-06-14 23:51:43 0 d-----w- c:\temp\MalwareBytes Antimalware
2010-06-14 23:51:05 0 d-----w- c:\temp\SuperAntiSpyware
2010-06-14 23:50:26 0 d-----w- c:\temp\Ccleaner
2010-06-14 23:49:21 0 d-----w- c:\temp\Spyware Blaster
2010-06-14 00:58:31 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-13 02:53:43 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-13 02:46:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-13 02:46:43 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-13 02:46:31 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-13 02:45:23 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-13 02:45:23 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-13 02:34:50 524288 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000002.regtrans-ms
2010-06-13 02:34:49 65536 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
2010-06-13 02:34:49 524288 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000001.regtrans-ms
2010-06-13 01:28:37 0 d-----w- c:\users\jennie\appdata\roaming\Defense Center
2010-06-09 21:12:52 0 d-sh--w- c:\programdata\SysWoW32
2010-06-09 21:12:23 203776 --sh--w- c:\programdata\unrar.exe
2010-06-09 00:16:18 0 d-----w- c:\users\jennie\Incomplete
2010-06-08 10:44:54 0 d-----w- c:\users\jennie\appdata\roaming\Hotdog Hotshot
2010-06-08 08:37:24 0 d-----w- c:\program files\Hotdog Hotshot
2010-05-26 10:08:40 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 09:32:19 0 d-----w- c:\users\jennie\appdata\roaming\METAbolt
2010-05-26 09:31:27 0 d-----w- c:\program files\METAbolt
2010-05-26 02:07:48 0 d--h--w- c:\programdata\ArcSoft
2010-05-26 02:06:35 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2010-05-26 01:47:00 0 d-----w- c:\program files\Media Player Utilities 5.15
2010-05-22 01:16:07 0 d-----w- c:\program files\Bing Bar Installer
2010-05-22 01:15:55 0 d-----w- c:\program files\Farm Helper
2010-05-18 08:12:38 0 d-----w- c:\users\jennie\appdata\roaming\Digsby
2010-05-18 08:12:38 0 d-----w- c:\programdata\Digsby

==================== Find3M ====================

2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-06 23:24:40 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-26 17:26:00 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-26 17:26:00 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-26 17:26:00 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-26 17:26:00 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-16 21:31:05 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:06:11.71 ===============



Google is my friend. Make Google your friend too.
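As an added example for readers of this thread (not code from the original post, from DDS, or from BleepingComputer): a small Python script that triages the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log for the side effects visible in the log above, namely the HKLM UAC policies set to 0, the hosts-file entry sinkholing a security site, the orphaned toolbar CLSID with "No File", and hidden+system items dropped under c:\programdata. The section titles, the 8-character attribute string layout, and the allowlist of Windows-created hidden files are assumptions read off the posted log, and the sample input is a constructed excerpt of that log.

```python
"""Triage a DDS log for side effects typical of a rogue "antivirus" install.

Added example for this thread; not part of DDS or of the original post.
Section names, the 8-char attribute field and the benign-name allowlist are
assumptions based on the DDS output posted above.
"""
import re

# Sample input: excerpt of the first DDS log in this thread, trimmed to the
# two sections this script inspects (constructed for the example).
SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com

=============== Created Last 30 ================

2010-06-13 02:34:49 65536 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
2010-06-13 01:28:37 0 d-----w- c:\users\jennie\appdata\roaming\Defense Center
2010-06-09 21:12:52 0 d-sh--w- c:\programdata\SysWoW32
2010-06-09 21:12:23 203776 --sh--w- c:\programdata\unrar.exe
"""

# HKLM\...\Policies\System values (DDS prefix "mPolicies-system") that weaken
# UAC. Windows 7 defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5,
# PromptOnSecureDesktop=1.
WEAK_UAC_VALUES = {
    "EnableLUA": {"0": "UAC disabled entirely"},
    "ConsentPromptBehaviorAdmin": {"0": "admins elevate with no prompt at all"},
    "PromptOnSecureDesktop": {"0": "elevation prompts not on the secure desktop"},
}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NOFILE_RE = re.compile(r"^(TB|BHO):\s+(.*?)\s+-\s+No File$")
# "<date> <time> <size> <attrs> <path>"; attrs is 8 chars such as d-sh--w-
CREATED_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+([a-z-]{8})\s+(.+)$")
# Hidden+system items Windows creates itself; skipped to cut noise (assumed list).
BENIGN_HIDDEN_RE = re.compile(
    r"(ntuser\.dat|\.regtrans-ms$|\.blf$|desktop\.ini$|index\.dat$)", re.I)


def parse_sections(text):
    """Split a DDS log into {banner title: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^=+\s*(.+?)\s*=+$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def triage_dds(text):
    """Return (category, detail) findings that deserve a second look."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        if (m := POLICY_RE.match(line)) and m.group(2) in WEAK_UAC_VALUES.get(m.group(1), {}):
            name, value = m.groups()
            findings.append(("uac_weakened", f"{name}={value}: {WEAK_UAC_VALUES[name][value]}"))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            why = "sinkholed to loopback" if ip.startswith("127.") else f"redirected to {ip}"
            findings.append(("hosts_override", f"{host} {why}"))
        elif m := NOFILE_RE.match(line):
            findings.append(("orphaned_entry", f"{m.group(1)} {m.group(2)} points to a missing file"))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, size, attrs, path = m.groups()
        # 's' and 'h' set together = hidden+system: Explorer hides these by
        # default, which is why dropped payloads like to carry both bits.
        if "s" in attrs and "h" in attrs and not BENIGN_HIDDEN_RE.search(path):
            kind = "dir" if attrs.startswith("d") else f"file, {size} bytes"
            findings.append(("hidden_system_item", f"{when} {path} ({kind})"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS_LOG):
        print(f"[{category}] {detail}")
```

On the log above this reports three weakened UAC values, one hosts override, one orphaned toolbar and two hidden+system items (c:\programdata\SysWoW32 and c:\programdata\unrar.exe), while the registry transaction files under the user profile are ignored. EnableLUA=0 together with ConsentPromptBehaviorAdmin=0 means any program elevates to administrator without a consent dialog, which fits "several programs quickly installed themselves" after a single click. DDS records these values whether malware or a person set them, so ask the owner whether UAC was turned off deliberately before treating the policies alone as an indicator; the same goes for every finding here, which is a lead to check, not a verdict.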




#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:56 AM

Posted 22 June 2010 - 04:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 Torvald

Torvald
  • Topic Starter

  • Members
  • 366 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 22 June 2010 - 02:08 PM

Thank you very much for offering to help.

I am currently at work right now (it's 2:00 p.m. my time), so give me about six more hours to get home, follow your instructions and then post the requested logs.

Google is my friend. Make Google your friend too.


#4 Torvald

Torvald
  • Topic Starter

  • Members
  • 366 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 22 June 2010 - 08:36 PM

Okay, am at home now, have had dinner and am starting to run the required diagnostics.

Will be downloading the necessary files from the Internet using my reliable Windows XP computer, then transferring them over to my daughter's Windows 7 laptop and copying the resultant log files back to my computer using a flash drive. Have already installed & run the flash disinfector program on my computer & flash drive, so hopefully no bad stuff will get transferred to my computer.

Disconnected the laptop from the Internet & disabled McAfee Antivirus, then ran the DDS program. Am posting the contents of the DDS.txt file below, and am attaching the Attach.txt file. Will then run the GMER program and will post its results with the next reply.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jennie at 20:23:47.17 on Tue 06/22/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1918.1065 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\System32\tcpsvcs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Jennie\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar =
uSearch Page =
uStart Page = hxxp://www.myspace.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\jennie\appdata\roaming\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jennie\appdata\roaming\mozilla\firefox\profiles\2bmyq83g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\jennie\appdata\roaming\mozilla\firefox\profiles\2bmyq83g.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}\lib\winnt_x86-msvc\1.9.1\yoono.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jennie\appdata\local\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\users\jennie\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-10-22 146448]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-26 343664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-10-22 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-10-22 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-2-26 70728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-16 24652]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-26 91672]
S2 gupdate1c9bec65599252d;Google Update Service (gupdate1c9bec65599252d);c:\program files\google\update\GoogleUpdate.exe [2009-4-16 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-26 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-26 65448]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]

=============== Created Last 30 ================

2010-06-17 00:20:38 203488427 ----a-w- c:\windows\MEMORY.DMP
2010-06-15 01:58:29 0 d-----w- c:\programdata\PC Drivers HeadQuarters
2010-06-15 01:30:15 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-06-15 01:30:15 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-06-14 23:51:43 0 d-----w- c:\temp\MalwareBytes Antimalware
2010-06-14 23:51:05 0 d-----w- c:\temp\SuperAntiSpyware
2010-06-14 23:50:26 0 d-----w- c:\temp\Ccleaner
2010-06-14 23:49:21 0 d-----w- c:\temp\Spyware Blaster
2010-06-14 00:58:31 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-13 02:53:43 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-13 02:46:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-13 02:46:43 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-13 02:46:31 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-13 02:45:23 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-13 02:45:23 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-13 02:34:50 524288 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000002.regtrans-ms
2010-06-13 02:34:49 65536 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
2010-06-13 02:34:49 524288 --sha-w- c:\users\jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000001.regtrans-ms
2010-06-13 01:28:37 0 d-----w- c:\users\jennie\appdata\roaming\Defense Center
2010-06-09 21:12:52 0 d-sh--w- c:\programdata\SysWoW32
2010-06-09 21:12:23 203776 --sh--w- c:\programdata\unrar.exe
2010-06-09 00:16:18 0 d-----w- c:\users\jennie\Incomplete
2010-06-08 10:44:54 0 d-----w- c:\users\jennie\appdata\roaming\Hotdog Hotshot
2010-06-08 08:37:24 0 d-----w- c:\program files\Hotdog Hotshot
2010-05-26 10:08:40 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 09:32:19 0 d-----w- c:\users\jennie\appdata\roaming\METAbolt
2010-05-26 09:31:27 0 d-----w- c:\program files\METAbolt
2010-05-26 02:07:48 0 d--h--w- c:\programdata\ArcSoft
2010-05-26 02:06:35 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2010-05-26 01:47:00 0 d-----w- c:\program files\Media Player Utilities 5.15

==================== Find3M ====================

2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-06 23:24:40 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-26 17:26:00 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-26 17:26:00 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-26 17:26:00 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-26 17:26:00 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-16 21:31:05 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:24:24.12 ===============


Google is my friend. Make Google your friend too.


#5 Torvald

  • Topic Starter

Posted 22 June 2010 - 09:02 PM

With antivirus still disconnected and wireless internet still turned off, have now successfully run GMER using the randomly named file, and am posting the results below:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-22 20:53:30
Windows 6.1.7600
Running: cpblfvqt.exe; Driver: C:\Users\Jennie\AppData\Local\Temp\kwryrkow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E052D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1D1A8

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x88B4D68A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x88B4D5E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x88B4D5FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x88B4D612]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x88B4D6C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x88B4D64E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x88B4D69E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x88B4D662]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x88B4D63A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x88B4D626]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x88B4D6F7]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x88B4D6DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x88B4D6B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82E64148 5 Bytes JMP 88B4D6B8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E7C599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA0F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FE02000, 0x23097E, 0xE8000020]
.text peauth.sys 96208C9D 28 Bytes [9E, B5, 77, F0, A0, 55, 44, ...]
.text peauth.sys 96208CC1 28 Bytes [9E, B5, 77, F0, A0, 55, 44, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[512] kernel32.dll!GetStartupInfoA 76F71DF0 5 Bytes JMP 001600DB
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessW 76F7202D 5 Bytes JMP 00160122
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessA 76F72062 5 Bytes JMP 00160F8D
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateNamedPipeW 76FA1FD6 5 Bytes JMP 0016004A
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreatePipe 76FA4A8B 5 Bytes JMP 00160FB2
.text C:\Windows\system32\services.exe[512] kernel32.dll!VirtualProtect 76FB50AB 5 Bytes JMP 00160FC3
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryExW 76FBB6BF 5 Bytes JMP 00160FD4
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryExA 76FBBC8B 5 Bytes JMP 00160091
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileW 76FC0B7D 5 Bytes JMP 00160014
.text C:\Windows\system32\services.exe[512] kernel32.dll!GetProcAddress 76FC1857 5 Bytes JMP 0016013D
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryA 76FC2884 5 Bytes JMP 0016005B
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryW 76FC28D2 5 Bytes JMP 0016006C
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileA 76FC291C 5 Bytes JMP 00160FEF
.text C:\Windows\system32\services.exe[512] kernel32.dll!GetStartupInfoW 76FC7CD5 5 Bytes JMP 001600EC
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateNamedPipeA 76FFD5BF 5 Bytes JMP 00160025
.text C:\Windows\system32\services.exe[512] kernel32.dll!WinExec 76FFE76D 5 Bytes JMP 001600FD
.text C:\Windows\system32\services.exe[512] kernel32.dll!VirtualProtectEx 76FFF729 5 Bytes JMP 001600B6
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_open 77527E48 5 Bytes JMP 00170FEF
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_wsystem 7755B04F 5 Bytes JMP 00170F9C
.text C:\Windows\system32\services.exe[512] msvcrt.dll!system 7755B16F 5 Bytes JMP 00170027
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_creat 7755ED29 5 Bytes JMP 0017000C
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_wcreat 7756038E 5 Bytes JMP 00170FAD
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_wopen 77560570 5 Bytes JMP 00170FD2
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyA 7643D2ED 5 Bytes JMP 000A000A
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyA 7643D3C1 5 Bytes JMP 000A0FC3
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyExA 76441B71 5 Bytes JMP 000A0F9E
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyW 76441CC0 5 Bytes JMP 000A0040
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyW 76443129 5 Bytes JMP 000A0FEF
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyExW 7644B946 5 Bytes JMP 000A005B
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyExA 7644BC0D 5 Bytes JMP 000A0025
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyExW 7644BEC4 5 Bytes JMP 000A0FD4
.text C:\Windows\system32\services.exe[512] WS2_32.dll!socket 76D73F00 5 Bytes JMP 00180000
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!GetStartupInfoA 76F71DF0 5 Bytes JMP 00060F6C
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreateProcessW 76F7202D 5 Bytes JMP 00060F25
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreateProcessA 76F72062 5 Bytes JMP 00060F36
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreateNamedPipeW 76FA1FD6 5 Bytes JMP 00060040
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreatePipe 76FA4A8B 5 Bytes JMP 0006009F
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!VirtualProtect 76FB50AB 5 Bytes JMP 0006008E
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!LoadLibraryExW 76FBB6BF 5 Bytes JMP 00060FC0
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!LoadLibraryExA 76FBBC8B 5 Bytes JMP 00060073
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreateFileW 76FC0B7D 5 Bytes JMP 0006001B
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!GetProcAddress 76FC1857 5 Bytes JMP 00060F0A
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!LoadLibraryA 76FC2884 5 Bytes JMP 00060051
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!LoadLibraryW 76FC28D2 5 Bytes JMP 00060062
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreateFileA 76FC291C 5 Bytes JMP 0006000A
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!GetStartupInfoW 76FC7CD5 5 Bytes JMP 00060F5B
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!CreateNamedPipeA 76FFD5BF 5 Bytes JMP 00060FE5
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!WinExec 76FFE76D 5 Bytes JMP 000600BA
.text C:\Windows\system32\lsass.exe[572] kernel32.dll!VirtualProtectEx 76FFF729 5 Bytes JMP 00060F91
.text C:\Windows\system32\lsass.exe[572] msvcrt.dll!_open 77527E48 5 Bytes JMP 00070FEF
.text C:\Windows\system32\lsass.exe[572] msvcrt.dll!_wsystem 7755B04F 5 Bytes JMP 00070F95
.text C:\Windows\system32\lsass.exe[572] msvcrt.dll!system 7755B16F 5 Bytes JMP 00070FA6
.text C:\Windows\system32\lsass.exe[572] msvcrt.dll!_creat 7755ED29 5 Bytes JMP 00070FD2
.text C:\Windows\system32\lsass.exe[572] msvcrt.dll!_wcreat 7756038E 5 Bytes JMP 00070FC1
.text C:\Windows\system32\lsass.exe[572] msvcrt.dll!_wopen 77560570 5 Bytes JMP 0007000C
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegOpenKeyA 7643D2ED 5 Bytes JMP 0004000A
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegCreateKeyA 7643D3C1 5 Bytes JMP 0004003D
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegCreateKeyExA 76441B71 5 Bytes JMP 0004005F
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegCreateKeyW 76441CC0 5 Bytes JMP 0004004E
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegOpenKeyW 76443129 5 Bytes JMP 0004001B
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegCreateKeyExW 7644B946 5 Bytes JMP 00040FA2
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegOpenKeyExA 7644BC0D 5 Bytes JMP 00040FE5
.text C:\Windows\system32\lsass.exe[572] ADVAPI32.dll!RegOpenKeyExW 7644BEC4 5 Bytes JMP 0004002C
.text C:\Windows\system32\lsass.exe[572] WS2_32.dll!socket 76D73F00 5 Bytes JMP 00050000
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetStartupInfoA 76F71DF0 5 Bytes JMP 00C20F6F
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateProcessW 76F7202D 5 Bytes JMP 00C20F17
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateProcessA 76F72062 5 Bytes JMP 00C20F28
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateNamedPipeW 76FA1FD6 5 Bytes JMP 00C2001B
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreatePipe 76FA4A8B 5 Bytes JMP 00C20098
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!VirtualProtect 76FB50AB 5 Bytes JMP 00C2006C
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryExW 76FBB6BF 5 Bytes JMP 00C20F94
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryExA 76FBBC8B 5 Bytes JMP 00C20FB9
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateFileW 76FC0B7D 5 Bytes JMP 00C20FD4
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetProcAddress 76FC1857 5 Bytes JMP 00C200D1
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryA 76FC2884 5 Bytes JMP 00C20036
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryW 76FC28D2 5 Bytes JMP 00C20051
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateFileA 76FC291C 5 Bytes JMP 00C20FEF
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetStartupInfoW 76FC7CD5 5 Bytes JMP 00C20F5E
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateNamedPipeA 76FFD5BF 5 Bytes JMP 00C2000A
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!WinExec 76FFE76D 5 Bytes JMP 00C20F43
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!VirtualProtectEx 76FFF729 5 Bytes JMP 00C2007D
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_open 77527E48 5 Bytes JMP 00C30FEF
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_wsystem 7755B04F 5 Bytes JMP 00C30FAB
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!system 7755B16F 5 Bytes JMP 00C30036
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_creat 7755ED29 5 Bytes JMP 00C3000A
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_wcreat 7756038E 5 Bytes JMP 00C30025
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_wopen 77560570 5 Bytes JMP 00C30FC6
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyA 7643D2ED 5 Bytes JMP 004D0000
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyA 7643D3C1 5 Bytes JMP 004D0047
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExA 76441B71 5 Bytes JMP 004D0076
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyW 76441CC0 5 Bytes JMP 004D0FCA
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyW 76443129 5 Bytes JMP 004D001B
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExW 7644B946 5 Bytes JMP 004D0091
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExA 7644BC0D 5 Bytes JMP 004D0FE5
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExW 7644BEC4 5 Bytes JMP 004D002C
.text C:\Windows\system32\svchost.exe[676] WS2_32.dll!socket 76D73F00 5 Bytes JMP 00C10FEF
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetStartupInfoA 76F71DF0 5 Bytes JMP 00320F3C
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateProcessW 76F7202D 5 Bytes JMP 003200A5
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateProcessA 76F72062 5 Bytes JMP 00320F06
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateNamedPipeW 76FA1FD6 5 Bytes JMP 0032002F
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreatePipe 76FA4A8B 5 Bytes JMP 00320F57
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!VirtualProtect 76FB50AB 5 Bytes JMP 00320065
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryExW 76FBB6BF 5 Bytes JMP 00320F8D
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryExA 76FBBC8B 5 Bytes JMP 00320FA8
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateFileW 76FC0B7D 5 Bytes JMP 00320FD4
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetProcAddress 76FC1857 5 Bytes JMP 00320EF5
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryA 76FC2884 5 Bytes JMP 00320FB9
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!LoadLibraryW 76FC28D2 5 Bytes JMP 00320040
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateFileA 76FC291C 5 Bytes JMP 00320FEF
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetStartupInfoW 76FC7CD5 5 Bytes JMP 00320F21
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateNamedPipeA 76FFD5BF 5 Bytes JMP 00320014
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!WinExec 76FFE76D 5 Bytes JMP 00320080
.text C:\Windows\system32\svchost.exe[756] kernel32.dll!VirtualProtectEx 76FFF729 5 Bytes JMP 00320F72
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_open 77527E48 5 Bytes JMP 0033000C
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_wsystem 7755B04F 5 Bytes JMP 00330F94
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!system 7755B16F 5 Bytes JMP 00330029
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_creat 7755ED29 5 Bytes JMP 00330FDE
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_wcreat 7756038E 5 Bytes JMP 00330FB9
.text C:\Windows\system32\svchost.exe[756] msvcrt.dll!_wopen 77560570 5 Bytes JMP 00330FEF
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyA 7643D2ED 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyA 7643D3C1 5 Bytes JMP 00200FAF
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyExA 76441B71 5 Bytes JMP 00200F8A
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyW 76441CC0 5 Bytes JMP 0020002C
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyW 76443129 5 Bytes JMP 00200FEF
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegCreateKeyExW 7644B946 5 Bytes JMP 00200F6F
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyExA 7644BC0D 5 Bytes JMP 0020001B
.text C:\Windows\system32\svchost.exe[756] ADVAPI32.dll!RegOpenKeyExW 7644BEC4 5 Bytes JMP 00200FCA
.text C:\Windows\system32\svchost.exe[756] WS2_32.dll!socket 76D73F00 5 Bytes JMP 0021000A
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!GetStartupInfoA 76F71DF0 5 Bytes JMP 00A20F68
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateProcessW 76F7202D 5 Bytes JMP 00A200BD
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateProcessA 76F72062 5 Bytes JMP 00A20F28
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateNamedPipeW 76FA1FD6 5 Bytes JMP 00A20FDB
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreatePipe 76FA4A8B 5 Bytes JMP 00A20091
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!VirtualProtect 76FB50AB 5 Bytes JMP 00A2006C
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryExW 76FBB6BF 5 Bytes JMP 00A20F94
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryExA 76FBBC8B 5 Bytes JMP 00A20FA5
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateFileW 76FC0B7D 5 Bytes JMP 00A2001B
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!GetProcAddress 76FC1857 5 Bytes JMP 00A200D8
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryA 76FC2884 5 Bytes JMP 00A2003D
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryW 76FC28D2 5 Bytes JMP 00A20FB6
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateFileA 76FC291C 5 Bytes JMP 00A20000
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!GetStartupInfoW 76FC7CD5 5 Bytes JMP 00A200A2
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateNamedPipeA 76FFD5BF 5 Bytes JMP 00A2002C
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!WinExec 76FFE76D 5 Bytes JMP 00A20F43
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!VirtualProtectEx 76FFF729 5 Bytes JMP 00A20F79
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_open 77527E48 5 Bytes JMP 00A30FE3
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_wsystem 7755B04F 5 Bytes JMP 00A30FA6
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!system 7755B16F 5 Bytes JMP 00A30031
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_creat 7755ED29 5 Bytes JMP 00A30FD2
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_wcreat 7756038E 5 Bytes JMP 00A30FC1
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_wopen 77560570 5 Bytes JMP 00A30000
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyA 7643D2ED 5 Bytes JMP 009C0FEF
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyA 7643D3C1 5 Bytes JMP 009C0036
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExA 76441B71 5 Bytes JMP 009C0051
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyW 76441CC0 5 Bytes JMP 009C0FAF
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyW 76443129 5 Bytes JMP 009C000A
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExW 7644B946 5 Bytes JMP 009C0076
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExA 7644BC0D 5 Bytes JMP 009C0025
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExW 7644BEC4 5 Bytes JMP 009C0FCA
.text C:\Windows\System32\svchost.exe[884] WS2_32.dll!socket 76D73F00 5 Bytes JMP 00A10FEF
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!GetStartupInfoA 76F71DF0 5 Bytes JMP 009900AF
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateProcessW 76F7202D 5 Bytes JMP 00990F3C
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateProcessA 76F72062 5 Bytes JMP 00990F4D
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 76FA1FD6 5 Bytes JMP 0099001E
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreatePipe 76FA4A8B 5 Bytes JMP 0099009E
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!VirtualProtect 76FB50AB 5 Bytes JMP 00990F9A
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryExW 76FBB6BF 5 Bytes JMP 00990FAB
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryExA 76FBBC8B 5 Bytes JMP 00990FBC
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateFileW 76FC0B7D 5 Bytes JMP 00990FDE
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!GetProcAddress 76FC1857 5 Bytes JMP 00990F2B
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryA 76FC2884 5 Bytes JMP 00990043
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryW 76FC28D2 5 Bytes JMP 0099005E
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateFileA 76FC291C 5 Bytes JMP 00990FEF

Google is my friend. Make Google your friend too.


#6 schrauber

    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 24 June 2010 - 05:51 AM

Hello, Torvald
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 Torvald

  • Topic Starter
  • Members
  • 366 posts
  • Gender:Male
  • Location:San Antonio, TX USA

Posted 24 June 2010 - 08:56 PM

Schrauber,

Thanks for helping me.

Just to give you some background on what might be wrong with my daughter's Windows 7 laptop, here is what was found & supposedly cleaned last week:

SuperAntiSpyware found and cleaned the following:
>Adware.Vundo/Variant-X32(Header)
>Trojan.Dropper/ADR-WV
>Adware.Flash Tracking Cookie
>Rootkit.TDSS
>Adware.Tracking Cookie

MalwareBytes Antimalware found & removed the following:
>Trojan.Tracur
>Rogue.Windowsmartsecurity
>Trojan.Agent

However, her laptop was still not able to install Windows Updates, plus the Taskbar kept randomly opening & closing all by itself.

Tonight, per your instructions, I have done the following:
1. Changed file settings to show all files
2. Disabled antivirus, but kept internet connection turned on
3. Downloaded combofix (renamed schrauber.exe) using my good computer, and then transferred it to the laptop using a flashdrive
4. Ran combofix
5. Got a warning that superantispyware had an active real time scanner & to disable it, but this was a false warning as I have the free on-demand scan version only
6. Got a notice that there was a newer version of combofix available, and updated to it
7. Combofix then began its scanning process
8. The laptop restarted Windows 7 by itself, and then combofix continued to run
9. When combofix was finally done, I saved the combofix log file, which I will post for you below:

ComboFix 10-06-24.01 - Jennie 06/24/2010 20:11:45.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1918.940 [GMT -5:00]
Running from: c:\users\Jennie\Desktop\schrauber.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\SysWoW32
c:\programdata\SysWoW32\@u1190046172v0
c:\programdata\SysWoW32\@u1190046172v1
c:\programdata\SysWoW32\@u1190046172v2
c:\programdata\SysWoW32\@u1190046172v3
c:\programdata\SysWoW32\_u1190046172v0
c:\programdata\SysWoW32\_u1190046172v1
c:\programdata\SysWoW32\_u1190046172v2
c:\programdata\SysWoW32\_u1190046172v3
c:\programdata\SysWoW32\mu1190046172v4
c:\programdata\SysWoW32\mu1190046172v4.kwd
c:\programdata\SysWoW32\mu1190046172v5
c:\programdata\SysWoW32\mu1190046172v5.kwd
c:\programdata\SysWoW32\mu1190046172v6
c:\programdata\SysWoW32\mu1190046172v6.kwd
c:\programdata\SysWoW32\mu1190046172v7
c:\programdata\SysWoW32\mu1190046172v7.kwd
c:\programdata\SysWoW32\wu1190046172v0
c:\programdata\SysWoW32\wu1190046172v0.kwd
c:\programdata\SysWoW32\wu1190046172v1
c:\programdata\SysWoW32\wu1190046172v1.kwd
c:\programdata\SysWoW32\wu1190046172v2
c:\programdata\SysWoW32\wu1190046172v2.kwd
c:\programdata\SysWoW32\wu1190046172v3
c:\programdata\SysWoW32\wu1190046172v3.kwd
c:\programdata\unrar.exe
c:\users\Jennie\AppData\Roaming\.#
c:\users\Jennie\AppData\Roaming\02000000c86e1b98950C.manifest
c:\users\Jennie\AppData\Roaming\02000000c86e1b98950O.manifest
c:\users\Jennie\AppData\Roaming\02000000c86e1b98950P.manifest
c:\users\Jennie\AppData\Roaming\02000000c86e1b98950S.manifest
c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{879430ab-640d-453a-af11-fa2cd8ae68a8}
c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{879430ab-640d-453a-af11-fa2cd8ae68a8}\chrome.manifest
c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{879430ab-640d-453a-af11-fa2cd8ae68a8}\chrome\xulcache.jar
c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{879430ab-640d-453a-af11-fa2cd8ae68a8}\defaults\preferences\xulcache.js
c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{879430ab-640d-453a-af11-fa2cd8ae68a8}\install.rdf
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
.

2010-06-25 01:19 . 2010-06-25 01:22 -------- d-----w- c:\users\Jennie\AppData\Local\temp
2010-06-22 23:28 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-22 23:28 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll
2010-06-15 02:21 . 2010-06-16 00:42 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-15 01:58 . 2010-06-15 01:58 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-06-15 01:47 . 2010-06-15 01:47 -------- d-----w- c:\users\Jennie\AppData\Local\ElevatedDiagnostics
2010-06-15 01:30 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-06-15 01:30 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-06-14 23:51 . 2010-06-14 23:52 -------- d-----w- c:\temp\MalwareBytes Antimalware
2010-06-14 23:51 . 2010-06-14 23:51 -------- d-----w- c:\temp\SuperAntiSpyware
2010-06-14 23:50 . 2010-06-14 23:50 -------- d-----w- c:\temp\Ccleaner
2010-06-14 23:49 . 2010-06-14 23:49 -------- d-----w- c:\temp\Spyware Blaster
2010-06-14 00:59 . 2010-06-16 00:56 63488 ----a-w- c:\users\Jennie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-14 00:59 . 2010-06-14 00:59 52224 ----a-w- c:\users\Jennie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-14 00:59 . 2010-06-16 00:55 117760 ----a-w- c:\users\Jennie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-14 00:58 . 2010-06-14 00:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-13 02:54 . 2010-06-13 02:54 -------- d-----w- c:\program files\Common Files\Java
2010-06-13 02:53 . 2010-06-13 02:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-13 02:46 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-13 02:46 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-13 02:46 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-13 02:45 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-13 02:45 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-13 01:28 . 2010-06-13 02:33 -------- d-----w- c:\users\Jennie\AppData\Roaming\Defense Center
2010-06-09 00:16 . 2010-06-14 23:47 -------- d-----w- c:\users\Jennie\Incomplete
2010-06-08 10:44 . 2010-06-08 10:44 -------- d-----w- c:\users\Jennie\AppData\Roaming\Hotdog Hotshot
2010-06-08 08:37 . 2010-06-08 08:38 -------- d-----w- c:\program files\Hotdog Hotshot
2010-06-02 07:59 . 2009-10-16 13:34 11776 ----a-w- c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}\lib\WINNT_x86-msvc\1.9.1\yoono.dll
2010-05-26 22:30 . 2010-05-26 22:30 7908496 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\MediaImpression Downloader_2.1.0.49.exe
2010-05-26 10:08 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 09:32 . 2010-06-13 20:11 -------- d-----w- c:\users\Jennie\AppData\Roaming\METAbolt
2010-05-26 09:31 . 2010-06-13 20:11 -------- d-----w- c:\program files\METAbolt
2010-05-26 09:27 . 2010-05-26 09:27 -------- d-----w- c:\users\Jennie\AppData\Local\WinZip
2010-05-26 02:12 . 2010-05-26 02:12 -------- d-sh--we c:\windows\system32\config\systemprofile\AppData\Local\Temporary Internet Files
2010-05-26 02:12 . 2010-05-26 02:12 -------- d-sh--we c:\windows\system32\config\systemprofile\AppData\Local\History
2010-05-26 02:12 . 2010-05-26 02:12 -------- d-sh--we c:\windows\system32\config\systemprofile\AppData\Local\Application Data
2010-05-26 02:12 . 2010-05-26 02:12 -------- d-----w- c:\users\Jennie\AppData\Local\Programs
2010-05-26 02:11 . 2010-05-26 02:11 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-05-26 02:08 . 2010-05-26 02:08 -------- d-----w- c:\users\Jennie\AppData\Local\ArcSoft
2010-05-26 02:07 . 2010-05-26 02:28 -------- d--h--w- c:\programdata\ArcSoft
2010-05-26 02:06 . 2006-11-10 20:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2010-05-26 02:06 . 2010-06-13 23:39 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-05-26 02:05 . 2010-05-26 02:28 -------- d-----w- c:\users\Jennie\AppData\Roaming\ArcSoft
2010-05-26 02:05 . 2010-05-26 02:05 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-26 01:47 . 2010-05-26 02:09 -------- d-----w- c:\program files\Media Player Utilities 5.15

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 01:06 . 2010-03-16 11:30 -------- d-----w- c:\users\Jennie\AppData\Roaming\Skype
2010-06-16 00:54 . 2010-03-12 01:31 -------- d-----w- c:\program files\SpywareBlaster
2010-06-14 23:55 . 2010-02-27 03:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 23:53 . 2009-10-23 23:33 -------- d-----w- c:\users\Jennie\AppData\Roaming\FrostWire
2010-06-14 01:57 . 2010-02-27 01:34 -------- d-----w- c:\program files\CCleaner
2010-06-14 00:58 . 2010-02-27 02:55 -------- d-----w- c:\users\Jennie\AppData\Roaming\SUPERAntiSpyware.com
2010-06-14 00:58 . 2010-02-27 02:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-13 23:40 . 2008-12-28 10:02 -------- d-----w- c:\program files\RealArcade
2010-06-13 20:08 . 2010-05-22 01:16 -------- d-----w- c:\program files\Bing Bar Installer
2010-06-13 20:07 . 2009-07-24 18:13 -------- d-----w- c:\program files\Microsoft
2010-06-13 05:29 . 2010-03-16 11:32 -------- d-----w- c:\users\Jennie\AppData\Roaming\skypePM
2010-06-13 02:33 . 2009-10-23 23:31 -------- d-----w- c:\program files\FrostWire
2010-06-13 02:32 . 2010-02-27 03:31 -------- d-----w- c:\programdata\Malwarebytes
2010-06-13 02:32 . 2008-11-17 04:38 -------- d-----w- c:\program files\Viewpoint
2010-06-11 08:29 . 2010-06-11 08:29 0 ----a-w- c:\users\Jennie\AppData\Roaming\6F46.tmp
2010-06-05 22:00 . 2008-11-16 23:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 07:35 . 2010-05-22 01:15 -------- d-----w- c:\program files\Farm Helper
2010-05-23 06:47 . 2009-06-04 00:03 -------- d-----w- c:\programdata\PlayfulAge
2010-05-22 01:23 . 2008-11-17 04:38 -------- d-----w- c:\programdata\Yahoo! Companion
2010-05-21 19:14 . 2009-10-03 00:46 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 08:22 . 2010-05-18 08:12 -------- d-----w- c:\users\Jennie\AppData\Roaming\Digsby
2010-05-18 08:22 . 2010-05-18 08:12 -------- d-----w- c:\programdata\Digsby
2010-05-16 10:03 . 2009-09-24 06:32 -------- d-----w- c:\users\Jennie\AppData\Roaming\GamesCafe
2010-05-16 07:40 . 2010-05-16 07:39 -------- d-----w- c:\program files\Sally's Studio Collector's Edition
2010-05-12 12:01 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-12 12:00 . 2008-11-16 22:54 -------- d-----w- c:\programdata\Microsoft Help
2010-05-11 10:37 . 2010-05-11 10:37 -------- d-----w- c:\program files\Life Quest
2010-05-11 10:03 . 2010-05-11 10:02 -------- d-----w- c:\programdata\WinZip
2010-05-11 08:45 . 2010-05-11 08:45 -------- d-----w- c:\users\Jennie\AppData\Roaming\Big Fish Games
2010-05-03 09:25 . 2009-07-14 08:49 -------- d-----w- c:\program files\GreenLife Emerald Viewer
2010-05-01 09:02 . 2010-05-01 09:02 50354 ----a-w- c:\users\Jennie\AppData\Roaming\Facebook\uninstall.exe
2010-05-01 09:02 . 2010-05-01 09:02 -------- d-----w- c:\users\Jennie\AppData\Roaming\Facebook
2010-04-29 20:39 . 2010-02-27 03:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-02-27 03:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-06 23:24 . 2009-06-06 23:24 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-10-23 02:07 . 2010-02-27 01:09 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-23 124240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2010-1-26 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Windows Mobile Device Center"=%windir%\WindowsMobile\wmdc.exe

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 gupdate1c9bec65599252d;Google Update Service (gupdate1c9bec65599252d);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 133104]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 65448]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2009-10-23 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 70728]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 19:04]

2010-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 19:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}\lib\WINNT_x86-msvc\1.9.1\yoono.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Jennie\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\users\Jennie\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-06-24 20:27:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-25 01:27

Pre-Run: 135,530,442,752 bytes free
Post-Run: 135,438,790,656 bytes free

- - End Of File - - A112E36887903007F573723AA056A36F

Edited by Torvald, 24 June 2010 - 08:57 PM.

Google is my friend. Make Google your friend too.
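The policies\system block in the ComboFix log above shows UAC switched off ("EnableLUA"=0, "ConsentPromptBehaviorAdmin"=0, "PromptOnSecureDesktop"=0), which a cleanup should restore once the machine is clean. As an added triage helper, not part of this thread or of ComboFix itself, the Python script below parses the "Reg Loading Points" format and flags those weak UAC values plus Run-key autoruns that live outside Program Files or Windows; the policies block and the HKCU Run block in the sample are copied from the log, while the "ExampleUpdater" line is constructed to exercise the path check.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a ComboFix "Reg Loading Points" section. The policies
# block and the HKCU Run block are copied from the log posted in the thread;
# the "ExampleUpdater" line is constructed so the path check has something to flag.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"ExampleUpdater"="c:\users\Jennie\AppData\Roaming\Example\updater.exe" [2010-06-20 51200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

POLICIES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# (value name, weak setting, what that setting means) for the UAC policy
# values that appear in the log. 0 is the weakest setting for each of them.
WEAK_UAC_SETTINGS = [
    ("EnableLUA", 0, "UAC (Admin Approval Mode) is switched off entirely"),
    ("ConsentPromptBehaviorAdmin", 0, "administrators elevate without any prompt"),
    ("PromptOnSecureDesktop", 0, "elevation prompts are not shown on the secure desktop"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_blocks(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the '"name"=value' lines of a ComboFix registry dump under their
    [KEY] header. Keys are lower-cased because ComboFix prints them in mixed case."""
    blocks: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            blocks.setdefault(current, [])
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            blocks[current].append((value_match.group(1), value_match.group(2).strip()))
    return blocks


def dword_value(raw: str) -> int:
    """ComboFix prints DWORDs as '0 (0x0)'; the first token is the decimal value."""
    return int(raw.split()[0])


def uac_findings(blocks: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return one finding per UAC policy value that is set to its weak setting."""
    findings = []
    values = dict(blocks.get(POLICIES_KEY, []))
    for name, weak, meaning in WEAK_UAC_SETTINGS:
        if name in values and dword_value(values[name]) == weak:
            findings.append(f"{name}={weak}: {meaning}")
    return findings


def autoruns_outside_program_dirs(blocks: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """List Run-key entries whose binary lives outside Program Files or Windows.
    Autoruns under a user profile deserve a second look during a cleanup."""
    trusted_prefixes = ("c:\\program files", "c:\\windows")
    flagged = []
    for key, values in blocks.items():
        if not key.endswith(RUN_KEY_SUFFIX):
            continue
        for name, raw in values:
            path_match = re.match(r'^"([^"]*)"', raw)
            if not path_match:
                continue
            if not path_match.group(1).lower().startswith(trusted_prefixes):
                flagged.append((name, path_match.group(1)))
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_blocks(SAMPLE_LOG)
    for finding in uac_findings(parsed):
        print("UAC:", finding)
    for entry_name, entry_path in autoruns_outside_program_dirs(parsed):
        print("Autorun outside program dirs:", entry_name, "->", entry_path)
```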


#8 schrauber

    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 26 June 2010 - 02:35 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
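The /md5start ... /md5stop section of the OTL custom scan above is the part of that scan that matters most after a TDSS-class infection: OTL computes an MD5 for every copy of the listed files it finds under the system root, and the list is dominated by disk-controller and logon DLLs (atapi.sys, iaStorV.sys, netlogon.dll and the like), exactly the files a kernel-mode rootkit patches in place rather than adding a new file. The script below is an added illustration of that check, written for this page; it is not OTL's own code and it does not reproduce OTL's output format. It parses the same directive syntax, walks a directory tree case-insensitively the way a Windows scan would, and compares each hash against a known-good baseline. The baseline dictionary, the temporary "system root" and the file contents in demo() are all constructed for the example; a real baseline would come from hashing the same files on a known-clean install of the same Windows build.

```python
"""Verify MD5 hashes of files listed between /md5start and /md5stop in an
OTL-style custom scan against a known-good baseline.  Added example for this
thread, not OTL's own code."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed: an abridged copy of the custom-scan text from the post above.
# Only the /md5start ... /md5stop section is interpreted here.
CUSTOM_SCAN = """netsvcs
%SYSTEMDRIVE%\\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
atapi.sys
iaStor.sys
/md5stop
%systemroot%\\*. /mp /s
"""


def parse_md5_targets(scan_text):
    """Return the file names listed between /md5start and /md5stop, in order."""
    targets, inside = [], False
    for raw in scan_text.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            targets.append(line)
    return targets


def md5_of(path):
    """Stream the file through MD5 (the digest OTL reports) in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_files(root, names):
    """Case-insensitive search for every copy of each target name under root,
    because NTFS is case-insensitive and a driver may exist in several
    locations (system32\\drivers, winsxs, DriverStore)."""
    wanted = {n.lower(): n for n in names}
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                found.setdefault(wanted[fn.lower()], []).append(os.path.join(dirpath, fn))
    return found


def check_against_baseline(root, names, baseline):
    """Classify each target as 'ok', 'MODIFIED', 'unknown' (no baseline entry)
    or 'missing'.  Baseline keys are lower-cased file names -> expected MD5."""
    found = find_files(root, names)
    order = {"MODIFIED": 0, "unknown": 1, "ok": 2}  # worst verdict wins
    report = {}
    for name in names:
        paths = found.get(name)
        if not paths:
            report[name] = "missing"
            continue
        verdicts = []
        for p in paths:
            expected = baseline.get(name.lower())
            if expected is None:
                verdicts.append("unknown")
            elif md5_of(p) == expected:
                verdicts.append("ok")
            else:
                verdicts.append("MODIFIED")
        # A patched copy anywhere under the root is what matters, so report
        # the worst verdict seen across all copies of this file name.
        report[name] = min(verdicts, key=order.__getitem__)
    return report


def demo():
    """Build a constructed fake system root, run the check and return the report.
    All file contents and baseline hashes here are made up for the example."""
    tmp = Path(tempfile.mkdtemp())
    drivers = tmp / "drivers"
    drivers.mkdir()
    (drivers / "atapi.sys").write_bytes(b"clean atapi driver bytes")
    (drivers / "iaStor.sys").write_bytes(b"patched iaStor driver bytes")  # differs from baseline
    (tmp / "eventlog.dll").write_bytes(b"eventlog")                         # no baseline entry
    baseline = {
        "atapi.sys": hashlib.md5(b"clean atapi driver bytes").hexdigest(),
        "iastor.sys": hashlib.md5(b"clean iaStor driver bytes").hexdigest(),
    }
    return check_against_baseline(tmp, parse_md5_targets(CUSTOM_SCAN), baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

In the constructed run, atapi.sys comes back "ok", iaStor.sys "MODIFIED", eventlog.dll "unknown" and the two files that were never created "missing". A "MODIFIED" verdict on a driver that Windows Update has not touched is the signal a helper is looking for when reading the OTL md5 output; "unknown" just means the baseline needs extending, and for new baselines a SHA-256 alongside the MD5 is the better choice, MD5 being kept here only because it is what OTL prints.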

#9 Torvald

Torvald
  • Topic Starter

  • Members
  • 366 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 26 June 2010 - 05:32 PM

Tom,

Thank you for reviewing my combofix log.

One piece of good news is that when I shut down my daughter's computer after running combofix, several Windows updates which had previously been downloaded but would not install, now automatically installed during the shutdown.

Have run MBAM as requested, and here is the resultant log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4245

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/26/2010 5:16:34 PM
mbam-log-2010-06-26 (17-16-34).txt

Scan type: Quick scan
Objects scanned: 127613
Time elapsed: 10 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Google is my friend. Make Google your friend too.


#10 Torvald

Torvald
  • Topic Starter

  • Members
  • 366 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 26 June 2010 - 07:39 PM

Tom,

Have now run the Eset online scanner, and it found one problem. However, I did not delete it, per your instructions. Will post the esetscan textfile below and will then proceed to the OTL scan.

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\@u1190046172v1.vir Win32/TrojanDownloader.Agent.PDY trojan deleted - quarantined

Google is my friend. Make Google your friend too.


#11 Torvald

Torvald
  • Topic Starter

  • Members
  • 366 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 26 June 2010 - 08:03 PM

Tom,

Have now run OTL, and am posting the contents of the OTL.txt and Extras.txt files below:

OTL logfile created on: 6/26/2010 7:43:18 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Jennie\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 122.47 Gb Free Space | 82.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 4.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 949.09 Mb Total Space | 304.42 Mb Free Space | 32.08% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENNIE-LAPTOP
Current User Name: Jennie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/26 19:40:19 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Jennie\Desktop\OTL.exe
PRC - [2010/06/07 12:13:53 | 002,403,568 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/22 21:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2009/10/22 21:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/10/22 21:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2009/10/22 21:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/10/22 21:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/10/22 21:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2009/08/25 17:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 17:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 17:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/25 17:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 20:14:42 | 000,009,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TCPSVCS.EXE
PRC - [2009/07/13 20:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/04/27 09:34:18 | 001,123,872 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


========== Modules (SafeList) ==========

MOD - [2010/06/26 19:40:19 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Jennie\Desktop\OTL.exe
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/26 19:44:35 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/10/22 21:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2009/10/22 21:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2009/10/22 21:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/10/22 21:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/08/25 17:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:42 | 000,009,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\TCPSVCS.EXE -- (simptcp)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/10/22 21:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/10/22 21:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/10/22 21:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/10/22 21:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/10/22 21:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/10/22 21:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (SrvHsfV92)
DRV - [2009/07/13 17:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (SrvHsfWinac)
DRV - [2009/07/13 17:13:45 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (SrvHsfHDA)
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/08 00:45:32 | 002,506,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2008/12/01 22:14:34 | 004,179,968 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2005/12/01 17:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 17:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 17:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/11/16 21:28:32 | 000,028,928 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/08/17 08:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/08/17 08:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 08:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 08:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A4 B8 E8 01 64 93 AE 47 87 EA 61 D5 7B 18 30 47 [binary data]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/"
FF - prefs.js..extensions.enabledItems: anycolor.pavlos256@gmail.com:0.3.1
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {d9284e50-81fc-11da-a72b-0800200c9a66}:7.2.2


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 23:28:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/12 21:53:43 | 000,000,000 | ---D | M]

[2009/10/25 21:52:15 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mozilla\Extensions
[2010/06/24 20:33:15 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions
[2010/06/02 03:00:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2010/04/28 05:35:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/20 08:13:16 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/02 03:00:00 | 000,000,000 | ---D | M] (Yoono) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}
[2009/10/25 21:52:17 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\anycolor.pavlos256@gmail.com
[2010/05/22 03:10:26 | 000,001,840 | ---- | M] () -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\searchplugins\bing.xml
[2010/06/12 21:53:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 06:30:38 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2009/10/25 21:41:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{bff829b6-b433-42ce-9a19-e459d3e4e483}
[2010/06/12 21:53:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/10/22 21:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/06/12 21:52:56 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/24 20:21:23 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Jennie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\digsby.lnk = C:\Program Files\Digsby\digsby.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O24 - Desktop WallPaper: C:\Users\Jennie\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Jennie\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/05/24 05:36:40 | 000,000,157 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2010/03/27 12:20:06 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{d8367b55-b3fc-11dd-a835-001c23ae454a}\Shell - "" = AutoRun
O33 - MountPoints2\{d8367b55-b3fc-11dd-a835-001c23ae454a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2006/05/24 05:36:40 | 000,950,272 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 21:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/26 19:40:08 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Jennie\Desktop\OTL.exe
[2010/06/26 17:35:13 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/24 20:21:30 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010/06/24 20:19:08 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\temp
[2010/06/24 20:10:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/06/24 20:10:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/06/24 20:10:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/06/24 20:09:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/06/24 20:09:24 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/06/24 20:05:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/06/24 20:00:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/15 20:18:18 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/06/14 21:21:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/06/14 20:58:29 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Drivers HeadQuarters
[2010/06/14 20:47:59 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\ElevatedDiagnostics
[2010/06/13 19:58:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/06/12 21:54:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/12 20:28:37 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Defense Center
[2010/06/09 16:13:00 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\WinRAR
[2010/06/08 19:16:18 | 000,000,000 | ---D | C] -- C:\Users\Jennie\Incomplete
[2010/06/08 19:16:18 | 000,000,000 | ---D | C] -- C:\Users\Jennie\Documents\FrostWire
[2010/06/08 05:44:54 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Hotdog Hotshot
[2010/06/08 03:37:24 | 000,000,000 | ---D | C] -- C:\Program Files\Hotdog Hotshot
[2010/05/26 04:32:19 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\METAbolt
[2010/05/26 04:31:27 | 000,000,000 | ---D | C] -- C:\Program Files\METAbolt
[2010/05/26 04:27:02 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\WinZip
[2010/05/25 21:12:00 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\Programs
[2010/05/25 21:08:26 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\ArcSoft
[2010/05/25 21:07:48 | 000,000,000 | -H-D | C] -- C:\ProgramData\ArcSoft
[2010/05/25 21:06:35 | 000,018,688 | ---- | C] (Arcsoft, Inc.) -- C:\Windows\System32\drivers\afc.sys
[2010/05/25 21:06:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2010/05/25 21:05:41 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\ArcSoft
[2010/05/25 21:05:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/05/25 20:47:00 | 000,000,000 | ---D | C] -- C:\Program Files\Media Player Utilities 5.15
[2010/05/21 20:16:07 | 000,000,000 | ---D | C] -- C:\Program Files\Bing Bar Installer
[2010/05/21 20:15:55 | 000,000,000 | ---D | C] -- C:\Program Files\Farm Helper
[2010/05/18 03:16:24 | 000,000,000 | ---D | C] -- C:\Users\Jennie\Documents\Digsby Logs
[2010/05/18 03:12:38 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Digsby
[2010/05/18 03:12:38 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\Digsby
[2010/05/18 03:12:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Digsby
[2010/05/16 02:39:57 | 000,000,000 | ---D | C] -- C:\Program Files\Sally's Studio Collector's Edition
[2010/05/11 05:37:11 | 000,000,000 | ---D | C] -- C:\Program Files\Life Quest
[2010/05/11 05:02:39 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2010/05/11 03:45:56 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Big Fish Games
[2010/05/02 07:53:16 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\Emerald
[2010/05/01 04:02:27 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Facebook
[2010/05/01 03:52:30 | 000,000,000 | ---D | C] -- C:\Users\Jennie\Desktop\Zombies
[2010/04/22 07:22:54 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\BigFishGames
[2010/04/21 09:15:50 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\SLiteChat
[2010/04/21 09:15:25 | 000,000,000 | ---D | C] -- C:\Program Files\Dooglio.NET
[2010/04/20 08:13:26 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\Yahoo!
[2010/04/03 23:27:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/03 23:27:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Users\Jennie\AppData\Roaming\*.tmp files -> C:\Users\Jennie\AppData\Roaming\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/26 19:47:06 | 006,815,744 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat
[2010/06/26 19:40:19 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Jennie\Desktop\OTL.exe
[2010/06/26 19:16:06 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/26 17:06:41 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/26 17:06:41 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/26 16:59:24 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/26 16:59:09 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/26 16:59:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/26 16:59:00 | 1508,413,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/26 16:52:14 | 001,651,488 | -H-- | M] () -- C:\Users\Jennie\AppData\Local\IconCache.db
[2010/06/26 14:31:33 | 000,741,710 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/26 14:31:33 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/26 14:31:33 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/24 20:21:45 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/06/24 20:21:23 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/06/24 20:09:16 | 003,719,852 | R--- | M] () -- C:\Users\Jennie\Desktop\schrauber.exe
[2010/06/24 19:33:18 | 246,885,675 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/13 21:13:44 | 000,000,817 | ---- | M] () -- C:\ProgramData\481620870
[2010/06/13 21:03:42 | 000,000,040 | ---- | M] () -- C:\Users\Jennie\AppData\Roaming\4c34f481
[2010/06/13 20:06:02 | 000,000,409 | -HS- | M] () -- C:\ProgramData\1290052566
[2010/06/13 07:35:15 | 000,299,416 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/13 07:32:53 | 000,524,288 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000002.regtrans-ms
[2010/06/13 07:32:53 | 000,524,288 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000001.regtrans-ms
[2010/06/13 07:32:53 | 000,065,536 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
[2010/06/09 16:12:52 | 000,000,113 | ---- | M] () -- C:\ProgramData\sl755315012
[2010/06/08 18:55:15 | 000,001,199 | ---- | M] () -- C:\Users\Jennie\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.20.6.lnk
[2010/05/18 03:30:24 | 000,000,973 | ---- | M] () -- C:\Users\Jennie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\digsby.lnk
[2010/05/04 03:11:05 | 000,000,251 | ---- | M] () -- C:\Users\Jennie\kittyaddy.rtf
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/27 15:36:55 | 000,000,226 | ---- | M] () -- C:\Users\Jennie\Documents\summerclasses.rtf
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/20 08:12:33 | 000,001,129 | ---- | M] () -- C:\Users\Jennie\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/03/31 14:31:20 | 000,036,237 | ---- | M] () -- C:\Users\Jennie\Documents\zipper-tongue.jpg
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Users\Jennie\AppData\Roaming\*.tmp files -> C:\Users\Jennie\AppData\Roaming\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/24 20:10:17 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/24 20:10:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/06/24 20:10:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/06/24 20:10:17 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/06/24 20:10:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/06/24 19:58:26 | 003,719,852 | R--- | C] () -- C:\Users\Jennie\Desktop\schrauber.exe
[2010/06/16 19:20:38 | 246,885,675 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/06/12 21:34:50 | 000,524,288 | -HS- | C] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000002.regtrans-ms
[2010/06/12 21:34:49 | 000,524,288 | -HS- | C] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000001.regtrans-ms
[2010/06/12 21:34:49 | 000,065,536 | -HS- | C] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
[2010/06/10 17:19:17 | 000,000,040 | ---- | C] () -- C:\Users\Jennie\AppData\Roaming\4c34f481
[2010/06/09 16:13:48 | 000,000,817 | ---- | C] () -- C:\ProgramData\481620870
[2010/06/09 16:13:48 | 000,000,409 | -HS- | C] () -- C:\ProgramData\1290052566
[2010/06/09 16:12:52 | 000,000,113 | ---- | C] () -- C:\ProgramData\sl755315012
[2010/06/08 18:55:15 | 000,001,199 | ---- | C] () -- C:\Users\Jennie\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.20.6.lnk
[2010/05/18 03:30:24 | 000,000,973 | ---- | C] () -- C:\Users\Jennie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\digsby.lnk
[2010/05/04 03:11:03 | 000,000,251 | ---- | C] () -- C:\Users\Jennie\kittyaddy.rtf
[2010/04/28 23:04:43 | 000,036,237 | ---- | C] () -- C:\Users\Jennie\Documents\zipper-tongue.jpg
[2010/04/27 15:36:43 | 000,000,226 | ---- | C] () -- C:\Users\Jennie\Documents\summerclasses.rtf
[2010/02/26 21:53:30 | 000,000,127 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/20 23:20:13 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/12/01 20:46:12 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/08/04 00:44:20 | 000,000,758 | ---- | C] () -- C:\Windows\System32\WLAN.INI
[2006/03/06 10:41:02 | 000,073,728 | ---- | C] () -- C:\Windows\System32\AMV_DecDLL.dll
[2004/09/16 13:26:40 | 000,012,634 | ---- | C] () -- C:\Windows\System32\drivers\ADFUUD.SYS

========== LOP Check ==========

[2010/02/28 20:19:24 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Babylonia
[2010/05/11 03:45:56 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Big Fish Games
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\BlamGames
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\blg
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Boolat Games
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Camel101
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\CatmoonGames
[2010/06/12 21:33:20 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Defense Center
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\eGames
[2009/10/25 21:51:46 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\EleFun Games
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\ERS G-Studio
[2010/05/01 04:02:29 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Facebook
[2010/02/24 23:37:05 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Farm Mania
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\fillup
[2010/06/14 18:53:53 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\FrostWire
[2010/02/21 22:00:03 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\funkitron
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Fuzzy Games
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\GameFools JanesZOO
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\GameInvest
[2010/05/16 05:03:41 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\GamesCafe
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\GetRightToGo
[2009/10/25 21:51:47 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\GOL_byHasbro
[2009/10/25 21:51:48 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\GraveyardShift
[2010/06/08 05:44:54 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Hotdog Hotshot
[2009/10/25 21:51:48 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\HuruBeachParty
[2009/10/25 21:51:48 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\iWin
[2009/10/25 21:51:48 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\iWinArcade
[2009/10/25 21:51:48 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Jane s Hotel Family Hero
[2010/02/15 22:32:24 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Ladia Group
[2009/10/25 21:52:08 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mean Hamster
[2009/10/25 21:52:08 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\MegaplexMadnessSummerBlockbuster
[2009/10/25 21:52:08 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Meridian93
[2009/11/08 02:24:40 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Merscom
[2010/06/13 15:11:27 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\METAbolt
[2009/10/25 21:52:18 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\My Games
[2009/10/25 21:52:20 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\MysteryStudio
[2009/08/31 13:37:20 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\PeerNetworking
[2009/10/25 21:52:20 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\PlayFirst
[2009/10/25 21:52:20 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Pogo Games
[2009/10/25 21:52:20 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Quirky Games
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\SecondLife
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Skip-Bo
[2010/04/21 09:15:50 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\SLiteChat
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\SprillRichiEng
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\SulusGames
[2009/11/03 04:31:00 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\TitanicMystery
[2009/10/29 02:18:24 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Valusoft
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\ViquaSoft
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\World-LooM
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\YoudaGames
[2009/10/25 21:52:22 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Zylom
[2010/04/20 07:35:01 | 000,032,564 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2007/01/06 00:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_29af12c5857181b0\nvstor.sys
[2007/01/06 00:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Windows\System32\DriverStore\FileRepository\nvstor.inf_x86_neutral_2d190bda0635df72\nvstor.sys
[2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 20:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/07/13 20:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2009/07/13 20:15:36 | 000,226,816 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\LocationApi.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[1 C:\Windows\system32\drivers\*.tmp files -> C:\Windows\system32\drivers\*.tmp -> ]

< %systemroot%\System32\config\*.sav >

< %systemdrive%\*.sys /90 /md5 >
[2010/06/26 16:59:00 | 1508,413,440 | -HS- | M] () Unable to obtain MD5 -- C:\hiberfil.sys
[2010/06/26 16:59:03 | 2011,217,920 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:74091520
@Alternate Data Stream - 294 bytes -> C:\ProgramData\TEMP:7524F6CC
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:908A1B53
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:6FD36C4B
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:F35AE645
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:87452B14
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:9D6EAEC3
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:E5B6B9C5
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:16F2A6FF
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:A59DD4AD
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:4C528C86
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:10CFA7D4
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:04BB186B
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:C72A744C
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:12D9D48F

< End of report >



OTL Extras logfile created on: 6/26/2010 7:43:18 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Jennie\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 122.47 Gb Free Space | 82.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 4.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 949.09 Mb Total Space | 304.42 Mb Free Space | 32.08% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENNIE-LAPTOP
Current User Name: Jennie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B719A70-F14A-4f5c-90B5-346B24B7FFF1}" = Windows 7 Upgrade Advisor
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}" = Media Player Utilities 5.15
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 ATL (x86) WinSXS MSM
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT (x86) WinSXS MSM
"{9B88DD94-1AAE-41C4-BD95-2D8737D5E9E2}" = Watson
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA951B10-7089-4D60-B288-516E641F48E6}" = McAfee Agent
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}" = WinZip 14.5
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BFGC" = Big Fish Games: Game Manager
"BFG-Hotdog Hotshot" = Hotdog Hotshot
"BFG-Sally's Studio Collector's Edition" = Sally's Studio Collector's Edition
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Defraggler" = Defraggler
"ESET Online Scanner" = ESET Online Scanner v3
"FrostWire" = FrostWire 4.20.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"SLiteChat" = SLiteChat SLiteChat for Windows
"SpywareBlaster_is1" = SpywareBlaster 4.3
"STANDARDR" = Microsoft Office Standard 2007
"ViewpointMediaPlayer" = Viewpoint Media Player
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.6.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Google is my friend. Make Google your friend too.


#12 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 June 2010 - 07:22 AM

Hi,


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.





Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    [2010/06/10 17:19:17 | 000,000,040 | ---- | C] () -- C:\Users\Jennie\AppData\Roaming\4c34f481
    [2010/06/09 16:13:48 | 000,000,817 | ---- | C] () -- C:\ProgramData\481620870
    [2010/06/09 16:13:48 | 000,000,409 | -HS- | C] () -- C:\ProgramData\1290052566
    [2010/06/09 16:12:52 | 000,000,113 | ---- | C] () -- C:\ProgramData\sl755315012
    @Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:74091520
    @Alternate Data Stream - 294 bytes -> C:\ProgramData\TEMP:7524F6CC
    @Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:908A1B53
    @Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:6FD36C4B
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:F35AE645
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:87452B14
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:9D6EAEC3
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:E5B6B9C5
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:16F2A6FF
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:A59DD4AD
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:4C528C86
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:10CFA7D4
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:04BB186B
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:5C321E34
    @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:C72A744C
    @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:12D9D48F
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


How is it running?
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#13 Torvald
  • Topic Starter

  • Members
  • 366 posts
  • Gender:Male
  • Location:San Antonio, TX USA

Posted 27 June 2010 - 06:52 PM

Tom,

Have deleted Viewpoint Media Player as requested, then ran OTL with "Run Fix" selected. Here is the logfile from that:

========== OTL ==========
C:\Users\Jennie\AppData\Roaming\4c34f481 moved successfully.
C:\ProgramData\481620870 moved successfully.
C:\ProgramData\1290052566 moved successfully.
C:\ProgramData\sl755315012 moved successfully.
ADS C:\ProgramData\TEMP:74091520 deleted successfully.
ADS C:\ProgramData\TEMP:7524F6CC deleted successfully.
ADS C:\ProgramData\TEMP:908A1B53 deleted successfully.
ADS C:\ProgramData\TEMP:6FD36C4B deleted successfully.
ADS C:\ProgramData\TEMP:F35AE645 deleted successfully.
ADS C:\ProgramData\TEMP:87452B14 deleted successfully.
ADS C:\ProgramData\TEMP:9D6EAEC3 deleted successfully.
ADS C:\ProgramData\TEMP:E5B6B9C5 deleted successfully.
ADS C:\ProgramData\TEMP:16F2A6FF deleted successfully.
ADS C:\ProgramData\TEMP:A59DD4AD deleted successfully.
ADS C:\ProgramData\TEMP:4C528C86 deleted successfully.
ADS C:\ProgramData\TEMP:10CFA7D4 deleted successfully.
ADS C:\ProgramData\TEMP:04BB186B deleted successfully.
ADS C:\ProgramData\TEMP:5C321E34 deleted successfully.
ADS C:\ProgramData\TEMP:C72A744C deleted successfully.
ADS C:\ProgramData\TEMP:12D9D48F deleted successfully.

OTL by OldTimer - Version 3.2.7.0 log created on 06272010_181521


Then ran OTL a second time for followup scan, and posting that logfile below:

OTL logfile created on: 6/27/2010 6:23:55 PM - Run 2
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Jennie\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 121.83 Gb Free Space | 81.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENNIE-LAPTOP
Current User Name: Jennie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Jennie\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\Windows\System32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\TCPSVCS.EXE (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Jennie\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (ACDaemon) -- File not found
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\Windows\System32\mfevtps.exe (McAfee, Inc.)
SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (simptcp) -- C:\Windows\System32\TCPSVCS.EXE (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)


========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (mfehidk) -- C:\Windows\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\Windows\System32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\Windows\System32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\Windows\System32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\system32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (SrvHsfV92) -- C:\Windows\System32\drivers\VSTDPV3.SYS (Conexant Systems, Inc.)
DRV - (SrvHsfWinac) -- C:\Windows\System32\drivers\VSTCNXT3.SYS (Conexant Systems, Inc.)
DRV - (SrvHsfHDA) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (BCM43XX) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM) -- C:\Windows\System32\drivers\sscdserd.sys (MCCI)
DRV - (sscdmdm) -- C:\Windows\System32\drivers\sscdmdm.sys (MCCI)
DRV - (sscdmdfl) -- C:\Windows\System32\drivers\sscdmdfl.sys (MCCI)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\sscdbus.sys (MCCI)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A4 B8 E8 01 64 93 AE 47 87 EA 61 D5 7B 18 30 47 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/"
FF - prefs.js..extensions.enabledItems: anycolor.pavlos256@gmail.com:0.3.1
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.2.1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {d9284e50-81fc-11da-a72b-0800200c9a66}:7.2.2
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.9


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/25 21:43:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 23:28:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/12 21:53:43 | 000,000,000 | ---D | M]

[2009/10/25 21:52:15 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mozilla\Extensions
[2009/07/13 23:50:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/06/24 20:33:15 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions
[2010/06/02 03:00:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2010/04/28 05:35:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/20 08:13:16 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/02 03:00:00 | 000,000,000 | ---D | M] (Yoono) -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}
[2009/10/25 21:52:17 | 000,000,000 | ---D | M] -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\extensions\anycolor.pavlos256@gmail.com
[2010/05/22 03:10:26 | 000,001,840 | ---- | M] () -- C:\Users\Jennie\AppData\Roaming\Mozilla\Firefox\Profiles\2bmyq83g.default\searchplugins\bing.xml
[2010/06/12 21:53:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/31 08:49:36 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/03/16 06:30:38 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2009/10/25 21:41:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{bff829b6-b433-42ce-9a19-e459d3e4e483}
[2009/10/25 21:41:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/10/25 21:41:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/12/03 01:03:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2010/06/12 21:53:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/03/31 08:49:31 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/03/31 08:49:31 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/10/22 21:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/06/12 21:52:56 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/03/31 08:49:33 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/04/03 18:43:36 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/04/03 23:28:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/04/03 23:28:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/04/03 23:28:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/04/03 23:28:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/04/03 23:28:02 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/04/03 23:28:02 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/04/03 23:28:02 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/02/15 19:52:19 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/02/15 19:52:19 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/02/15 19:52:19 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/02/15 19:52:20 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/02/15 19:52:20 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/02/15 19:52:20 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/02/15 19:52:20 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/06/24 20:21:23 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Jennie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\digsby.lnk = C:\Program Files\Digsby\digsby.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Jennie\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Jennie\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{d8367b55-b3fc-11dd-a835-001c23ae454a}\Shell - "" = AutoRun
O33 - MountPoints2\{d8367b55-b3fc-11dd-a835-001c23ae454a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/27 18:15:21 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/27 17:28:07 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010/06/26 19:40:08 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Jennie\Desktop\OTL.exe
[2010/06/26 17:35:13 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/26 16:31:55 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/06/26 16:31:55 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/06/26 16:31:55 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/06/24 20:21:30 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010/06/24 20:19:08 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\temp
[2010/06/24 20:10:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/06/24 20:10:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/06/24 20:10:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/06/24 20:09:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/06/24 20:09:24 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/06/24 20:05:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/06/24 20:00:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/22 18:28:07 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010/06/22 18:28:05 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll
[2010/06/22 18:28:05 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/06/22 18:28:05 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2010/06/15 20:18:18 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/06/14 21:21:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/06/14 20:58:29 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Drivers HeadQuarters
[2010/06/14 20:47:59 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Local\ElevatedDiagnostics
[2010/06/13 19:58:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/06/12 21:54:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/12 21:53:43 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/06/12 21:53:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/06/12 21:53:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/06/12 21:53:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/06/12 21:46:49 | 002,326,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/06/12 21:46:43 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010/06/12 21:46:32 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/06/12 21:46:31 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/06/12 21:46:31 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/06/12 21:46:30 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/06/12 21:45:23 | 000,293,888 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/06/12 21:45:23 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/06/12 20:28:37 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Defense Center
[2010/06/09 16:13:00 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\WinRAR
[2010/06/08 19:16:18 | 000,000,000 | ---D | C] -- C:\Users\Jennie\Incomplete
[2010/06/08 19:16:18 | 000,000,000 | ---D | C] -- C:\Users\Jennie\Documents\FrostWire
[2010/06/08 05:44:54 | 000,000,000 | ---D | C] -- C:\Users\Jennie\AppData\Roaming\Hotdog Hotshot
[2010/06/08 03:37:24 | 000,000,000 | ---D | C] -- C:\Program Files\Hotdog Hotshot
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Users\Jennie\AppData\Roaming\*.tmp files -> C:\Users\Jennie\AppData\Roaming\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/27 18:28:36 | 006,815,744 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat
[2010/06/27 18:16:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/27 17:21:41 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/27 17:21:41 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/27 17:14:31 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/27 17:14:17 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/27 17:14:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/27 17:14:07 | 1508,413,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/26 20:04:36 | 001,654,120 | -H-- | M] () -- C:\Users\Jennie\AppData\Local\IconCache.db
[2010/06/26 19:40:19 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Jennie\Desktop\OTL.exe
[2010/06/26 14:31:33 | 000,741,710 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/26 14:31:33 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/26 14:31:33 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/24 20:21:45 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/06/24 20:21:23 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/06/24 20:09:16 | 003,719,852 | R--- | M] () -- C:\Users\Jennie\Desktop\schrauber.exe
[2010/06/13 07:35:15 | 000,299,416 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/13 07:32:53 | 000,524,288 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000002.regtrans-ms
[2010/06/13 07:32:53 | 000,524,288 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000001.regtrans-ms
[2010/06/13 07:32:53 | 000,065,536 | -HS- | M] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
[2010/06/12 21:52:53 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/06/12 21:52:53 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/06/12 21:52:53 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/06/12 21:52:52 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/06/08 18:55:15 | 000,001,199 | ---- | M] () -- C:\Users\Jennie\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.20.6.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Users\Jennie\AppData\Roaming\*.tmp files -> C:\Users\Jennie\AppData\Roaming\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/24 20:10:17 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/24 20:10:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/06/24 20:10:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/06/24 20:10:17 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/06/24 20:10:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/06/24 19:58:26 | 003,719,852 | R--- | C] () -- C:\Users\Jennie\Desktop\schrauber.exe
[2010/06/12 21:34:50 | 000,524,288 | -HS- | C] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000002.regtrans-ms
[2010/06/12 21:34:49 | 000,524,288 | -HS- | C] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TMContainer00000000000000000001.regtrans-ms
[2010/06/12 21:34:49 | 000,065,536 | -HS- | C] () -- C:\Users\Jennie\ntuser.dat{512fa071-7693-11df-a12d-001c23ae454a}.TM.blf
[2010/06/08 18:55:15 | 000,001,199 | ---- | C] () -- C:\Users\Jennie\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.20.6.lnk
[2010/02/26 21:53:30 | 000,000,127 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/20 23:20:13 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/12/01 20:46:12 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/08/04 00:44:20 | 000,000,758 | ---- | C] () -- C:\Windows\System32\WLAN.INI
[2006/03/06 10:41:02 | 000,073,728 | ---- | C] () -- C:\Windows\System32\AMV_DecDLL.dll
[2004/09/16 13:26:40 | 000,012,634 | ---- | C] () -- C:\Windows\System32\drivers\ADFUUD.SYS
< End of report >



P.S. The laptop seems to be running better now.

Google is my friend. Make Google your friend too.
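As an added example (not from this thread, the poster, or the OTL tool), the O6 policy lines in a log like the one above can be checked mechanically for User Account Control settings that are not at their Windows 7 defaults; the default values below are my assumption from Microsoft's UAC documentation, and the sample lines are copied from the posted log.

```python
"""Added example, not from this thread or from the OTL tool: check the
O6 policy lines of an OTL log for User Account Control settings that
differ from the Windows 7 defaults. Default values are assumed from
Microsoft's UAC documentation; the sample lines are copied from the
log posted above."""
import re

# Assumed Windows 7 defaults (not stated in the thread).
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 0 switches UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 elevates administrators silently
    "PromptOnSecureDesktop": 1,       # 0 shows prompts on the normal desktop
}

# Matches only the numeric entries directly under policies\System,
# not the UIPI\Clipboard\ExceptionFormats or policies\Explorer lines.
O6_RE = re.compile(
    r"^O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\System: "
    r"(?P<name>\w+) = (?P<value>-?\d+)\s*$"
)

# Constructed sample: O6/O7 lines copied from the OTL log above.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
"""


def parse_o6_policies(log_text):
    """Return {setting name: int value} for every numeric O6 line directly under policies\\System."""
    policies = {}
    for line in log_text.splitlines():
        m = O6_RE.match(line.strip())
        if m:
            policies[m.group("name")] = int(m.group("value"))
    return policies


def weak_uac_settings(policies):
    """Return (name, found, expected) for each UAC setting that is not at its default.

    A setting absent from the log is treated as untouched, since OTL lists
    only values present in the registry.
    """
    return [
        (name, policies[name], expected)
        for name, expected in UAC_EXPECTED.items()
        if name in policies and policies[name] != expected
    ]


if __name__ == "__main__":
    for name, found, expected in weak_uac_settings(parse_o6_policies(SAMPLE_LOG)):
        print(f"{name} = {found} (Windows 7 default is {expected})")
```

On the posted log this reports EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, i.e. UAC is switched off; the ExceptionFormats and O7 Explorer lines are deliberately ignored.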


#14 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 29 June 2010 - 10:54 PM

Hi,

Delete ComboFix and Clean Up
Click Start > Run > type combofix /Uninstall > OK (Note the space between combofix and /Uninstall)
Please advise if this step is missed for any reason as it performs some important actions.

Please run OTL one more time and hit Cleanup. This will remove OTL and all helper tools.

Your machine appears to be clean; please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites where you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.

  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.

  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites

  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.

  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.

  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.

  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.

  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Make Internet Explorer 7 more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialize and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software

It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
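The post above asks the user to set a handful of Explorer and Internet Explorer options by hand and to create a fresh restore point once the machine is clean. The script below is an added example, not something from schrauber's post or from any BleepingComputer tool: it reads back those settings from the registry so you can confirm they ended up where the post wants them, lists the existing restore points, and wraps the "Create a Restore Point" step in a function. It assumes Windows 7 with Windows PowerShell run elevated; the registry paths and the zone policy IDs (1001, 1004, 1201, 1800, 1804, 1607, with 0 = Enable, 1 = Prompt, 3 = Disable) are the standard Internet Settings values as I recall them, so verify them against Microsoft's documentation before relying on the report.

```powershell
# Added example (not part of the post). Audits the settings the post
# recommends and creates a post-cleanup restore point. Read-only except
# for New-CleanRestorePoint. Run from an elevated Windows PowerShell prompt.

# Internet zone = zone 3. Policy IDs and meanings are assumptions from memory.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAudit {
    # Compare each zone policy with the value the post asks for.
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $Wanted.Keys) {
        $current = $zone.$id
        $label = if ($null -eq $current) { '(not set)' } else { $Labels[[int]$current] }
        if (-not $label) { $label = "raw=$current" }   # value outside the known set
        [pscustomobject]@{
            Setting     = $Wanted[$id].Name
            Current     = $label
            Recommended = $Labels[$Wanted[$id].Value]
            OK          = ($null -ne $current -and [int]$current -eq $Wanted[$id].Value)
        }
    }
}

# Explorer "Folder Options > View" settings. Registry names/values assumed:
# Hidden 2 = do not show hidden files, HideFileExt 1 = hide extensions,
# ShowSuperHidden 0 = hide protected operating system files.
$ExplorerPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerAudit {
    $adv = Get-ItemProperty -Path $ExplorerPath -ErrorAction Stop
    [pscustomobject]@{ Setting = 'Show hidden files and folders (unchecked)';        OK = ($adv.Hidden -eq 2) }
    [pscustomobject]@{ Setting = 'Hide file extensions for known file types (checked)'; OK = ($adv.HideFileExt -eq 1) }
    [pscustomobject]@{ Setting = 'Hide protected operating system files (checked)';  OK = ($adv.ShowSuperHidden -eq 0) }
}

function Get-RestorePointList {
    # Oldest first, so the pre-cleanup points the post wants purged are at the top.
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, CreationTime, Description
}

function New-CleanRestorePoint {
    # The "Create a Restore Point" step from the post, with a name you can log.
    param([string]$Description = 'Clean baseline after malware removal')
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    Get-RestorePointList | Select-Object -Last 1
}

Write-Host '== Internet zone settings vs. recommended =='
Get-ZoneAudit | Format-Table -AutoSize
Write-Host '== Explorer view settings =='
Get-ExplorerAudit | Format-Table -AutoSize
Write-Host '== Existing restore points (oldest first) =='
Get-RestorePointList | Format-Table -AutoSize
# Uncomment once the machine is confirmed clean:
# New-CleanRestorePoint -Description 'Clean baseline 2010-07-01'
```

Two caveats when using this. Get-ComputerRestorePoint and Checkpoint-Computer are Windows PowerShell cmdlets for client editions of Windows, and on newer Windows versions Checkpoint-Computer is throttled by default to one restore point per 24 hours. The extension-hiding row is reported only because the post asks for it; keeping extensions visible is what lets a user notice the .exe, .com, .bat and .pif attachments item 2 of the post warns about, so many practitioners leave that box unchecked. After creating the new point, the post's Cleanmgr "More Options > Clean Up" step still removes the older ones; the list printed above lets you confirm that only the new point remains.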

#15 Torvald

Torvald
  • Topic Starter

  • Members
  • 366 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:03:56 AM

Posted 01 July 2010 - 08:26 PM

Tom,

Thank you very much for your friendly and effective assistance with disinfecting my daughter's laptop computer. We really appreciate all the help you provided us.

> Torvald <

Google is my friend. Make Google your friend too.
