HijackThis Log: Please help Diagnose


  • This topic is locked
19 replies to this topic

#1 3ert250

  • Members
  • 10 posts

Posted 21 June 2010 - 12:15 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:28:40, on 21/06/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Internet Explorer Plugin - {34048889-7E1E-4707-A23B-1EEC340DBC16} - gmoj.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Safe Run Start] C:\Windows\System32\saferun.exe
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Safe Run Start] C:\Windows\System32\saferun.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Vkebequbefo] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\VCHerck.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Vkebequbefo] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\VCHerck.dll",Startup (User 'Default user')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15112/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58518EC4-D62C-4EC3-A7F8-2259A5DA9C15}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{80ECF9D9-DC87-471E-8708-AB8D75863BB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{58518EC4-D62C-4EC3-A7F8-2259A5DA9C15}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.7,93.188.166.242
O17 - HKLM\System\CS2\Services\Tcpip\..\{58518EC4-D62C-4EC3-A7F8-2259A5DA9C15}: NameServer = 93.188.163.7,93.188.166.242
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: csbdll - csbdll.dll (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

--
End of file - 7928 bytes

Title was: Google Links cause annoying Tab Pop ups - Please Help, think its same prob as Lumine1412, not sure ~ OB

Hi, I'm new to this site and forums in general. I have a problem with my "Bleeping Computer": when I search for something on Google and then go to click one of the links in the results, a new tab or window with a completely different web address pops up containing unrelated adverts. I also keep getting a malware by the name of "Win32.FraudLoad" that gets detected by Spybot - S&D, which then fixes it, but when I start my PC again and do another scan with Spybot it's there again.

I read a post from a user, Lumine1412, which sounds like he/she has the same or similar symptoms as me, but I did not follow the same remedy as I guess each case is unique.

Hope someone can help me,
Thanks 3ert250

Merged topics then posts. ~ OB

Edited by Orange Blossom, 24 June 2010 - 04:46 PM.
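An added example, not part of the original thread and not HijackThis's own logic: a short Python triage pass over HijackThis-format lines of the kind posted above. The embedded sample is constructed from a handful of lines of that log plus benign controls (it is not the full log), and the expected-resolver list is an assumption, here the OpenDNS pair that the CurrentControlSet entries show; on a real case it comes from the ISP or router configuration. The rules pick out the three things a triager would read first in this log: O2/O20 registrations whose file is missing, an O4 autostart in the SYSTEM (S-1-5-18) hive that uses rundll32 to load a DLL out of the systemprofile AppData folder, and O17 NameServer values in a control set that differ from the expected resolvers.

```python
"""Triage pass over HijackThis 'Oxx - ...' lines (added example, not HijackThis's own logic)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the log above, plus benign controls.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Internet Explorer Plugin - {34048889-7E1E-4707-A23B-1EEC340DBC16} - gmoj.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Safe Run Start] C:\Windows\System32\saferun.exe
O4 - HKUS\S-1-5-18\..\Run: [Vkebequbefo] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\VCHerck.dll",Startup (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.7,93.188.166.242
O20 - Winlogon Notify: csbdll - csbdll.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Assumption: the resolvers this machine is supposed to use. Here the pair that
# CurrentControlSet shows; on a real case take it from the ISP/router config.
EXPECTED_DNS = ("208.67.220.220", "208.67.222.222")

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\(file missing\)", re.I)
PROFILE_PATH_RE = re.compile(r"\\(AppData|Application Data|Local Settings|Temp|systemprofile)\\", re.I)
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
# HJT sections that register a component by pointing at a file on disk.
ORPHAN_SECTIONS = {"O2", "O3", "O20", "O21", "O22"}


@dataclass
class Entry:
    section: str   # "O4", "O17", "R1", ...
    body: str      # everything after "Oxx - "


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Keep only 'Rn/Fn/Nn/On - ...' lines; headers, the process list and blanks are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries, expected_dns):
    """Return one Finding per entry that trips at least one rule, in log order."""
    findings = []
    for e in entries:
        reasons = []
        low = e.body.lower()
        if e.section in ORPHAN_SECTIONS and MISSING_RE.search(e.body):
            reasons.append("registered component's file is missing")
        if e.section == "O4":
            if PROFILE_PATH_RE.search(e.body):
                reasons.append("autostart runs from a profile/AppData/Temp path")
            if low.startswith(r"hkus\s-1-5-18"):
                reasons.append("Run key in the SYSTEM (S-1-5-18) hive")
            if "rundll32" in low:
                reasons.append("DLL entry point loaded via rundll32")
        if e.section == "O17":
            m = NAMESERVER_RE.search(e.body)
            if m:
                ips = {ip for ip in m.group("ips").split(",") if ip}
                unexpected = sorted(ips - set(expected_dns))
                if unexpected:
                    reasons.append("NameServer outside expected set: " + ", ".join(unexpected))
        if reasons:
            findings.append(Finding(e.section, e.body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG), EXPECTED_DNS):
        print(f"[{f.section}] {f.body}")
        for r in f.reasons:
            print("    -", r)
```

To run it over a full log, replace SAMPLE_LOG with the file contents. The rules are a first pass, not a verdict: the "Safe Run Start" entry in System32 passes every rule here and still deserves a lookup, and the O17 rule only says that ControlSet002 carries different resolvers than CurrentControlSet, which the analyst then has to explain.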



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 June 2010 - 07:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 3ert250
  • Topic Starter

  • Members
  • 10 posts

Posted 28 June 2010 - 09:20 AM

Hi schrauber,
Thank you for your response to my problem (when I click a link in Google's search results it sends me to a completely different link, e.g. an unrelated advertisement).
Here are the DDS and GMER logs you requested, plus I have attached the separate attach log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by USER at 14:23:29.46 on 28/06/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1318 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Users\USER\AppData\Roaming\d2e.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\system32\sppsvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\DXPServer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\USER\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311v3\WG311v3.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: o2.co.uk\*.broadband
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab
TCP: NameServer = 93.188.163.7,93.188.166.242
TCP: {0E72C828-8BD4-48DB-A891-D0AE22525432} = 93.188.163.7,93.188.166.242
TCP: {80ECF9D9-DC87-471E-8708-AB8D75863BB0} = 93.188.163.7,93.188.166.242
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\9ye2bt5p.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385536]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-6 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-6-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-6 144704]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-20 1153368]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2009-3-4 202016]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-6 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-6-6 40552]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-6-6 34248]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-6 1343400]

=============== Created Last 30 ================

2010-06-28 13:06:58 47616 ----a-w- c:\windows\system32\ernel32.dll
2010-06-28 10:34:44 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-24 10:01:29 0 d-----w- C:\OEMSettings
2010-06-24 10:01:04 0 d-----w- c:\program files\NETGEAR
2010-06-23 21:57:05 0 d-----w- C:\Device
2010-06-23 21:44:45 77312 ----a-w- c:\windows\MBR.exe
2010-06-23 21:44:44 256512 ----a-w- c:\windows\PEV.exe
2010-06-23 21:44:43 98816 ----a-w- c:\windows\sed.exe
2010-06-23 21:44:43 161792 ----a-w- c:\windows\SWREG.exe
2010-06-20 11:43:46 179 ----a-w- c:\windows\wininit.ini
2010-06-20 10:06:59 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-20 10:06:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-19 11:40:58 0 d-----w- c:\program files\Trend Micro
2010-06-18 23:45:04 0 d-----w- c:\programdata\Adobe
2010-06-18 23:44:01 0 d-----w- c:\programdata\NOS
2010-06-18 21:35:00 282624 ----a-w- c:\windows\system32\drivers\WG311v3XP.sys
2010-06-18 21:35:00 0 d-----w- C:\WG311v3
2010-06-18 21:15:49 728 ----a-w- c:\windows\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
2010-06-18 21:14:08 0 d-----w- c:\program files\O2_Installer
2010-06-17 14:02:58 1822 ----a-w- c:\windows\system32\batcgr
2010-06-16 19:01:25 47616 ----a-w- c:\users\user\appdata\roaming\d2e.exe
2010-06-15 21:15:01 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-06-15 21:15:00 9880 ----a-w- c:\windows\system32\nvdisp.nvu
2010-06-15 21:12:27 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-06-15 21:08:56 12800 ----a-w- c:\windows\system32\drivers\EIO.sys
2010-06-15 15:55:30 0 d-----w- c:\windows\PCHEALTH
2010-06-15 15:54:21 0 d-----w- c:\programdata\Microsoft Help
2010-06-15 09:14:08 0 d-----w- c:\program files\SEGA
2010-06-13 19:16:15 0 d-----w- c:\users\user\Duke Nukem 3d WinXP-Vista (Original no MOD) - Internet Multiplayer Ready Pack v3.0. Not DNF Forever
2010-06-13 19:16:07 147724909 ----a-w- c:\users\user\Duke Nukem 3d WinXP-Vista (Original no MOD) - Internet Multiplayer Ready Pack v3.0. Not DNF Forever.zip
2010-06-10 13:48:27 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-06-10 13:48:27 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2010-06-10 13:48:25 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-06-10 13:48:24 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-06-10 13:48:23 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-10 13:48:23 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-10 13:48:23 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-06-10 13:48:23 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-06-10 13:48:23 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-10 13:48:21 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-06-10 13:48:18 0 d-----w- C:\NVIDIA
2010-06-10 13:29:58 409088 ----a-w- c:\windows\system32\systemcplx86.dll
2010-06-10 13:29:58 13824 ----a-w- c:\windows\system32\slwga.dll
2010-06-10 11:48:15 0 d-----w- c:\program files\EPSON
2010-06-10 11:34:36 0 d-----w- c:\programdata\UDL
2010-06-09 23:22:17 0 d-----w- c:\windows\system32\Adobe
2010-06-09 19:12:18 0 d-----w- c:\programdata\NVIDIA
2010-06-09 19:11:42 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-09 09:12:53 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 09:12:48 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 09:12:46 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 09:12:17 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 09:12:17 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-08 17:33:20 0 d-----w- c:\program files\VideoLAN
2010-06-08 14:08:04 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-06-08 14:04:06 0 d-----r- c:\program files\Skype
2010-06-08 14:04:04 0 d-----w- c:\programdata\Skype
2010-06-08 13:07:43 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-06-07 18:31:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-07 12:03:12 2516 ----a-w- c:\windows\system32\P16X.ini
2010-06-07 10:45:27 182443777 ----a-w- c:\windows\MEMORY.DMP
2010-06-06 22:50:25 15134 ----a-w- c:\windows\system32\Config.MPF
2010-06-06 22:49:59 0 d-----w- c:\programdata\SiteAdvisor
2010-06-06 22:48:11 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-06 22:48:11 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-06-06 22:48:11 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-06 22:48:08 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-06 22:47:57 0 d-----w- c:\program files\common files\McAfee
2010-06-06 22:47:56 0 d-----w- c:\program files\McAfee.com
2010-06-06 22:47:55 0 d-----w- c:\program files\McAfee
2010-06-06 22:44:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-06-06 22:37:00 0 d-----w- c:\programdata\McAfee
2010-06-06 22:24:44 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-06 22:24:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-06 22:24:09 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-06 22:23:05 0 d-----w- c:\program files\common files\SupportSoft
2010-06-06 22:03:52 0 d-sh--w- c:\windows\Installer
2010-06-06 22:03:51 0 d-----w- c:\windows\Downloaded Installations
2010-06-06 22:03:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-06-06 20:52:07 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
2010-06-06 20:52:07 288 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
2010-06-06 20:52:07 16348 ----a-w- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
2010-06-06 20:52:07 16348 ----a-w- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
2010-06-06 20:52:07 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2010-06-06 20:52:07 1080 ----a-w- c:\windows\system32\settings.sfm
2010-06-06 20:51:45 0 d-----w- c:\windows\system32\Wat
2010-06-06 20:48:23 3382339 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000002-80671102}.BAK
2010-06-06 20:48:19 3382339 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000002-80671102}.CDF
2010-06-06 20:47:11 24144 ----a-w- c:\windows\system32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
2010-06-06 20:47:11 24144 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
2010-06-06 20:35:03 0 d-----w- c:\program files\uTorrent
2010-06-06 20:34:17 0 d-----w- c:\users\user\appdata\roaming\uTorrent
2010-06-06 20:28:06 7062 ----a-w- c:\windows\system32\audiopid.vxd
2010-06-06 19:43:39 15840 ------w- c:\windows\system32\drivers\PFMODNT.SYS
2010-06-06 19:43:39 0 d-----w- c:\program files\Creative
2010-06-06 19:22:00 0 d-----w- c:\windows\system32\appmgmt
2010-06-06 17:18:24 0 d-----w- c:\programdata\SupportSoft
2010-06-06 17:17:17 0 d-----w- c:\program files\O2
2010-06-06 16:13:57 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-06 16:11:56 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-06 16:11:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-06-05 05:14:17 0 d-----w- c:\windows\Panther
2010-06-04 20:57:54 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-06-04 20:57:45 0 d-----w- c:\windows\system32\wbem\Performance
2010-06-04 20:53:16 0 d-----w- C:\Recovery

==================== Find3M ====================

2010-04-29 09:47:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 09:47:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-03 22:55:31 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-04-03 21:55:32 795104 ----a-w- c:\windows\system32\dpinst.exe
2010-04-03 21:55:32 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 21:55:32 316008 ----a-w- c:\windows\system32\nvdecodemft.dll
2010-04-03 21:55:32 2907752 ----a-w- c:\windows\system32\nvencodemft.dll
2010-04-03 21:55:32 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 17:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 17:27:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 17:27:00 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-04-03 17:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 17:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-21 13:40:50 73728 ----a-w- c:\windows\inf\wg311v3\x64\SetVistaDrv64.exe
2009-07-20 17:20:04 65536 ----a-w- c:\windows\inf\wg311v3\x86\SetVistaDrv.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-12-12 17:13:32 512000 ----a-w- c:\windows\inf\wg311v3\x64\DIFxAPI.dll
2008-12-12 16:57:46 313856 ----a-w- c:\windows\inf\wg311v3\x86\DIFxAPI.dll
2007-05-24 13:58:00 249856 ----a-w- c:\windows\inf\wg311v3\x86\InsDrv2k.exe
2007-05-03 15:11:46 244736 ----a-w- c:\windows\inf\wg311v3\x64\MRVW13C.sys
2007-05-03 15:11:14 256000 ----a-w- c:\windows\inf\wg311v3\x86\MRVW13B.sys
2005-11-17 14:46:24 845736 ----a-w- c:\windows\inf\wg311v3\x64\DPInst.exe
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:24:34.81 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-28 15:10:22
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\USER\AppData\Local\Temp\kxldapob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A303F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A192D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A301DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A306F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A311A8

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x88E55C50]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x88E55C7A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x88E55CA2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x88E55C64]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x88E55C3C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x88E55C28]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x88E55CD1]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x88E55CB8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x88E55C8E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A78148 5 Bytes JMP 88E55C92 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A90599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 966C0C9D 28 Bytes [04, B1, 7F, E0, 80, 15, C4, ...]
.text peauth.sys 966C0CC1 28 Bytes [04, B1, 7F, E0, 80, 15, C4, ...]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[212] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[212] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\services.exe[496] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 009A0F54
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 009A0F17
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 009A0F28
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 009A001E
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 009A007D
.text C:\Windows\system32\services.exe[496] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 009A0051
.text C:\Windows\system32\services.exe[496] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 009A0F83
.text C:\Windows\system32\services.exe[496] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 009A0040
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 009A0FDE
.text C:\Windows\system32\services.exe[496] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 009A0F06
.text C:\Windows\system32\services.exe[496] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 009A0FA8
.text C:\Windows\system32\services.exe[496] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 009A002F
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\services.exe[496] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 009A00A2
.text C:\Windows\system32\services.exe[496] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 009A0FCD
.text C:\Windows\system32\services.exe[496] kernel32.dll!WinExec 759DE695 5 Bytes JMP 009A0F43
.text C:\Windows\system32\services.exe[496] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 009A0062
.text C:\Windows\system32\services.exe[496] msvcrt.dll!_open 757B7E48 5 Bytes JMP 003C0FEF
.text C:\Windows\system32\services.exe[496] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 003C004B
.text C:\Windows\system32\services.exe[496] msvcrt.dll!system 757EB16F 5 Bytes JMP 003C003A
.text C:\Windows\system32\services.exe[496] msvcrt.dll!_creat 757EED29 5 Bytes JMP 003C0029
.text C:\Windows\system32\services.exe[496] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 003C0FD4
.text C:\Windows\system32\services.exe[496] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 003C000C
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00A4000A
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00A40FB9
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00A40F8A
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00A40036
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00A40FE5
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00A40F6F
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00A4001B
.text C:\Windows\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00A40FCA
.text C:\Windows\system32\services.exe[496] WS2_32.dll!socket 76273F00 5 Bytes JMP 009B000A
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 001E0FA8
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 001E0111
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 001E0F86
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 001E0051
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 001E00C7
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 001E0FD4
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 001E00A2
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 001E0087
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 001E001B
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 001E0F61
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 001E0FE5
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 001E0076
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateFileA 759A28FC 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 001E0000
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 001E00EC
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 001E0036
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!WinExec 759DE695 5 Bytes JMP 001E0F97
.text C:\Windows\system32\lsass.exe[520] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 001E0FC3
.text C:\Windows\system32\lsass.exe[520] msvcrt.dll!_open 757B7E48 5 Bytes JMP 001D0000
.text C:\Windows\system32\lsass.exe[520] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 001D0FC6
.text C:\Windows\system32\lsass.exe[520] msvcrt.dll!system 757EB16F 5 Bytes JMP 001D0FD7
.text C:\Windows\system32\lsass.exe[520] msvcrt.dll!_creat 757EED29 5 Bytes JMP 001D002C
.text C:\Windows\system32\lsass.exe[520] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 001D0047
.text C:\Windows\system32\lsass.exe[520] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 001D0011
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00200FE5
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00200FAF
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00200051
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00200036
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00200FCA
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 0020006C
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00200000
.text C:\Windows\system32\lsass.exe[520] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 0020001B
.text C:\Windows\system32\lsass.exe[520] WS2_32.dll!socket 76273F00 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 003F0080
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 003F0EFC
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 003F0F21
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 003F001B
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 003F0065
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 003F0F68
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 003F0F8D
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 003F004A
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 003F0FE5
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 003F00AC
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 003F0FB9
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 003F0FA8
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 003F000A
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 003F009B
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 003F0FCA
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!WinExec 759DE695 5 Bytes JMP 003F0F3C
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 003F0F57
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_open 757B7E48 5 Bytes JMP 003E0FEF
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 003E0036
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!system 757EB16F 5 Bytes JMP 003E001B
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_creat 757EED29 5 Bytes JMP 003E0000
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 003E0FAB
.text C:\Windows\system32\svchost.exe[676] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 003E0FC6
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00410000
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00410062
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 0041007D
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00410FDB
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00410025
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00410098
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00410036
.text C:\Windows\system32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00410051
.text C:\Windows\system32\svchost.exe[676] WS2_32.dll!socket 76273F00 5 Bytes JMP 00400FEF
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 001E00BA
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 001E00E6
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 001E0F5B
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 001E0036
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 001E00A9
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 001E0FA5
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 001E0073
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 001E0FB6
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 001E010B
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 001E0047
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 001E0058
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 001E0F76
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 001E0025
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!WinExec 759DE695 5 Bytes JMP 001E00CB
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 001E0098
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_open 757B7E48 5 Bytes JMP 001D000C
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 001D0044
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!system 757EB16F 5 Bytes JMP 001D0FC3
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_creat 757EED29 5 Bytes JMP 001D0029
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\svchost.exe[780] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00240FE5
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00240F9E
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00240036
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00240025
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00240FD4
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00240051
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00240FB9
.text C:\Windows\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[780] WS2_32.dll!socket 76273F00 5 Bytes JMP 00230FEF
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 00E400AF
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 00E40111
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 00E400F6
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 00E40040
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 00E40F7C
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 00E4008A
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 00E40FB2
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 00E4006F
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 00E40014
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 00E40F61
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 00E40FD4
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 00E40FC3
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 00E40FEF
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 00E400C0
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 00E40025
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!WinExec 759DE695 5 Bytes JMP 00E400E5
.text C:\Windows\System32\svchost.exe[828] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 00E40F8D
.text C:\Windows\System32\svchost.exe[828] msvcrt.dll!_open 757B7E48 5 Bytes JMP 00E30FEF
.text C:\Windows\System32\svchost.exe[828] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 00E30F97
.text C:\Windows\System32\svchost.exe[828] msvcrt.dll!system 757EB16F 5 Bytes JMP 00E30022
.text C:\Windows\System32\svchost.exe[828] msvcrt.dll!_creat 757EED29 5 Bytes JMP 00E30011
.text C:\Windows\System32\svchost.exe[828] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 00E30FBC
.text C:\Windows\System32\svchost.exe[828] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 00E30000
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00F3000A
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00F30FD1
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00F30062
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00F30FC0
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00F3001B
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00F30FA5
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00F30036
.text C:\Windows\System32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00F30047
.text C:\Windows\System32\svchost.exe[828] WS2_32.dll!socket 76273F00 5 Bytes JMP 00E90FEF
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 00DC0F21
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 00DC009B
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 00DC008A
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 00DC0FC3
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 00DC0F3C
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 00DC0040
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 00DC0F72
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 00DC002F
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 00DC0000
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 00DC00AC
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 00DC0FA8
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 00DC0F8D
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 00DC0FEF
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 00DC0065
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 00DC0FD4
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!WinExec 759DE695 5 Bytes JMP 00DC0F06
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 00DC0F4D
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_open 757B7E48 5 Bytes JMP 00DB0FEF
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 00DB0F90
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!system 757EB16F 5 Bytes JMP 00DB001B
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_creat 757EED29 5 Bytes JMP 00DB0FAB
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 00DB0000
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 00DB0FC6
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00FE0000
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00FE0FC0
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00FE0F9E
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00FE0FAF
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00FE001B
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00FE005B
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00FE0FE5
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00FE0036
.text C:\Windows\System32\svchost.exe[912] WS2_32.dll!socket 76273F00 5 Bytes JMP 00E1000A
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 010E0F54
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7595202D 5 Bytes JMP 010E00E2
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessA 75952062 5 Bytes JMP 010E00BD
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 75981FD6 5 Bytes JMP 010E0022
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreatePipe 75984A8B 5 Bytes JMP 010E0F65
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualProtect 759950AB 5 Bytes JMP 010E0F9B
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7599B6BF 5 Bytes JMP 010E0073
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7599BC8B 5 Bytes JMP 010E0058
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileW 759A0B5D 5 Bytes JMP 010E0011
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetProcAddress 759A1837 5 Bytes JMP 010E00F3
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 759A2864 5 Bytes JMP 010E003D
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 759A28B2 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 759A28B2 5 Bytes JMP 010E0FB6
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileA 759A28FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileA 759A28FC 5 Bytes JMP 010E0000
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 759A7CB5 5 Bytes JMP 010E0F43
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 759DD4DF 5 Bytes JMP 010E0FDB
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!WinExec 759DE695 5 Bytes JMP 010E00AC
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 759DF651 5 Bytes JMP 010E0F80
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_open 757B7E48 5 Bytes JMP 01050FE3
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_wsystem 757EB04F 5 Bytes JMP 01050FBE
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!system 757EB16F 5 Bytes JMP 0105003F
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_creat 757EED29 5 Bytes JMP 0105001D
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_wcreat 757F038E 5 Bytes JMP 0105002E
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_wopen 757F0570 5 Bytes JMP 0105000C
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 011E0FEF
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 011E0FB2
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 011E0054
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 011E0043
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 011E0FDE
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 011E0FA1
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 011E0FC3
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 011E001E
.text C:\Windows\system32\svchost.exe[960] WS2_32.dll!socket 76273F00 5 Bytes JMP 01130FEF
.text C:\Windows\system32\wuauclt.exe[1072] kernel32.dll!GetStartupInfoA 75951DF0 5 Bytes JMP 00010F7C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[2020] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75305D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2020] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75305D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2020] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75305D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.sys (File System Recognizer Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:45 PM

Posted 30 June 2010 - 12:51 PM

Hello, 3ert250
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 3ert250

3ert250
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 01 July 2010 - 04:39 AM

Hi Tom,
Thanks for your continued support with my problem, here is the combofix log:


ComboFix 10-06-30.03 - USER 01/07/2010 10:27:36.8.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1364 [GMT 1:00]
Running from: c:\users\USER\Desktop\schrauber.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\55i55.dll
c:\windows\system32\spool\prtprocs\w32x86\9w1uOC1s9.dll
c:\windows\system32\spool\prtprocs\w32x86\WSKU5.dll
c:\windows\system32\spool\prtprocs\w32x86\yWS7e3aA9.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 09:31 . 2010-07-01 09:31 -------- d-----w- c:\users\USER\AppData\Local\temp
2010-07-01 09:31 . 2010-07-01 09:31 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-01 09:31 . 2010-07-01 09:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-01 09:31 . 2010-07-01 09:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-01 09:26 . 2010-07-01 09:26 -------- d-----w- C:\32788R22FWJFW
2010-06-24 10:01 . 2010-06-24 10:01 -------- d-----w- C:\OEMSettings
2010-06-24 10:01 . 2010-06-24 10:01 -------- d-----w- c:\program files\NETGEAR
2010-06-23 21:57 . 2010-06-23 21:57 -------- d-----w- C:\Device
2010-06-21 15:27 . 2010-06-21 15:27 388096 ----a-r- c:\users\USER\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-20 10:06 . 2010-06-20 11:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-20 10:06 . 2010-06-20 11:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-19 11:40 . 2010-06-19 11:40 -------- d-----w- c:\program files\Trend Micro
2010-06-18 23:46 . 2010-06-18 23:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-18 23:44 . 2010-06-19 00:04 -------- d-----w- c:\users\USER\AppData\Local\Adobe
2010-06-18 23:44 . 2010-06-18 23:44 71680 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-06-18 23:44 . 2010-06-19 09:24 -------- d-----w- c:\programdata\NOS
2010-06-18 21:35 . 2010-06-18 21:35 -------- d-----w- C:\WG311v3
2010-06-18 21:35 . 2005-12-29 17:07 282624 ----a-w- c:\windows\system32\drivers\WG311v3XP.sys
2010-06-18 21:14 . 2010-06-18 21:14 -------- d-----w- c:\program files\O2_Installer
2010-06-18 20:57 . 2010-06-18 20:57 -------- d-----w- c:\users\USER\AppData\Roaming\EPSON
2010-06-16 21:36 . 2010-06-20 14:11 120 ----a-w- c:\users\USER\AppData\Local\Flonalibikixe.dat
2010-06-16 21:36 . 2010-06-20 09:08 0 ----a-w- c:\users\USER\AppData\Local\Qgipape.bin
2010-06-15 15:55 . 2010-06-15 15:55 -------- d-----w- c:\program files\Microsoft Works
2010-06-15 15:55 . 2010-06-15 15:55 -------- d-----w- c:\windows\PCHEALTH
2010-06-15 15:55 . 2010-06-15 15:55 -------- d-----w- c:\program files\Microsoft.NET
2010-06-15 15:54 . 2010-06-15 15:54 -------- d-----w- c:\users\USER\AppData\Local\Microsoft Help
2010-06-15 15:54 . 2010-06-15 15:56 -------- d-----w- c:\programdata\Microsoft Help
2010-06-15 15:54 . 2010-06-15 15:54 -------- d-----r- C:\MSOCache
2010-06-15 09:14 . 2010-06-15 09:14 -------- d-----w- c:\program files\SEGA
2010-06-13 19:16 . 2010-06-13 19:16 -------- d-----w- c:\users\USER\Duke Nukem 3d WinXP-Vista (Original no MOD) - Internet Multiplayer Ready Pack v3.0. Not DNF Forever
2010-06-13 19:16 . 2009-04-09 22:53 147724909 ----a-w- c:\users\USER\Duke Nukem 3d WinXP-Vista (Original no MOD) - Internet Multiplayer Ready Pack v3.0. Not DNF Forever.zip
2010-06-10 13:48 . 2010-04-03 22:55 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-06-10 13:48 . 2010-04-03 22:55 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-06-10 13:48 . 2010-04-03 22:55 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-06-10 13:48 . 2010-04-03 22:55 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-10 13:48 . 2010-04-03 22:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-10 13:48 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-06-10 13:48 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-06-10 13:48 . 2010-04-03 22:55 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-10 13:48 . 2010-04-03 22:55 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-06-10 13:48 . 2010-06-10 13:48 -------- d-----w- C:\NVIDIA
2010-06-10 13:29 . 2010-06-10 13:29 409088 ----a-w- c:\windows\system32\systemcplx86.dll
2010-06-10 13:29 . 2010-06-10 13:29 13824 ----a-w- c:\windows\system32\slwga.dll
2010-06-10 11:48 . 2010-06-10 11:48 -------- d-----w- c:\program files\EPSON
2010-06-10 11:34 . 2010-06-10 11:34 -------- d-----w- c:\programdata\UDL
2010-06-09 23:22 . 2010-06-09 23:22 -------- d-----w- c:\windows\system32\Adobe
2010-06-09 19:12 . 2010-07-01 09:09 -------- d-----w- c:\programdata\NVIDIA
2010-06-09 19:11 . 2010-06-10 13:50 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-09 09:12 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 09:12 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 09:12 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 09:12 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 09:12 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-08 17:55 . 2010-06-24 22:18 -------- d-----w- c:\users\USER\AppData\Roaming\vlc
2010-06-08 17:33 . 2010-06-08 17:33 -------- d-----w- c:\program files\VideoLAN
2010-06-08 14:07 . 2010-06-08 14:07 -------- d-----w- c:\users\USER\AppData\Roaming\skypePM
2010-06-08 14:05 . 2010-06-08 14:20 -------- d-----w- c:\users\USER\AppData\Roaming\Skype
2010-06-08 14:04 . 2010-06-08 14:04 -------- d-----w- c:\program files\Common Files\Skype
2010-06-08 14:04 . 2010-06-21 22:25 -------- d-----r- c:\program files\Skype
2010-06-08 14:04 . 2010-06-08 14:04 -------- d-----w- c:\programdata\Skype
2010-06-08 13:48 . 2010-06-08 13:48 -------- d-----w- c:\users\USER\AppData\Local\Thunderbird
2010-06-08 13:48 . 2010-06-08 13:48 -------- d-----w- c:\users\USER\AppData\Roaming\Thunderbird
2010-06-08 13:47 . 2010-06-29 21:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-08 13:38 . 2010-06-08 13:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2010-06-08 13:38 . 2010-06-08 13:46 -------- d-----w- c:\program files\Google
2010-06-08 13:38 . 2010-06-08 13:47 -------- d-----w- c:\users\USER\AppData\Local\Google
2010-06-08 13:23 . 2010-06-08 13:23 -------- d-----w- c:\users\USER\AppData\Local\Mozilla
2010-06-08 13:07 . 2010-06-08 13:07 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-06-06 22:50 . 2010-06-24 11:34 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SACore
2010-06-06 22:50 . 2010-06-15 16:23 63552 ----a-w- c:\users\USER\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-06 22:49 . 2010-06-06 22:49 -------- d-----w- c:\programdata\SiteAdvisor
2010-06-06 22:48 . 2010-02-17 15:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-06 22:48 . 2010-02-17 15:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-06-06 22:48 . 2010-02-17 15:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-06 22:48 . 2009-07-16 11:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-06 22:47 . 2010-06-06 22:48 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-06 22:47 . 2010-06-06 22:47 -------- d-----w- c:\program files\McAfee.com
2010-06-06 22:47 . 2010-07-01 09:14 -------- d-----w- c:\program files\McAfee
2010-06-06 22:44 . 2010-02-17 15:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-06-06 22:37 . 2010-06-07 10:29 -------- d-----w- c:\programdata\McAfee
2010-06-06 22:24 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-06 22:24 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-06 22:24 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-06 22:23 . 2010-06-06 22:23 -------- d-----w- c:\users\USER\AppData\Local\SupportSoft
2010-06-06 22:23 . 2010-06-06 22:23 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-06-06 22:08 . 2010-06-20 10:36 -------- d-----w- c:\users\USER\AppData\Local\ElevatedDiagnostics
2010-06-06 22:04 . 2010-06-24 10:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-06 22:03 . 2010-06-24 10:01 -------- d-sh--w- c:\windows\Installer
2010-06-06 22:03 . 2010-06-06 22:03 -------- d-----w- c:\windows\Downloaded Installations
2010-06-06 20:52 . 2010-06-29 23:01 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
2010-06-06 20:52 . 2010-06-29 23:01 288 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
2010-06-06 20:51 . 2010-06-06 20:51 -------- d-----w- c:\windows\system32\Wat
2010-06-06 20:49 . 2010-06-06 20:49 -------- d-----w- c:\users\USER\AppData\Local\Diagnostics
2010-06-06 20:35 . 2010-06-06 20:35 -------- d-----w- c:\program files\uTorrent
2010-06-06 20:34 . 2010-07-01 09:30 -------- d-----w- c:\users\USER\AppData\Roaming\uTorrent
2010-06-06 19:43 . 2010-06-06 20:28 -------- d-----w- c:\program files\Creative
2010-06-06 19:43 . 2003-03-05 11:19 15840 ------w- c:\windows\system32\drivers\PFMODNT.SYS
2010-06-06 19:42 . 2010-06-15 21:07 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-06 17:40 . 2010-06-06 17:40 -------- d-----w- c:\windows\system32\Macromed
2010-06-06 17:18 . 2010-06-06 17:18 -------- d-----w- c:\programdata\SupportSoft
2010-06-06 17:17 . 2010-06-18 21:15 -------- d-----w- c:\program files\O2
2010-06-06 16:13 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-06 16:11 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-05 05:14 . 2010-06-20 10:25 -------- d-----w- c:\windows\Panther
2010-06-04 20:57 . 2010-07-01 09:15 -------- d-----w- c:\windows\system32\wbem\Performance
2010-06-04 20:53 . 2010-06-04 20:53 -------- d-----w- C:\Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 19:02 . 2010-06-16 19:02 120 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Flonalibikixe.dat
2010-06-16 19:02 . 2010-06-16 19:02 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Qgipape.bin
2010-06-16 19:01 . 2010-06-16 19:01 47616 ----a-w- c:\users\USER\AppData\Roaming\d2e.exe
2010-06-16 19:01 . 2010-06-16 19:01 47616 ----a-w- c:\users\USER\AppData\Roaming\d2e.exe
2010-06-15 21:08 . 2010-06-15 21:08 12800 ----a-w- c:\windows\system32\drivers\EIO.sys
2010-06-08 14:08 . 2010-06-08 14:08 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-06-07 18:31 . 2010-06-07 18:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-06 22:03 . 2010-06-06 22:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-06-06 16:55 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-06-06 16:11 . 2010-06-06 16:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-29 09:47 . 2010-04-29 09:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 09:47 . 2010-04-29 09:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-23 07:13 . 2010-06-06 22:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 20:24 . 2010-04-16 20:24 22416 ----a-w- c:\windows\system32\drivers\dc3d.sys
2010-04-14 11:50 . 2010-04-14 11:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-03 22:55 . 2009-04-30 14:02 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-04-03 21:55 . 2010-06-15 21:15 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 21:55 . 2010-04-03 21:55 795104 ----a-w- c:\windows\system32\dpinst.exe
2010-04-03 21:55 . 2010-04-03 21:55 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 21:55 . 2010-04-03 21:55 316008 ----a-w- c:\windows\system32\nvdecodemft.dll
2010-04-03 21:55 . 2010-04-03 21:55 2907752 ----a-w- c:\windows\system32\nvencodemft.dll
2010-04-03 21:55 . 2010-04-03 21:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 17:27 . 2010-04-03 17:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 17:27 . 2010-04-03 17:27 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 17:27 . 2010-04-03 17:27 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-04-03 17:27 . 2010-04-03 17:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:27 . 2010-04-03 17:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 17:27 . 2010-04-03 17:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 15:54 . 2010-06-15 21:12 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-06-27_08.42.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-13 23:24 . 2010-06-28 21:25 32256 c:\windows\winsxs\x86_microsoft-windows-systemindexer_31bf3856ad364e35_6.1.7600.16385_none_d5726d6f847c1ef3\discache.sys
- 2009-07-13 23:24 . 2009-07-13 23:24 32256 c:\windows\winsxs\x86_microsoft-windows-systemindexer_31bf3856ad364e35_6.1.7600.16385_none_d5726d6f847c1ef3\discache.sys
+ 2010-06-04 21:09 . 2010-07-01 09:11 32494 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-07-01 09:11 39976 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-06-04 20:19 . 2010-06-27 08:38 81920 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-04 20:19 . 2010-07-01 09:17 81920 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-26 11:45 . 2010-06-27 08:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-26 11:45 . 2010-07-01 09:17 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-06 20:21 . 2010-06-26 11:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-06 20:21 . 2010-07-01 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-06 20:21 . 2010-07-01 09:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-06 20:21 . 2010-06-26 11:47 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-06 20:21 . 2010-07-01 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-06 20:21 . 2010-06-26 11:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-04 20:58 . 2010-07-01 09:11 8094 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2611152558-3212841764-2130469302-1000_UserData.bin
- 2010-06-26 14:19 . 2010-06-26 14:19 5954 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\B7837DB21F891F6EC5F656DAD1964966B97FFE81\B7837DB21F891F6EC5F656DAD1964966B97FFE81\Data.dat
+ 2010-07-01 09:12 . 2010-07-01 09:12 5954 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\B7837DB21F891F6EC5F656DAD1964966B97FFE81\B7837DB21F891F6EC5F656DAD1964966B97FFE81\Data.dat
+ 2010-07-01 09:12 . 2010-07-01 09:12 5784 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\3A3C5F7CC9415160B34912634CB95978E99A7DDE\3A3C5F7CC9415160B34912634CB95978E99A7DDE\Data.dat
- 2010-06-27 08:31 . 2010-06-27 08:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-07-01 09:09 . 2010-07-01 09:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-27 08:31 . 2010-06-27 08:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-07-01 09:09 . 2010-07-01 09:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:05 . 2010-06-27 08:38 619206 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-07-01 09:15 619206 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-06-27 08:38 107388 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-07-01 09:15 107388 c:\windows\System32\perfc009.dat
+ 2010-06-04 21:00 . 2010-07-01 09:15 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2010-06-04 21:00 . 2010-06-27 08:36 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:41 . 2010-06-27 08:38 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-07-01 09:17 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 02:03 . 2010-06-26 14:31 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2010-07-01 09:22 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-06 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"CTHelper"="CTHELPER.EXE" [2003-06-09 28672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\WG311v3.exe [2009-10-12 1785856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-06 1343400]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2009-03-04 202016]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-16 22416]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]

.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\017d5d2e.job
- c:\users\USER\AppData\Roaming\d2e.exe [2010-06-16 19:01]

2010-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 13:38]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 13:38]

2010-06-06 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-06 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]
.
.
------- Supplementary Scan -------
.
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\9ye2bt5p.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,e1,36,d5,04,22,a8,4d,92,16,76,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,e1,36,d5,04,22,a8,4d,92,16,76,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-07-01 10:33:10
ComboFix-quarantined-files.txt 2010-07-01 09:33
ComboFix2.txt 2010-06-27 08:45
ComboFix3.txt 2010-06-26 12:16
ComboFix4.txt 2010-06-24 20:33
ComboFix5.txt 2010-06-28 10:23

Pre-Run: 218,891,485,184 bytes free
Post-Run: 218,863,673,344 bytes free

- - End Of File - - 99C180E7012DD49CF71D05BD9F66DDE5

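As an added example (my own code, not part of this thread and not a ComboFix feature), here is a small Python triage script that reads the sections of a ComboFix log a helper looks at first (Other Deletions, Reg Loading Points, Scheduled Tasks) and flags the items worth a second look: deletions from the print-processor directory and the rest of system32, a Run value with no full path, a Run value or scheduled task pointing into a user profile, and UAC switched off (EnableLUA = 0). The sample input is an excerpt of the log posted above; the categories and thresholds are my own heuristics, so treat the output as a reading aid, not a verdict.

```python
import re

# Excerpt of the ComboFix log posted above (values from the page, trimmed to
# the sections this triage reads; a real log carries more sections).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\55i55.dll
c:\windows\system32\spool\prtprocs\w32x86\9w1uOC1s9.dll
c:\windows\system32\spool\prtprocs\w32x86\WSKU5.dll
c:\windows\system32\spool\prtprocs\w32x86\yWS7e3aA9.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-06 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"CTHelper"="CTHELPER.EXE" [2003-06-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\017d5d2e.job
- c:\users\USER\AppData\Roaming\d2e.exe [2010-06-16 19:01]

2010-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 13:38]
.
------- Supplementary Scan -------
.
Trusted Zone: o2.co.uk\*.broadband
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")      # ((( Section name )))
TASK_HDR = "Contents of the 'Scheduled Tasks' folder"
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')      # "name"="command"
POLICY_VALUE = re.compile(r'^"([^"]+)"=\s*(\d+)')     # "name"= 0 (0x0)
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def parse_sections(text):
    """Split a ComboFix log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = BANNER.match(line)
        if m or line.startswith(TASK_HDR) or line.startswith("-------"):
            current = m.group(1) if m else ("Scheduled Tasks" if m is None and line.startswith(TASK_HDR) else line.strip("- "))
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, detail) findings; heuristics are mine, not ComboFix's."""
    sections, findings = parse_sections(text), []
    for path in sections.get("Other Deletions", []):
        low = path.lower()
        if "\\spool\\prtprocs\\" in low:          # print processors are loaded by the spooler
            findings.append(("prtprocs-deletion", path))
        elif "\\windows\\system32\\" in low:
            findings.append(("system32-deletion", path))
    key = None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("["):
            key = line.strip("[]")
        elif key and key.lower().endswith("\\policies\\system"):
            m = POLICY_VALUE.match(line)
            if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
                findings.append(("uac-disabled", key + "\\EnableLUA = 0"))
        elif key and key.lower().endswith("\\run"):
            m = RUN_VALUE.match(line)
            if m and ":\\" not in m.group(2):          # bare name: resolved by search order
                findings.append(("run-unqualified-path", m.group(1) + " -> " + m.group(2)))
            elif m and USER_PROFILE.search(m.group(2)):
                findings.append(("run-user-profile", m.group(1) + " -> " + m.group(2)))
    job = None
    for line in sections.get("Scheduled Tasks", []):
        if line.lower().endswith(".job"):
            job = line.split(None, 1)[1]                # drop the leading date
        elif line.startswith("- ") and job and USER_PROFILE.search(line):
            findings.append(("task-user-profile", job + " -> " + line[2:]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

On the excerpt this reports the five system32 deletions (four of them print processors), the CTHelper Run value with no directory, EnableLUA = 0, and the 017d5d2e.job task that launches d2e.exe from the user's AppData folder; the uTorrent and Google entries are not reported.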

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:45 PM

Posted 03 July 2010 - 05:30 AM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 3ert250

3ert250
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 05 July 2010 - 05:55 AM

Hi Tom,
Thanks for your ongoing support, here are the requested logs etc:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4125

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

05/07/2010 09:55:08
mbam-log-2010-07-05 (09-55-08).txt

Scan type: Quick scan
Objects scanned: 125018
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.7,93.188.166.242 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0e72c828-8bd4-48db-a891-d0ae22525432}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.7,93.188.166.242 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80ecf9d9-dc87-471e-8708-ab8d75863bb0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.7,93.188.166.242 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80ecf9d9-dc87-471e-8708-ab8d75863bb0}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.7,93.188.166.242 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET Scan results:

C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoad12.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\ernel32.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\17qG17.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\17uO17.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\1sKUO7.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\317931mY.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\31w9317w.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\3wSK31g9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\55i55.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\55qG5.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\5iQ55.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\7931793.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\79s17s3.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\7iQG7iQ.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\93iQ93cE9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\9gMY931m9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\9oCE9a1k9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\9w1uOC1s9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\9yWS93s7e.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\a9317u3.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\AA9kU7.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\E931e9a.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\eI1q9wSK9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\g5555.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\I55q5.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\I5q55.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\k5yW5.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\KU31iQ3.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\KU9317.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\mYW31y.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\O31mY31oC.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\O3o793i79.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\O5o5o.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\oC179y1c9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\OC3s7eI.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\q55c5.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\q55cE.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\qG93a7.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\qGMY1c.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\QGMY9cE7a.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\S9e17k3.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\SKU55.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\U5m55.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\U93179e.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\uO793iQG.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\w317gMY7c.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\WSKU5.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\Y17o31mY.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\yW31yW3.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\yWS7e3aA9.dll.vir Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Users\USER\AppData\Roaming\d2e.exe Win32/Olmarik.YR trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\USER\Downloads\Thunderbird 2.0.0.24 (en-GB) - 2010-05-24.pcv multiple threats deleted - quarantined
C:\Windows\System32\ernel32.dll Win32/Olmarik.YR trojan cleaned by deleting (after the next restart) - quarantined
C:\Windows\System32\spool\prtprocs\w32x86\31wSK1yW.dll Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Windows\System32\spool\prtprocs\w32x86\31yW3uO9.dll Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Windows\System32\spool\prtprocs\w32x86\k1y93oC9.dll Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Windows\System32\spool\prtprocs\w32x86\KU17931e9.dll Win32/Olmarik.YR trojan cleaned by deleting - quarantined
C:\Windows\System32\spool\prtprocs\w32x86\U5555.dll Win32/Olmarik.YR trojan cleaned by deleting (after the next restart) - quarantined
E:\My Music\Limewire2010\athlete- superhuman touch.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
E:\Dads stuff\Thunderbird 2.0.0.17 (en-GB) - 2008-11-05.pcv multiple threats deleted - quarantined

OTL RESULTS:

OTL.txt:

OTL logfile created on: 05/07/2010 11:42:48 - Run 1
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Users\USER\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 201.55 Gb Free Space | 86.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.83 Gb Total Space | 37.63 Gb Free Space | 16.16% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-PC
Current User Name: USER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - File not found -- C:\Users\USER\AppData\Roaming\d2e.exe
PRC - [2010/07/05 11:41:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe
PRC - [2010/06/28 14:17:16 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/02/17 16:52:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2010/02/17 15:53:26 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2010/02/11 12:36:12 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/12 16:44:32 | 001,785,856 | ---- | M] () -- C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
PRC - [2009/10/02 13:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/04 15:52:58 | 000,202,016 | R--- | M] (SupportSoft, Inc.) -- C:\Program Files\O2\bin\sprtsvc.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2003/06/09 03:07:00 | 000,028,672 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CTHELPER.EXE


========== Modules (SafeList) ==========

MOD - [2010/07/05 11:41:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
MOD - [2009/01/23 10:46:18 | 000,013,840 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2003/06/09 03:07:08 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CTAGENT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/06/06 21:51:44 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/02/24 13:16:08 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/02/17 16:52:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2010/02/17 15:53:26 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/02 13:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/03/04 15:52:58 | 000,202,016 | R--- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\O2\bin\sprtsvc.exe -- (sprtsvc_O2) SupportSoft Sprocket Service (O2)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/07/27 06:39:32 | 000,382,320 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\USER\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010/06/15 22:08:56 | 000,012,800 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\EIO.sys -- (EIO)
DRV - [2010/04/16 21:24:34 | 000,022,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV - [2010/04/14 12:50:14 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/03 23:55:31 | 011,573,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/02/17 16:52:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/02/17 16:52:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2010/02/17 16:52:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/02/17 16:52:10 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/12/11 08:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/03/01 23:05:32 | 000,139,776 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2007/05/03 16:11:14 | 000,256,000 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MRVW13B.sys -- (MRV6X32P)
DRV - [2005/12/29 18:07:50 | 000,282,624 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WG311v3XP.sys -- (W8335XP) NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335)
DRV - [2003/06/09 02:45:04 | 000,116,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\EMUPIA2K.SYS -- (emupia)
DRV - [2003/06/09 02:44:52 | 000,136,448 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2003/06/09 02:44:36 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTPRXY2K.SYS -- (ctprxy2k)
DRV - [2003/06/09 02:44:32 | 000,113,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2003/06/09 02:44:22 | 000,494,384 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTAUD2K.SYS -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2003/06/09 02:42:58 | 000,186,068 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTAC32K.SYS -- (ctac32k)
DRV - [2003/06/09 02:42:44 | 000,135,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hap16v2k.sys -- (hap16v2k)
DRV - [2003/06/09 02:42:28 | 000,819,984 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HA10KX2K.SYS -- (ha10kx2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 85 5F D4 D4 C7 05 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.8

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/07/05 09:57:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/28 14:17:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/28 14:17:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/06/08 14:47:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/06/08 14:48:48 | 000,000,000 | ---D | M] -- C:\Users\USER\AppData\Roaming\Mozilla\Extensions
[2010/06/08 14:48:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\USER\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/06/19 10:25:10 | 000,000,000 | ---D | M] -- C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\9ye2bt5p.default\extensions
[2010/06/21 23:25:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/01 17:56:49 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/01 17:56:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/01 17:56:50 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/01 17:56:50 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/07/01 10:31:15 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O4 - HKLM..\Run: [CTHelper] C:\Windows\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: o2.co.uk ([*.broadband] http in Trusted sites)
O15 - HKCU\..Trusted Domains: o2.co.uk ([*.broadband] https in Trusted sites)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15112/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (MrvGINA.dll) - File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/06/10 17:19:32 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/05 11:41:21 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe
[2010/07/05 10:09:20 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/07/05 09:34:29 | 005,434,248 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\USER\Desktop\mbam-rules.exe
[2010/07/05 09:02:00 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Malwarebytes
[2010/07/05 09:01:52 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/07/05 09:01:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/07/05 09:01:49 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/07/05 09:01:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/04 00:12:52 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\USER\Desktop\mbam-setup-1.46.exe
[2010/07/01 10:33:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/07/01 10:33:12 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\temp
[2010/07/01 10:26:50 | 000,000,000 | ---D | C] -- C:\schrauber
[2010/07/01 10:26:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/07/01 10:26:22 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/06/29 00:20:55 | 000,000,000 | ---D | C] -- C:\Users\USER\Desktop\Summer Tracks
[2010/06/24 11:01:29 | 000,000,000 | ---D | C] -- C:\OEMSettings
[2010/06/24 11:01:04 | 000,000,000 | ---D | C] -- C:\Program Files\NETGEAR
[2010/06/23 22:57:05 | 000,000,000 | ---D | C] -- C:\Device
[2010/06/23 22:44:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/06/23 22:44:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/06/23 22:44:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/06/23 22:44:33 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/06/23 22:43:38 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/20 11:06:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/06/20 11:06:59 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/19 12:40:58 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/19 00:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/06/19 00:45:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2010/06/19 00:45:03 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/06/19 00:44:21 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Adobe
[2010/06/19 00:44:01 | 000,000,000 | ---D | C] -- C:\ProgramData\NOS
[2010/06/18 22:35:00 | 000,282,624 | ---- | C] (Marvell Semiconductor, Inc) -- C:\Windows\System32\drivers\WG311v3XP.sys
[2010/06/18 22:35:00 | 000,000,000 | ---D | C] -- C:\WG311v3
[2010/06/18 22:14:08 | 000,000,000 | ---D | C] -- C:\Program Files\O2_Installer
[2010/06/18 21:57:48 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\EPSON
[2010/06/15 22:08:56 | 000,012,800 | ---- | C] (ASUSTeK Computer Inc.) -- C:\Windows\System32\drivers\EIO.sys
[2010/06/15 16:55:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2010/06/15 16:55:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/06/15 16:55:30 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010/06/15 16:55:30 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/06/15 16:54:29 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Microsoft Help
[2010/06/15 16:54:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/06/15 16:54:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2010/06/15 16:54:04 | 000,000,000 | R--D | C] -- C:\MSOCache
[2010/06/15 10:14:08 | 000,000,000 | ---D | C] -- C:\Program Files\SEGA
[2010/06/13 20:16:15 | 000,000,000 | ---D | C] -- C:\Users\USER\Duke Nukem 3d WinXP-Vista (Original no MOD) - Internet Multiplayer Ready Pack v3.0. Not DNF Forever
[2010/06/10 14:48:18 | 000,000,000 | ---D | C] -- C:\NVIDIA
[2010/06/10 12:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\EPSON
[2010/06/10 12:34:36 | 000,000,000 | ---D | C] -- C:\ProgramData\UDL
[2010/06/10 00:22:17 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[2010/06/09 20:12:18 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2010/06/09 20:11:42 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/06/08 18:55:07 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\vlc
[2010/06/08 18:33:20 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/06/08 15:07:57 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\skypePM
[2010/06/08 15:05:52 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Skype
[2010/06/08 15:04:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/06/08 15:04:06 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/06/08 15:04:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2010/06/08 14:48:40 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Thunderbird
[2010/06/08 14:48:40 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Thunderbird
[2010/06/08 14:47:35 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2010/06/08 14:38:18 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/06/08 14:38:15 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Google
[2010/06/08 14:23:35 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Mozilla
[2010/06/08 14:23:35 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Mozilla
[2010/06/08 14:23:26 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/07 11:45:35 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/06/06 23:49:59 | 000,000,000 | ---D | C] -- C:\ProgramData\SiteAdvisor
[2010/06/06 23:48:11 | 000,079,816 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2010/06/06 23:48:11 | 000,040,552 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys
[2010/06/06 23:48:11 | 000,035,272 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2010/06/06 23:48:08 | 000,130,424 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\Mpfp.sys
[2010/06/06 23:47:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/06/06 23:47:56 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/06/06 23:47:55 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/06/06 23:44:43 | 000,034,248 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys
[2010/06/06 23:37:00 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2010/06/06 23:23:09 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\SupportSoft
[2010/06/06 23:23:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SupportSoft
[2010/06/06 23:08:16 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\ElevatedDiagnostics
[2010/06/06 23:04:36 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/06/06 23:03:52 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/06/06 23:03:51 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2010/06/06 21:51:45 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/06/06 21:49:48 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Diagnostics
[2010/06/06 21:35:03 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2010/06/06 21:34:17 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\uTorrent
[2010/06/06 21:31:15 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/06/06 20:56:21 | 000,020,480 | ---- | C] (Creative Technology Limited) -- C:\Windows\INRES.DLL
[2010/06/06 20:56:21 | 000,000,000 | ---D | C] -- C:\Windows\System32\Data
[2010/06/06 20:56:13 | 000,180,224 | ---- | C] (Creative Technology Limited) -- C:\Windows\READREG.EXE
[2010/06/06 20:56:12 | 000,077,824 | ---- | C] (Creative Labs) -- C:\Windows\System32\EAXAC3.DLL
[2010/06/06 20:56:06 | 000,065,536 | ---- | C] ( ) -- C:\Windows\System32\A3D.DLL
[2010/06/06 20:43:39 | 000,000,000 | ---D | C] -- C:\Program Files\Creative
[2010/06/06 20:42:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/06/06 20:22:00 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2010/06/06 18:40:10 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Macromedia
[2010/06/06 18:40:09 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Adobe
[2010/06/06 18:40:04 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2010/06/06 18:18:24 | 000,000,000 | ---D | C] -- C:\ProgramData\SupportSoft
[2010/06/06 18:17:17 | 000,000,000 | ---D | C] -- C:\Program Files\O2
[2010/06/05 06:14:17 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2010/06/04 21:57:04 | 000,000,000 | R--D | C] -- C:\Users\USER\Searches
[2010/06/04 21:57:04 | 000,000,000 | -H-D | C] -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2010/06/04 21:56:54 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Identities
[2010/06/04 21:56:53 | 000,000,000 | R--D | C] -- C:\Users\USER\Contacts
[2010/06/04 21:56:41 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\VirtualStore
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\AppData\Local\Temporary Internet Files
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Templates
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Start Menu
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\SendTo
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Recent
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\PrintHood
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\NetHood
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Documents\My Videos
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Documents\My Pictures
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Documents\My Music
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\My Documents
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Local Settings
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\AppData\Local\History
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Cookies
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\Application Data
[2010/06/04 21:56:39 | 000,000,000 | -HSD | C] -- C:\Users\USER\AppData\Local\Application Data
[2010/06/04 21:56:38 | 000,000,000 | --SD | C] -- C:\Users\USER\AppData\Roaming\Microsoft
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Videos
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Saved Games
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Pictures
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Music
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Links
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Favorites
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Downloads
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\My Documents
[2010/06/04 21:56:38 | 000,000,000 | R--D | C] -- C:\Users\USER\Desktop
[2010/06/04 21:56:38 | 000,000,000 | -H-D | C] -- C:\Users\USER\AppData
[2010/06/04 21:56:38 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Microsoft
[2010/06/04 21:56:38 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Media Center Programs
[2010/06/04 21:53:16 | 000,000,000 | ---D | C] -- C:\Recovery
[2010/06/04 21:17:43 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/06/04 21:15:37 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2010/06/04 21:15:02 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2010/04/14 12:50:14 | 000,385,536 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys

========== Files - Modified Within 90 Days ==========

[2010/07/05 11:44:06 | 005,505,024 | -HS- | M] () -- C:\Users\USER\NTUSER.DAT
[2010/07/05 11:41:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe
[2010/07/05 11:27:26 | 000,014,224 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/05 11:27:26 | 000,014,224 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/05 10:48:01 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/05 10:08:42 | 002,672,312 | ---- | M] () -- C:\Users\USER\Desktop\esetsmartinstaller_enu.exe
[2010/07/05 10:01:41 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/05 10:01:41 | 000,619,206 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/05 10:01:41 | 000,107,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/05 09:58:42 | 000,015,134 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/07/05 09:57:25 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/05 09:57:21 | 000,000,232 | -H-- | M] () -- C:\Windows\tasks\017d5d2e.job
[2010/07/05 09:57:20 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/05 09:57:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/05 09:57:07 | 1610,014,720 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/05 09:56:36 | 000,024,144 | ---- | M] () -- C:\Windows\System32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/07/05 09:56:36 | 000,024,144 | ---- | M] () -- C:\Windows\System32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/07/05 09:56:36 | 000,016,348 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/07/05 09:56:36 | 000,016,348 | ---- | M] () -- C:\Windows\System32\BMXState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/07/05 09:56:36 | 000,001,080 | ---- | M] () -- C:\Windows\System32\settingsbkup.sfm
[2010/07/05 09:56:36 | 000,001,080 | ---- | M] () -- C:\Windows\System32\settings.sfm
[2010/07/05 09:56:36 | 000,000,288 | ---- | M] () -- C:\Windows\System32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
[2010/07/05 09:56:36 | 000,000,288 | ---- | M] () -- C:\Windows\System32\DVCState-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
[2010/07/05 09:56:17 | 006,291,456 | -H-- | M] () -- C:\Users\USER\AppData\Local\IconCache.db
[2010/07/05 09:56:15 | 003,382,339 | ---- | M] () -- C:\Windows\{00000005-00000000-00000002-00001102-00000002-80671102}.CDF
[2010/07/05 09:56:15 | 003,382,339 | ---- | M] () -- C:\Windows\{00000005-00000000-00000002-00001102-00000002-80671102}.BAK
[2010/07/05 09:08:06 | 005,434,248 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\USER\Desktop\mbam-rules.exe
[2010/07/05 09:01:54 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/04 00:13:46 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\USER\Desktop\mbam-setup-1.46.exe
[2010/07/01 10:31:21 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/07/01 10:31:15 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/06/28 15:12:01 | 284,011,545 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/27 09:42:28 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100627-103518.backup
[2010/06/24 21:31:32 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100624-215550.backup
[2010/06/24 11:01:06 | 000,002,043 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk
[2010/06/24 10:40:25 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100624-120303.backup
[2010/06/21 10:34:08 | 000,408,517 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100621-150043.backup
[2010/06/20 15:11:17 | 000,000,120 | ---- | M] () -- C:\Users\USER\AppData\Local\Flonalibikixe.dat
[2010/06/20 14:22:41 | 000,000,179 | ---- | M] () -- C:\Windows\wininit.ini
[2010/06/20 12:46:46 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/06/20 12:46:46 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/20 11:28:22 | 000,408,517 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100621-103408.backup
[2010/06/20 11:19:24 | 000,408,517 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100620-112822.backup
[2010/06/20 11:07:04 | 000,001,244 | ---- | M] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/06/20 10:08:39 | 000,000,000 | ---- | M] () -- C:\Users\USER\AppData\Local\Qgipape.bin
[2010/06/18 22:16:02 | 000,000,728 | ---- | M] () -- C:\Windows\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
[2010/06/17 15:02:58 | 000,001,822 | ---- | M] () -- C:\Windows\System32\batcgr
[2010/06/15 22:08:56 | 000,012,800 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Windows\System32\drivers\EIO.sys
[2010/06/15 22:00:19 | 000,299,976 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/15 17:23:41 | 000,063,552 | ---- | M] () -- C:\Users\USER\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/06/08 15:08:04 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat
[2010/06/08 14:47:43 | 000,001,979 | ---- | M] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2010/06/08 14:23:33 | 000,001,913 | ---- | M] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/07 19:31:42 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2010/06/06 23:30:12 | 000,001,411 | ---- | M] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/06 23:03:21 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/06/06 21:46:44 | 000,000,011 | ---- | M] () -- C:\Windows\SBWIN.INI
[2010/06/06 17:56:20 | 000,000,338 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2010/06/06 17:56:20 | 000,000,316 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2010/06/06 17:11:37 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/06/04 22:06:35 | 000,524,288 | -HS- | M] () -- C:\Users\USER\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/06/04 22:06:35 | 000,524,288 | -HS- | M] () -- C:\Users\USER\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/06/04 22:06:35 | 000,065,536 | -HS- | M] () -- C:\Users\USER\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/06/04 21:56:39 | 000,000,020 | -HS- | M] () -- C:\Users\USER\ntuser.ini
[2010/06/04 21:18:18 | 000,042,045 | ---- | M] () -- C:\Windows\System32\license.rtf
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/14 12:50:14 | 000,385,536 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys

========== Files Created - No Company Name ==========

[2010/07/05 10:08:40 | 002,672,312 | ---- | C] () -- C:\Users\USER\Desktop\esetsmartinstaller_enu.exe
[2010/07/05 09:01:54 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/24 11:01:06 | 000,002,043 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk
[2010/06/23 22:44:45 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/06/23 22:44:44 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/23 22:44:43 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/06/23 22:44:43 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/06/23 22:44:43 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/06/20 12:46:46 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/06/20 12:46:46 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/06/20 12:43:46 | 000,000,179 | ---- | C] () -- C:\Windows\wininit.ini
[2010/06/20 11:07:04 | 000,001,244 | ---- | C] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/06/18 22:15:49 | 000,000,728 | ---- | C] () -- C:\Windows\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
[2010/06/17 15:02:58 | 000,001,822 | ---- | C] () -- C:\Windows\System32\batcgr
[2010/06/16 22:36:07 | 000,000,120 | ---- | C] () -- C:\Users\USER\AppData\Local\Flonalibikixe.dat
[2010/06/16 22:36:07 | 000,000,000 | ---- | C] () -- C:\Users\USER\AppData\Local\Qgipape.bin
[2010/06/16 20:01:25 | 000,000,232 | -H-- | C] () -- C:\Windows\tasks\017d5d2e.job
[2010/06/15 22:15:00 | 000,009,880 | ---- | C] () -- C:\Windows\System32\nvdisp.nvu
[2010/06/13 20:16:07 | 147,724,909 | ---- | C] () -- C:\Users\USER\Duke Nukem 3d WinXP-Vista (Original no MOD) - Internet Multiplayer Ready Pack v3.0. Not DNF Forever.zip
[2010/06/08 15:08:04 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/06/08 14:47:43 | 000,001,979 | ---- | C] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2010/06/08 14:38:26 | 000,000,880 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/08 14:38:26 | 000,000,876 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/08 14:23:33 | 000,001,913 | ---- | C] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/07 19:31:42 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2010/06/07 13:03:12 | 000,002,516 | ---- | C] () -- C:\Windows\System32\P16X.ini
[2010/06/07 11:45:27 | 284,011,545 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/06/06 23:50:25 | 000,015,134 | ---- | C] () -- C:\Windows\System32\Config.MPF
[2010/06/06 23:48:02 | 000,000,338 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job
[2010/06/06 23:48:00 | 000,000,316 | ---- | C] () -- C:\Windows\tasks\McQcTask.job
[2010/06/06 23:30:12 | 000,001,411 | ---- | C] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/06 23:03:21 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/06/06 21:52:07 | 000,016,348 | ---- | C] () -- C:\Windows\System32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/06/06 21:52:07 | 000,016,348 | ---- | C] () -- C:\Windows\System32\BMXState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/06/06 21:52:07 | 000,001,080 | ---- | C] () -- C:\Windows\System32\settingsbkup.sfm
[2010/06/06 21:52:07 | 000,001,080 | ---- | C] () -- C:\Windows\System32\settings.sfm
[2010/06/06 21:52:07 | 000,000,288 | ---- | C] () -- C:\Windows\System32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
[2010/06/06 21:52:07 | 000,000,288 | ---- | C] () -- C:\Windows\System32\DVCState-{00000005-00000000-00000002-00001102-00000002-80671102}.dat
[2010/06/06 21:48:23 | 003,382,339 | ---- | C] () -- C:\Windows\{00000005-00000000-00000002-00001102-00000002-80671102}.BAK
[2010/06/06 21:48:19 | 003,382,339 | ---- | C] () -- C:\Windows\{00000005-00000000-00000002-00001102-00000002-80671102}.CDF
[2010/06/06 21:47:11 | 000,024,144 | ---- | C] () -- C:\Windows\System32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/06/06 21:47:11 | 000,024,144 | ---- | C] () -- C:\Windows\System32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000002-80671102}.rfx
[2010/06/06 21:28:06 | 000,007,062 | ---- | C] () -- C:\Windows\System32\audiopid.vxd
[2010/06/06 20:56:21 | 000,035,674 | ---- | C] () -- C:\Windows\System32\Emu10kx.ini
[2010/06/06 20:56:21 | 000,000,026 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2010/06/06 20:56:18 | 000,004,398 | ---- | C] () -- C:\Windows\System32\SBLive.ico
[2010/06/06 20:56:18 | 000,003,126 | ---- | C] () -- C:\Windows\System32\Live.bmp
[2010/06/06 20:56:17 | 002,259,067 | ---- | C] () -- C:\Windows\System32\DEFAULT.ECW
[2010/06/06 20:56:17 | 000,251,970 | ---- | C] () -- C:\Windows\System32\CTSTATIC.DAT
[2010/06/06 20:56:16 | 000,189,490 | ---- | C] () -- C:\Windows\System32\CTDLANG.DAT
[2010/06/06 20:56:16 | 000,142,968 | ---- | C] () -- C:\Windows\System32\CTBAS2W.DAT
[2010/06/06 20:56:16 | 000,114,972 | ---- | C] () -- C:\Windows\System32\CTBASICW.DAT
[2010/06/06 20:56:16 | 000,053,674 | ---- | C] () -- C:\Windows\System32\CTDAUGHT.DAT
[2010/06/06 20:56:13 | 000,184,320 | ---- | C] () -- C:\Windows\PSCONV.EXE
[2010/06/06 20:56:13 | 000,036,864 | ---- | C] () -- C:\Windows\System32\REGPLIB.EXE
[2010/06/06 20:56:12 | 000,049,152 | ---- | C] () -- C:\Windows\System32\KILLAPPS.EXE
[2010/06/06 20:56:12 | 000,005,515 | ---- | C] () -- C:\Windows\System32\ENSDEF.INI
[2010/06/06 20:56:12 | 000,000,192 | ---- | C] () -- C:\Windows\System32\KILL.INI
[2010/06/06 20:56:12 | 000,000,059 | ---- | C] () -- C:\Windows\System32\DEFAULT8.SFM
[2010/06/06 20:56:12 | 000,000,059 | ---- | C] () -- C:\Windows\System32\DEFAULT4.SFM
[2010/06/06 20:56:12 | 000,000,059 | ---- | C] () -- C:\Windows\System32\DEFAULT.SFM
[2010/06/06 20:56:09 | 004,174,291 | ---- | C] () -- C:\Windows\CTDVAUDY.CDF
[2010/06/06 20:56:08 | 003,735,544 | ---- | C] () -- C:\Windows\CTDV10K2.CDF
[2010/06/06 20:56:07 | 003,382,339 | ---- | C] () -- C:\Windows\CTDV10K1.CDF
[2010/06/06 20:56:06 | 002,167,684 | ---- | C] () -- C:\Windows\System32\CT2MGM.SF2
[2010/06/06 20:56:06 | 001,048,576 | ---- | C] () -- C:\Windows\System32\CT1MGM.ROM
[2010/06/06 20:56:00 | 000,000,011 | ---- | C] () -- C:\Windows\SBWIN.INI
[2010/06/06 17:11:37 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/06/04 21:56:39 | 000,524,288 | -HS- | C] () -- C:\Users\USER\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/06/04 21:56:39 | 000,524,288 | -HS- | C] () -- C:\Users\USER\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/06/04 21:56:39 | 000,000,020 | -HS- | C] () -- C:\Users\USER\ntuser.ini
[2010/06/04 21:56:38 | 005,505,024 | -HS- | C] () -- C:\Users\USER\NTUSER.DAT
[2010/06/04 21:56:38 | 000,262,144 | -HS- | C] () -- C:\Users\USER\ntuser.dat.LOG1
[2010/06/04 21:56:38 | 000,065,536 | -HS- | C] () -- C:\Users\USER\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/06/04 21:56:38 | 000,000,290 | ---- | C] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2010/06/04 21:56:38 | 000,000,272 | ---- | C] () -- C:\Users\USER\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2010/06/04 21:56:38 | 000,000,000 | -HS- | C] () -- C:\Users\USER\ntuser.dat.LOG2
[2010/06/04 21:15:02 | 1610,014,720 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/14 00:36:08 | 000,193,024 | ---- | C] () -- C:\Windows\System32\sppcomapi.dll

========== LOP Check ==========

[2010/06/18 21:57:48 | 000,000,000 | ---D | M] -- C:\Users\USER\AppData\Roaming\EPSON
[2010/06/08 14:48:44 | 000,000,000 | ---D | M] -- C:\Users\USER\AppData\Roaming\Thunderbird
[2010/07/05 09:58:51 | 000,000,000 | ---D | M] -- C:\Users\USER\AppData\Roaming\uTorrent
[2010/07/05 09:57:21 | 000,000,232 | -H-- | M] () -- C:\Windows\Tasks\017d5d2e.job
[2010/06/06 17:56:20 | 000,000,338 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2010/06/06 17:56:20 | 000,000,316 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2010/06/19 00:29:54 | 000,024,420 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\agp440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\agp440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iastorv.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemdrive%\*.sys /90 /md5 >
[2010/07/05 09:57:07 | 1610,014,720 | -HS- | M] () Unable to obtain MD5 -- C:\hiberfil.sys
[2010/06/20 12:46:46 | 000,000,000 | RHS- | M] () MD5=D41D8CD98F00B204E9800998ECF8427E -- C:\IO.SYS
[2010/06/20 12:46:46 | 000,000,000 | RHS- | M] () MD5=D41D8CD98F00B204E9800998ECF8427E -- C:\MSDOS.SYS
[2010/07/05 09:57:09 | 2146,689,024 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys

< End of report >




Extra.txt:

OTL Extras logfile created on: 05/07/2010 11:42:48 - Run 1
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Users\USER\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 201.55 Gb Free Space | 86.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.83 Gb Total Space | 37.63 Gb Free Space | 16.16% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-PC
Current User Name: USER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1BA7B068-4719-42A3-B553-D4ED97434F92}" = ASUS Utilities
"{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}" = O2 Broadband Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{70014586-7BBA-4A92-A610-CDC896C48F8F}" = NETGEAR WG311v3 PCI Adapter
"{74B1CEB6-B4BF-46FD-8080-CE3C1809B010}" = O2InstV3Win7UpdateV2
"{7CE0803C-CA6A-4D7A-8FB8-055EBB4AF141}" = The Typing of The Dead US
"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"EPSON Printer and Utilities" = EPSON Printer Software
"ESET Online Scanner" = ESET Online Scanner v3
"HijackThis" = HijackThis 2.0.2
"InstallShield_{70014586-7BBA-4A92-A610-CDC896C48F8F}" = NETGEAR WG311v3 PCI Adapter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"MSC" = McAfee SecurityCenter
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"WinRAR archiver" = WinRAR archiver
"WORD" = Microsoft Office Word 2007

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04/07/2010 13:07:51 | Computer Name = USER-PC | Source = Software Protection Platform Service | ID = 8198
Description = License Activation (slui.exe) failed with the following error code:
0x80070005

Error - 04/07/2010 13:07:51 | Computer Name = USER-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x00000000.

Error - 04/07/2010 13:11:09 | Computer Name = USER-PC | Source = Software Protection Platform Service | ID = 8198
Description = License Activation (slui.exe) failed with the following error code:
0x80070005

Error - 04/07/2010 13:11:09 | Computer Name = USER-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x00000000.

Error - 05/07/2010 03:30:39 | Computer Name = USER-PC | Source = Software Protection Platform Service | ID = 8198
Description = License Activation (slui.exe) failed with the following error code:
0x80070005

Error - 05/07/2010 03:30:39 | Computer Name = USER-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x00000000.

Error - 05/07/2010 03:46:52 | Computer Name = USER-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 05/07/2010 04:26:04 | Computer Name = USER-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.

Error - 05/07/2010 04:57:20 | Computer Name = USER-PC | Source = Software Protection Platform Service | ID = 8198
Description = License Activation (slui.exe) failed with the following error code:
0x80070005

Error - 05/07/2010 04:57:20 | Computer Name = USER-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x00000000.

[ System Events ]
Error - 28/06/2010 20:29:58 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 29/06/2010 19:00:52 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 01/07/2010 05:27:29 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 01/07/2010 05:31:17 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 01/07/2010 06:06:39 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 03/07/2010 07:24:42 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 03/07/2010 08:30:52 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 04/07/2010 13:11:19 | Computer Name = USER-PC | Source = DCOM | ID = 10010
Description =

Error - 04/07/2010 13:11:44 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 05/07/2010 04:56:22 | Computer Name = USER-PC | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.


< End of report >


#8 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 07 July 2010 - 12:46 PM

Hi,


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    PRC - File not found -- C:\Users\USER\AppData\Roaming\d2e.exe
    [2010/06/16 22:36:07 | 000,000,120 | ---- | C] () -- C:\Users\USER\AppData\Local\Flonalibikixe.dat
    [2010/06/16 22:36:07 | 000,000,000 | ---- | C] () -- C:\Users\USER\AppData\Local\Qgipape.bin
    [2010/06/16 20:01:25 | 000,000,232 | -H-- | C] () -- C:\Windows\tasks\017d5d2e.job
    [2010/06/15 22:15:00 | 000,009,880 | ---- | C] () -- C:\Windows\System32\nvdisp.nvu
    [2010/07/05 09:57:21 | 000,000,232 | -H-- | M] () -- C:\Windows\Tasks\017d5d2e.job
    [2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window: OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.



How is it running now?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 3ert250 (Topic Starter, Members, 10 posts)

Posted 08 July 2010 - 09:23 AM

Hi Tom,
my computer is running pretty well so far, no pop-ups as of yet, but I'm having a bit of trouble with the last instructions you gave me.
I attempt to do the custom fix in OTL and it just freezes or stops responding at the "PRC - File not found -- C:\Users\USER\AppData\Roaming\d2e.exe" point.
Any suggestions?

Your assistance has been great,

thank you

#10 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 10 July 2010 - 07:32 AM

Please try the fix again in safe mode.
regards,
schrauber


#11 3ert250 (Topic Starter, Members, 10 posts)

Posted 12 July 2010 - 09:54 AM

Hi Tom, I'm not having much luck with the OTL fix; even when I try it in safe mode it still gets stuck on "not responding".
What do you suggest?

#12 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 14 July 2010 - 01:11 PM

Weird. Please take out the one PRC line and run the fix, post back with the follow up scan.
regards,
schrauber


#13 3ert250 (Topic Starter, Members, 10 posts)

Posted 15 July 2010 - 05:13 AM

Hi Tom, the OTL fix worked with the PRC line removed. Just letting you know I won't have access to my computer until next Wednesday, so my reply will be delayed. Here are the OTL results; once again, thanks for your help:

========== OTL ==========
C:\Users\USER\AppData\Local\Flonalibikixe.dat moved successfully.
C:\Users\USER\AppData\Local\Qgipape.bin moved successfully.
C:\Windows\Tasks\017d5d2e.job moved successfully.
C:\Windows\System32\nvdisp.nvu moved successfully.
File C:\Windows\Tasks\017d5d2e.job not found.
File move failed. C:\Windows\System32\sppcomapi.dll scheduled to be moved on reboot.

OTL by OldTimer - Version 3.2.8.1 log created on 07152010_105820

Files\Folders moved on Reboot...
C:\Windows\System32\sppcomapi.dll moved successfully.

Registry entries deleted on Reboot...
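The two structured outputs in this thread, the OTL scan listing that the helper's fix in post #8 was built from and the fix-result log above, can be parsed and cross-checked mechanically. The following Python is an added example (not code from the thread, from OTL or from its author): it parses OTL file lines, flags entries with heuristics of its own that only approximate the helper's judgement, and reads the fix log to confirm each flagged path was actually moved. It assumes only the line formats visible in the thread; the sample lines are copied from the logs above.

```python
"""Triage helpers for OTL logs (an added example; not OTL's or the thread's own code).
Line format: [date time | size | attrs | C|M] (company) [MD5 info] -- path. Heuristics are ours."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OTL_ENTRY = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))?"
    r"(?P<md5> (?:Unable to obtain MD5|MD5=[0-9A-F]{32}))? -- (?P<path>.+)$")
FIX_RESULT = re.compile(
    r"^(?:(?P<moved>.+?) moved successfully\.|File (?P<missing>.+?) not found\."
    r"|File move failed\. (?P<deferred>.+?) scheduled to be moved on reboot\.)$")

@dataclass
class Entry:
    date: str
    size: int
    attrs: str          # OTL flags: R, H (hidden), S, D (directory), '-' otherwise
    kind: str           # C = created in the scan window, M = modified
    company: str        # '' when the file carries no version-info company name
    md5: Optional[str]  # hex digest, 'unavailable' (OTL could not hash it) or None
    path: str

def parse_entry(line: str) -> Optional[Entry]:
    """Entry for one OTL file line, or None for headers and blank lines."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    md5 = m.group("md5")
    md5 = ("unavailable" if "Unable" in md5 else md5.split("=")[1]) if md5 else None
    return Entry(m.group("date"), int(m.group("size").replace(",", "")), m.group("attrs"),
                 m.group("kind"), m.group("company") or "", md5, m.group("path"))

def triage(e: Entry) -> List[str]:
    """Reasons this entry deserves a closer look; an empty list means none fired."""
    p = e.path.lower()
    parent, is_dir = p.rsplit("\\", 1)[0], "D" in e.attrs
    reasons = []
    # Scheduled tasks are not normally hidden; a hidden .job is a persistence tell.
    if p.endswith(".job") and "\\tasks\\" in p and "H" in e.attrs:
        reasons.append("hidden scheduled task")
    # Vendor-less files dropped straight into AppData\Local or \Roaming (the .dat and .bin
    # above) rarely belong to real software; folders such as \Roaming\Thunderbird are normal.
    if not is_dir and not e.company and parent.endswith(("\\appdata\\local", "\\appdata\\roaming")):
        reasons.append("vendor-less loose file in AppData root")
    # A System32 file OTL cannot hash and that carries no company name (sppcomapi.dll above)
    # should be compared against a known-good copy rather than trusted.
    if "\\windows\\system32\\" in p and e.md5 == "unavailable" and not e.company:
        reasons.append("locked System32 file with no company name")
    return reasons

def flag_scan(scan_log: str) -> Dict[str, List[str]]:
    flagged = {}
    for line in scan_log.splitlines():
        e = parse_entry(line)
        if e and (reasons := triage(e)):
            flagged[e.path] = reasons
    return flagged

def fix_outcomes(fix_log: str) -> Dict[str, str]:
    """Final outcome per lower-cased path in an OTL fix log ('moved', 'not found', 'pending
    reboot'); lower-cased because OTL prints 'tasks' in the scan but 'Tasks' in the fix."""
    outcome: Dict[str, str] = {}
    for line in fix_log.splitlines():
        m = FIX_RESULT.match(line.strip())
        if m and m.group("moved"):           # a later success overrides an earlier deferral
            outcome[m.group("moved").lower()] = "moved"
        elif m and m.group("missing"):       # a duplicate fix line never demotes a moved path
            outcome.setdefault(m.group("missing").lower(), "not found")
        elif m:
            outcome.setdefault(m.group("deferred").lower(), "pending reboot")
    return outcome

def unresolved(scan_log: str, fix_log: str) -> List[str]:
    """Flagged paths that the fix log does not report as moved."""
    done = fix_outcomes(fix_log)
    return [p for p in flag_scan(scan_log) if done.get(p.lower()) != "moved"]

# Constructed samples: lines copied from the scan log and the fix result in this thread.
SAMPLE_SCAN = r"""[2010/06/16 22:36:07 | 000,000,120 | ---- | C] () -- C:\Users\USER\AppData\Local\Flonalibikixe.dat
[2010/06/16 22:36:07 | 000,000,000 | ---- | C] () -- C:\Users\USER\AppData\Local\Qgipape.bin
[2010/06/16 20:01:25 | 000,000,232 | -H-- | C] () -- C:\Windows\tasks\017d5d2e.job
[2010/06/06 23:48:02 | 000,000,338 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\agp440.sys
[2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
[2010/06/08 14:48:44 | 000,000,000 | ---D | M] -- C:\Users\USER\AppData\Roaming\Thunderbird"""
SAMPLE_FIX = r"""C:\Users\USER\AppData\Local\Flonalibikixe.dat moved successfully.
C:\Users\USER\AppData\Local\Qgipape.bin moved successfully.
C:\Windows\Tasks\017d5d2e.job moved successfully.
File C:\Windows\Tasks\017d5d2e.job not found.
File move failed. C:\Windows\System32\sppcomapi.dll scheduled to be moved on reboot.
C:\Windows\System32\sppcomapi.dll moved successfully."""
```

Running `unresolved(SAMPLE_SCAN, SAMPLE_FIX)` on the samples returns an empty list; drop the final "moved successfully" line for sppcomapi.dll and it reports that file as still pending, which is the case to check after the reboot OTL asks for.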


#14 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 16 July 2010 - 02:21 PM

Please post back with the follow up scan when you are back.
regards,
schrauber


#15 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 19 July 2010 - 10:57 AM

Still with me?
regards,
schrauber
