
Internet Explorer and Firefox Web Searches (via Google links) are Re-directed


This topic is locked.
25 replies to this topic

#1 ScottRecinos (Members, 23 posts)

Posted 05 July 2010 - 02:38 PM

When I open Internet Explorer or Mozilla Firefox, they open to the correct home page, which is the Google search page. When I search for something, they take me to the list of websites. When I click on one of those links, either Internet Explorer or Mozilla Firefox takes me to a different site. In order to get to the right website, I have to copy and paste the address directly into the address bar. I have run Spybot, CCleaner, Malwarebytes and Norton AntiVirus, and they all indicate my computer is free of viruses, spyware, etc. Please help me. Thank you.
Best regards

My DDS and GMER logs are posted below.

Thanks!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Scott at 11:10:57.85 on Mon 07/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.367 [GMT -4:00]

AV: Freedom Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Freedom Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Scott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518090057.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {3DE5D178-BD44-4709-A9CC-3211619A5B19} - No File
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Dell|Alert] c:\program files\dell\support\alert\bin\DAMon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\WECPUpdate.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41695A8E-6414-11D4-8FB3-00D0B7730277} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {671289C8-0D4A-4EDC-89DD-458C8AB6977A} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127216826468
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} - hxxp://www.spincam.com/360video/plugins/iVideoViewer3_0.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://phobos.apple.com/detection/ITDetector.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.1.6 HP000D9D084D83

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\gmqmna0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\documents and settings\scott\application data\mozilla\firefox\profiles\gmqmna0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-22 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-22 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-22 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-22 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-22 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-22 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-22 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-22 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-22 88480]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2007-12-7 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2007-12-7 545088]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-22 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-22 83496]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2007-12-7 19232]

=============== Created Last 30 ================

2010-07-05 13:07:57 0 ----a-w- c:\documents and settings\scott\defogger_reenable
2010-06-26 10:26:28 0 d-----w- c:\temp\r1ptemp39
2010-06-23 21:55:08 0 d-----w- c:\program files\Conduit
2010-06-23 21:55:02 0 d-----w- c:\program files\iUserbar
2010-06-13 22:41:33 516096 ----a-w- c:\windows\system32\CLVSDS.ax
2010-06-13 22:41:33 348160 ----a-w- c:\windows\system32\cdga.dll
2010-06-13 22:41:33 270336 ----a-w- c:\windows\system32\cdg.dll
2010-06-13 22:41:33 14909 ----a-w- c:\windows\system32\A_reg.reg
2010-06-13 22:41:33 110592 ----a-w- c:\windows\system32\PropListCtrl.ocx
2010-06-13 22:16:51 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-07-02 22:38:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 16:24:17 2428596 ----a-w- c:\program files\aoadvdcopy.exe
2010-05-23 14:46:02 5518118 ----a-w- c:\program files\DVD2iPodFull7.27Ekdi.exe
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-08-22 14:19:57 347434768 ----a-w- c:\program files\430_b023_multilanguage.exe
2001-08-18 11:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2004-08-20 03:26:54 1216 --sh--w- c:\windows\Twunk_16.dll
2004-08-20 03:26:54 1216 --sh--w- c:\windows\Twunk_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-05-12 12:36:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 11:15:53.56 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-05 15:01:39
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Scott\LOCALS~1\Temp\fxtoapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwClose [0xF0018B4C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF75EFDB0]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwCreateSection [0xF0018DB7]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF75EFDC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF75EFDF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF75EFE46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF75EFD9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF75EFD74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF75EFD88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF75EFDDA]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwSetInformationFile [0xF0018235]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF75EFE1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF75EFE06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF75EFE70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF75EFE5C]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwWriteFile [0xF0017E81]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF75EFE30]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtClose
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtCreateSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtSetInformationFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtWriteFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP F0018DBB \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!NtClose 805678CD 5 Bytes JMP F0018B50 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!IoCreateFile 8056CE43 5 Bytes JMP F00179AA \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!NtSetInformationFile 80574B2A 5 Bytes JMP F0018239 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!NtWriteFile 80574DD5 7 Bytes JMP F0017E85 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
.rsrc C:\WINDOWS\System32\DRIVERS\rasacd.sys entry point in ".rsrc" section [0xF6C25C14]
PAGE Fastfat.SYS EFFE69C8 7 Bytes JMP F001939E \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\System32\svchost.exe[404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D0014
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C000A4
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00087
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00FCA
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00047
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F66
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F77
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F30
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F4B
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F15
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C0006C
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F94
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00036
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00025
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C000C9
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0036
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0F79
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF001B
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FAA
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE003F
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE001D
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE002E
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0FC3
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006E0FB2
.text C:\WINDOWS\System32\svchost.exe[404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 016E0000
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 016E0FD4
.text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 016E0FE5
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01730000
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0173006E
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0173005D
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0173004C
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01730F83
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01730FB9
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01730090
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0173007F
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017300BC
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01730F19
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01730F08
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01730F9E
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01730FE5
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01730F54
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01730025
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01730FD4
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 017300A1
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0172002F
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01720FA1
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01720FD4
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0172000A
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01720FB2
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01720FE5
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01720054
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01720FC3
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0171005D
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 01710042
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0171000C
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01710FE3
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01710031
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01710FD2
.text C:\WINDOWS\system32\services.exe[992] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 016F0FEF
.text C:\WINDOWS\system32\services.exe[992] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 016F0014
.text C:\WINDOWS\system32\services.exe[992] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 016F0FDE
.text C:\WINDOWS\system32\services.exe[992] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 016F002F
.text C:\WINDOWS\system32\services.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01700FEF
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E60036
.text C:\WINDOWS\system32\lsass.exe[1004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0093
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB0082
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EB005B
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EB0F9E
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EB00BA
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB0F72
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB0F3C
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB0F57
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB0F2B
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB0F83
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EB0040
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB00CB
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EA0FD4
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EA0FAF
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EA0025
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EA006C
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EA0051
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EA0040
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90F9A
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90FB5
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FC6
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FD7
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\lsass.exe[1004] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\lsass.exe[1004] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\lsass.exe[1004] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\lsass.exe[1004] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 025A0000
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 025A001B
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 025A0FE5
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025F0FE5
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025F0F8D
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025F0082
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025F0065
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025F0FA8
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025F0FC3
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025F0F5F
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025F0F70
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025F00E7
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025F00CC
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025F0F29
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025F0054
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025F000A
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025F009D
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025F0FD4
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025F001B
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025F0F44
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025E0036
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025E005B
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025E0FEF
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025E0025
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025E0F9E
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025E0000
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 025E0FAF
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7E, 8A] {JLE 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025E0FCA
.text C:\WINDOWS\system32\svchost.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025D0025
.text C:\WINDOWS\system32\svchost.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 025D0014
.text C:\WINDOWS\system32\svchost.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025D0FB5
.text C:\WINDOWS\system32\svchost.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025D0FEF
.text C:\WINDOWS\system32\svchost.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025D0FA4
.text C:\WINDOWS\system32\svchost.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025D0FC6
.text C:\WINDOWS\system32\svchost.exe[1164] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 025B0000
.text C:\WINDOWS\system32\svchost.exe[1164] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 025B0FE5
.text C:\WINDOWS\system32\svchost.exe[1164] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 025B0FD4
.text C:\WINDOWS\system32\svchost.exe[1164] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 025B001B
.text C:\WINDOWS\system32\svchost.exe[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025C0FEF
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F57
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F72
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F83
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FAF
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F0E
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F29
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70093
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70082
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700AE
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F46
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FC0
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70011
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70071
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60073
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60011
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60FB6
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60058
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F6003D
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50F9E
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E50FAF
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50029
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E3002C
.text C:\WINDOWS\system32\svchost.exe[1268] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E30047
.text C:\WINDOWS\system32\svchost.exe[1268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40000
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DD000A
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DD0040
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD001B
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 056D000A
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 056D0F6D
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 056D0F7E
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 056D0062
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 056D0047
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 056D0036
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 056D0089
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 056D0F37
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 056D0F0B
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 056D0F1C
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 056D0EF0
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 056D0FA5
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 056D0FEF
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 056D0F52
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 056D0025
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 056D0FDE
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 056D00A4
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 056C0FC0
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 056C0F76
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 056C0FDB
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 056C0011
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 056C003D
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 056C0000
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 056C0FA5
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 8D]
.text C:\WINDOWS\Explorer.EXE[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 056C002C
.text C:\WINDOWS\Explorer.EXE[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00F9C
.text C:\WINDOWS\Explorer.EXE[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FAD
.text C:\WINDOWS\Explorer.EXE[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E00FC8
.text C:\WINDOWS\Explorer.EXE[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00000
.text C:\WINDOWS\Explorer.EXE[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E0001D
.text C:\WINDOWS\Explorer.EXE[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00FE3
.text C:\WINDOWS\Explorer.EXE[1328] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DE0000
.text C:\WINDOWS\Explorer.EXE[1328] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DE001B
.text C:\WINDOWS\Explorer.EXE[1328] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DE002C
.text C:\WINDOWS\Explorer.EXE[1328] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DE0FDB
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50073
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50F7E
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50058
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A5003D
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50FA5
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500AB
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A5008E
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A50F1C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50F2D
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50F0B
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50F63
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A50F3E
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0094001B
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00940F79
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00940FD4
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00940F8A
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00940036
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00940FAF
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930F9C
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FB7
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FE3
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FC8
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0092002C
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00920047
.text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0000
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0089
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0F9E
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0FAF
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0FC0
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0FDB
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD00B5
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD00A4
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD00E1
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0F52
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD00F2
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0062
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD001B
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0F79
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0047
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD002C
.text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD00D0
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC003D
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0FB6
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC002C
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0011
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0073
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CC0FC7
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EC, 88]
.text C:\WINDOWS\System32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC004E
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0F9A
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0025
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB0FBC
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FAB
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0FE3
.text C:\WINDOWS\System32\svchost.exe[1532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C90000
.text C:\WINDOWS\System32\svchost.exe[1532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C90011
.text C:\WINDOWS\System32\svchost.exe[1532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C90FDB
.text C:\WINDOWS\System32\svchost.exe[1532] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C9002C
.text C:\WINDOWS\System32\svchost.exe[1532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90082
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F97
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90065
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900D5
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C900AE
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90101
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900F0
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C9011C
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90040
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90093
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90025
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90014
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F72
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FA8
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F4D
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FC3
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80FDE
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80F68
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C80F8D
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes CALL C89FEDE5
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C8000A
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70053
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70042
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C7001D
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70000
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70FC8
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70FE3
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006F0FC0
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006F0011
.text C:\WINDOWS\System32\svchost.exe[1656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DB000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00390FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00390039
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00390FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00390FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00390F72
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0039000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00390F8D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [59, 88]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00390FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003A0F95
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 003A0FA6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003A0FC1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003A0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003A0020
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003A0FDE
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2592] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[2592] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006E0FC3
.text C:\WINDOWS\System32\svchost.exe[2592] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC000A
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0084
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0073
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0062
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0FA5
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FB6
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC00D5
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC00BA
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC010B
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F72
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC011C
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0047
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC001B
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC00A9
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0FDB
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC002C
.text C:\WINDOWS\System32\svchost.exe[2592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00F0
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0062
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB001B
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0051
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB000A
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EB0FAF
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
.text C:\WINDOWS\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0040
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA004E
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0033
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0022
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FCD
.text C:\WINDOWS\System32\svchost.exe[2592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FDE
.text C:\WINDOWS\System32\svchost.exe[2592] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\System32\svchost.exe[2592] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\System32\svchost.exe[2592] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\System32\svchost.exe[2592] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006F0FA8
.text C:\WINDOWS\system32\SearchIndexer.exe[2884] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DB000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00390036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00390076
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00390025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0039000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00390065
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00390FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00390FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [59, 88]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00390FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003A0F9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] msvcrt.dll!system 77C293C7 5 Bytes JMP 003A0FB7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003A0FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003A0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003A0027
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003A000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4844] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[4872] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\System32\svchost.exe[4872] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090014
.text C:\WINDOWS\System32\svchost.exe[4872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FDE
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001E0FE5
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001E0F63
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001E0058
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001E0F7E
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001E003D
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001E0011
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001E0F10
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001E0F2B
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001E00B3
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001E0098
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001E0EFF
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001E002C
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001E0000
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001E0F52
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001E0FA5
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001E0FC0
.text C:\WINDOWS\System32\svchost.exe[4872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001E0073
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0036
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0062
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0025
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0014
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0051
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0FAF
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\System32\svchost.exe[4872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0FCA
.text C:\WINDOWS\System32\svchost.exe[4872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00420FA4
.text C:\WINDOWS\System32\svchost.exe[4872] msvcrt.dll!system 77C293C7 5 Bytes JMP 0042002F
.text C:\WINDOWS\System32\svchost.exe[4872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0042000A
.text C:\WINDOWS\System32\svchost.exe[4872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00420FE3
.text C:\WINDOWS\System32\svchost.exe[4872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00420FB5
.text C:\WINDOWS\System32\svchost.exe[4872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00420FC6
.text C:\WINDOWS\System32\svchost.exe[4872] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006A0000
.text C:\WINDOWS\System32\svchost.exe[4872] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006A001B
.text C:\WINDOWS\System32\svchost.exe[4872] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006A0FE5
.text C:\WINDOWS\System32\svchost.exe[4872] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006A0FCA
.text C:\WINDOWS\System32\svchost.exe[4872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[5500] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[5500] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[5500] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0073000C
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0011
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0058
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FCA
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FDB
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0F9B
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0000
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002D003D
.text C:\WINDOWS\System32\svchost.exe[5500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0022
.text C:\WINDOWS\System32\svchost.exe[5500] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 016D000A
.text C:\WINDOWS\System32\svchost.exe[5500] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[5500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00420FB4
.text C:\WINDOWS\System32\svchost.exe[5500] msvcrt.dll!system 77C293C7 5 Bytes JMP 0042003F
.text C:\WINDOWS\System32\svchost.exe[5500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0042002E
.text C:\WINDOWS\System32\svchost.exe[5500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00420000
.text C:\WINDOWS\System32\svchost.exe[5500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00420FCF
.text C:\WINDOWS\System32\svchost.exe[5500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00420011

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85E5CEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ C:\Program Files\Common Files\supportsoft\bin\tgctlsi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@InprocServer32 ?v{Vln,)d@k?EQi_xAZ6SupportSoftClientSmartIssueControl>+u0Tfdq{J@sYTb6GjINd?
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\ProgID@ SPRT.SmartIssue.1
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\Programmable@
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\TypeLib@ {01010e01-5e80-11d8-9e86-0007e96c65ae}
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\VersionIndependentProgID@ SPRT.SmartIssue

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\rasacd.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 05 July 2010 - 04:42 PM.
Move to log forum. ~ OB
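The GMER hook lines in the log above come in two kinds. Where GMER could map the JMP or CALL target to a loaded module it appends the image path and vendor (the USER32 hooks in IEXPLORE.EXE point into IEFRAME.dll, the McSvHost hooks into mcproxy.dll); where it could not, the line ends in a bare address. The hooks in the several svchost.exe instances (ntdll, kernel32, ADVAPI32, msvcrt, WININET and WS2_32 exports, all redirected to low, unnamed addresses) are of the second kind. The script below is an added example, not part of the original post and not GMER's own code; it assumes only the GMER 1.0.15 line layout visible in the log, and its sample input is excerpted from that log. It separates attributed from unattributed hooks, pulls out the kernel-side "Device ->" and "suspicious modification" lines, and reports exports that were hooked into unnamed memory in more than one process, which is the shape of one component injected into each of them rather than of a product hooking its own host.

```python
"""Triage of GMER user-mode hook lines (added example, not GMER code)."""
import re
from collections import defaultdict

# Excerpt of the GMER log posted above; the full log has many more hook lines.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[1532] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[1532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C90000
.text C:\WINDOWS\System32\svchost.exe[1532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes CALL C89FEDE5
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1792] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[2884] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85E5CEC5
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Byte(s) <patch> [<image> (<desc>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<export>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes?\s+"
    r"(?P<patch>.+?)"
    r"(?:\s+(?P<image>[A-Za-z]:\\.+?)\s+\((?P<desc>[^)]*)\))?$"
)
DEVICE_RE = re.compile(r"^Device\s+->\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<target>[0-9A-F]{8})$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


def parse_hook(line):
    """Return a dict for one '.text' hook line, or None if the line is not a hook."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["nbytes"] = int(hook["nbytes"])
    kind, _, rest = hook.pop("patch").partition(" ")
    if kind in ("JMP", "CALL"):
        hook["kind"], hook["target"] = kind, rest
    else:
        # Raw byte dump such as "[89]": the tail of a patch GMER reported on the line before.
        hook["kind"], hook["target"] = "bytes", None
    return hook


def classify(hook):
    if hook["image"]:
        return "attributed"    # target resolved to a named image (IEFRAME.dll, mcproxy.dll, ...)
    if hook["kind"] == "bytes":
        return "fragment"      # continuation bytes; judge them with the preceding line
    return "unattributed"      # control transfer into memory GMER could not name


def triage(log_text):
    """Bucket every recognised line of a GMER log; unknown lines are ignored."""
    report = {"attributed": [], "unattributed": [], "fragment": [], "kernel": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hook = parse_hook(line)
        if hook:
            report[classify(hook)].append(hook)
            continue
        dm = DEVICE_RE.match(line)
        if dm:
            report["kernel"].append({"type": "device", **dm.groupdict()})
            continue
        fm = FILE_RE.match(line)
        if fm:
            report["kernel"].append({"type": "modified_file", **fm.groupdict()})
    return report


def shared_unattributed_exports(report, min_processes=2):
    """Exports hooked into unnamed memory in at least min_processes distinct PIDs."""
    pids = defaultdict(set)
    for h in report["unattributed"]:
        pids[f"{h['module']}!{h['export']}"].add(h["pid"])
    return {export for export, owners in pids.items() if len(owners) >= min_processes}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for bucket in ("attributed", "unattributed", "fragment", "kernel"):
        print(f"{bucket:13} {len(r[bucket])}")
    for h in r["unattributed"]:
        print(f"  {h['process']}[{h['pid']}] {h['module']}!{h['export']} {h['kind']} -> {h['target']}")
    print("hooked the same way in >=2 processes:", sorted(shared_unattributed_exports(r)))
    for k in r["kernel"]:
        print("  kernel:", k)
```

An unattributed hook is a triage signal, not a verdict: some security products also patch APIs from memory they allocated at run time, so GMER cannot always name a legitimate owner either. The confirming step, which this script does not do, is to dump the target region from the live process (or from a memory image) and see what code sits there; the kernel lines are listed separately because they concern the disk driver stack rather than any user-mode process.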




#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 07 July 2010 - 01:17 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:

1. Run DDS again and post back DDS.txt and Attach.txt. No need to attach Attach.txt, just post it normally.
2. Run GMER again and post the fresh GMER Log in your next post.

MalWare Removal University Master

Member of ASAP


#3 ScottRecinos

ScottRecinos
  • Topic Starter

  • Members
  • 23 posts

Posted 08 July 2010 - 04:49 AM

I re-ran DDS as you suggested and the DDS.txt and Attach.txt logs are below

I was UNABLE to successfully re-run GMER. I had two hard "blue screen" crashes while it ran. The first crash resulted in the following text:

STOP: c000021e (Fatal System Error) The Windows subsystem system process terminated unexpectedly with a status of 0xc0000005 (0x00090000 0x0293dfc). The system has been shut down.

After the 2nd crash, the following message appeared: STOP: d00000 0000 Unknown hard error. Unknown hard

Thank you in advance for your assistance


DDS (Ver_10-03-17.01) - NTFSx86
Run by Scott at 18:30:47.29 on Wed 07/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.316 [GMT -4:00]

AV: Freedom Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Freedom Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG12.exe
C:\Documents and Settings\Scott\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518090057.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {3DE5D178-BD44-4709-A9CC-3211619A5B19} - No File
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\WECPUpdate.exe -s
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41695A8E-6414-11D4-8FB3-00D0B7730277} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {671289C8-0D4A-4EDC-89DD-458C8AB6977A} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127216826468
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} - hxxp://www.spincam.com/360video/plugins/iVideoViewer3_0.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://phobos.apple.com/detection/ITDetector.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.1.6 HP000D9D084D83

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\gmqmna0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\documents and settings\scott\application data\mozilla\firefox\profiles\gmqmna0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-22 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-22 54776]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-22 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-22 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-22 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-22 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-22 88480]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-22 83496]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2007-12-7 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2007-12-7 545088]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-22 88480]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2007-12-7 19232]

=============== Created Last 30 ================

2010-07-05 13:07:57 0 ----a-w- c:\documents and settings\scott\defogger_reenable
2010-06-26 10:26:28 0 d-----w- c:\temp\r1ptemp39
2010-06-23 21:55:08 0 d-----w- c:\program files\Conduit
2010-06-23 21:55:02 0 d-----w- c:\program files\iUserbar
2010-06-13 22:41:33 516096 ----a-w- c:\windows\system32\CLVSDS.ax
2010-06-13 22:41:33 348160 ----a-w- c:\windows\system32\cdga.dll
2010-06-13 22:41:33 270336 ----a-w- c:\windows\system32\cdg.dll
2010-06-13 22:41:33 14909 ----a-w- c:\windows\system32\A_reg.reg
2010-06-13 22:41:33 110592 ----a-w- c:\windows\system32\PropListCtrl.ocx
2010-06-13 22:16:51 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-07-02 22:38:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 16:24:17 2428596 ----a-w- c:\program files\aoadvdcopy.exe
2010-05-23 14:46:02 5518118 ----a-w- c:\program files\DVD2iPodFull7.27Ekdi.exe
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-08-22 14:19:57 347434768 ----a-w- c:\program files\430_b023_multilanguage.exe
2001-08-18 11:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2004-08-20 03:26:54 1216 --sh--w- c:\windows\Twunk_16.dll
2004-08-20 03:26:54 1216 --sh--w- c:\windows\Twunk_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-05-12 12:36:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 18:39:18.15 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/1/2002 7:00:30 PM
System Uptime: 7/5/2010 3:15:11 PM (51 hours ago)

Motherboard: Intel Corporation | | D845EPT2
Processor: Intel® Pentium® 4 CPU 2.40GHz | X1 | 2392/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 11.612 GiB free.
D: is CDROM ()
E: is CDROM (UDF)
F: is FIXED (NTFS) - 297 GiB total, 100.766 GiB free.
G: is CDROM (UDF)
H: is FIXED (NTFS) - 465 GiB total, 95.111 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1114: 3/17/2010 7:46:42 PM - Software Distribution Service 3.0
RP1115: 3/21/2010 7:16:11 PM - Software Distribution Service 3.0
RP1116: 3/29/2010 1:56:49 AM - System Checkpoint
RP1117: 3/29/2010 10:18:38 AM - Software Distribution Service 3.0
RP1118: 4/4/2010 8:19:21 PM - Software Distribution Service 3.0
RP1119: 4/6/2010 4:12:29 PM - Software Distribution Service 3.0
RP1120: 4/17/2010 7:04:38 AM - Software Distribution Service 3.0
RP1121: 4/17/2010 8:10:08 AM - Software Distribution Service 3.0
RP1122: 5/13/2010 7:15:27 AM - Software Distribution Service 3.0
RP1123: 5/14/2010 1:49:49 AM - Software Distribution Service 3.0
RP1124: 5/14/2010 3:01:34 AM - Software Distribution Service 3.0
RP1125: 5/22/2010 9:46:00 AM - Software Distribution Service 3.0
RP1126: 6/1/2010 3:22:36 PM - Software Distribution Service 3.0
RP1127: 6/3/2010 5:32:18 AM - Software Distribution Service 3.0
RP1128: 6/14/2010 7:46:28 AM - System Checkpoint
RP1129: 7/2/2010 6:37:42 PM - Installed Java™ 6 Update 20

==== Installed Programs ======================


2600
2600_Help
2600Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 8.1.5
Adobe Shockwave Player 11
AiO_Scan
AiOSoftware
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Authentium
AviSynth 2.5
BCM V.92 56K Modem
BlackBerry Desktop Software 4.2.2
BlackBerry Desktop Software 4.3
Bonjour
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Classic PhoneTools
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Cucusoft DVD to iPod Converter 8.01
Dell Modem-On-Hold
Destinations
Digital Line Detect
Director
Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
Drive Manager
Easy CD Creator 5 Basic
EazyPaper
exPressit S.E. 2.1
Fax
FoxyTunes for Firefox
Garmin City Navigator North America NT 2009.11 Update
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Google Toolbar for Internet Explorer
Google Update Helper
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Driver Diagnostics
HP Image Zone 4.7
HP Image Zone Express
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HP Unload DLL Patch
HPODiscovery
HPSystemDiagnostics
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
KB408682
LEGO Creator Knights' Kingdom Demo
LG USB Modem driver
Logitech Desktop Messenger
Logitech MouseWare 9.79.1
Logitech QuickCam Driver Package
Logitech Resource Center
Logitech Webcam Software
Malwarebytes' Anti-Malware
McAfee Internet Security
McAfee Online Backup
McAfee Virtual Technician
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Home Publishing 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Express 7.0
Microsoft Picture It! Photo 2002
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser
Modem Helper
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero OEM
NeroVision Express
NVIDIA DVD Decoder
NVIDIA Windows 2000/XP Display Drivers
Oracle JInitiator 1.1.8.13
Oracle JInitiator 1.1.8.19
overland
Paint Shop Pro 7
Palm Desktop
Palm VersaMail™
PestPatrol SDK
PRO200WL
ProductContext
QFolder
Quicken 2009
QuickTime
Reading Blaster 1st Grade
Readme
RealPlayer
Roxio Media Manager
Santa Cruz
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Sesame Street Elmo's Preschool
Shockwave
Skype™ 3.8
SplashID Standalone Installer
Spybot - Search & Destroy
TrayApp
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2008 wvaiper
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2009 wvaiper
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
U2
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (kb981726)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Broadband Toolbar (IE only)
Verizon Help and Support Tool
Verizon Servicepoint 1.5.12
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Vz In Home Agent
WD Diagnostics
WD Firewire HID Driver
WD SmartWare
WDCSAM Driver
WebFldrs XP
WebReg
WexTech AnswerWorks
Windows Blaster Worm Removal Tool (KB833330)
Windows Defender Signatures
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Essentials Media Codec Pack 2.2
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Works Suite OS Pack
Works Synchronization

==== Event Viewer Messages From Past Week ========

7/5/2010 3:02:17 PM, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 3:02:14 PM, error: Service Control Manager [7034] - The McAfee Online Backup service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 3:02:14 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/5/2010 3:02:14 PM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
7/4/2010 9:28:14 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/4/2010 8:36:38 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/4/2010 8:18:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
7/4/2010 8:18:37 AM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/4/2010 8:18:37 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/4/2010 10:15:53 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
7/4/2010 10:14:03 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Volume Shadow Copy service to connect.
7/4/2010 10:14:03 AM, error: Service Control Manager [7000] - The Volume Shadow Copy service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/4/2010 10:14:02 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
7/3/2010 8:20:53 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.3 with the system having network hardware address 00:1F:3B:B4:AB:A1. Network operations on this system may be disrupted as a result.
7/2/2010 7:21:32 PM, error: Service Control Manager [7022] - The IPv6 Helper Service service hung on starting.
7/2/2010 7:21:32 PM, error: Service Control Manager [7022] - The dvpapi service hung on starting.
7/2/2010 7:19:15 PM, error: Print [19] - Sharing printer failed + 1722, Printer Quicken PDF Printer share name Quicken PDF Printer.
7/2/2010 7:19:08 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/2/2010 7:19:08 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================


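The Event Viewer extract above is worth more than a glance: two McAfee services (McShield and the Validation Trust Protection Service) terminated unexpectedly in the same week that the user reports redirects while every scanner says "clean". Security services dying on their own is a classic tamper indicator. The script below is an added example, not part of the original post or of DDS; it parses lines in the DDS "Event Viewer Messages" format, pulls out Service Control Manager 7031/7034 terminations, and separates security-product services from ordinary ones. The keyword list that decides what counts as a security product is an assumption of this example; the sample lines are constructed copies of the format shown above.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied in the format of the DDS "Event Viewer Messages"
# section above (two security-product services, one ordinary service, an IP conflict,
# and an unrelated disk error) so the triage can be run offline.
EVENT_LINES = """7/5/2010 3:02:17 PM, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 3:02:14 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/4/2010 9:28:14 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/3/2010 8:20:53 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.3 with the system having network hardware address 00:1F:3B:B4:AB:A1. Network operations on this system may be disrupted as a result.
7/2/2010 7:19:08 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
"""

# One DDS event line: "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated")
IP_CONFLICT_RE = re.compile(r"address conflict for IP address (?P<ip>[\d.]+)")

# Assumed keyword list for "security product" services; extend it for the host's own stack.
SECURITY_KEYWORDS = ("mcafee", "mcshield", "freedom", "firewall", "defender",
                     "antivirus", "anti-virus")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Return one dict per line that matches the DDS event format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket SCM 7031/7034 terminations by whether a security product died, plus IP conflicts."""
    result: Dict[str, List[str]] = {
        "security_service_terminations": [],
        "other_service_terminations": [],
        "ip_conflicts": [],
    }
    for ev in parse_events(text):
        if ev["source"] == "Service Control Manager" and ev["id"] in ("7031", "7034"):
            m = TERMINATED_RE.match(ev["msg"])
            if not m:
                continue
            name = m.group("svc")
            is_security = any(k in name.lower() for k in SECURITY_KEYWORDS)
            bucket = "security_service_terminations" if is_security else "other_service_terminations"
            result[bucket].append(name)
        elif ev["source"] == "Tcpip" and ev["id"] == "4199":
            m = IP_CONFLICT_RE.search(ev["msg"])
            if m:
                result["ip_conflicts"].append(m.group("ip"))
    return result


if __name__ == "__main__":
    for bucket, items in triage(EVENT_LINES).items():
        print(f"{bucket}: {items}")
```

Run against the real DDS extract, the "security_service_terminations" bucket is the list to take to the next step: a service that an attacker killed will often show up again in the rootkit scan as a hooked or hidden object.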
#4 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 08 July 2010 - 01:27 PM

The following programs appear in your DDS Log:

AV: Freedom Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Freedom Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}


But they do not appear in your Installed Programs List in Attach.txt. Did you recently/some time ago uninstall Freedom AntiVirus and Firewall?


Since GMER crashed on you, let's try another rootkit scanner:


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modules
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

MalWare Removal University Master

Member of ASAP

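The SysProt steps above produce a long text log, and the useful part of reading it is not the process list but two cross-checks: is anything marked "Hidden: Yes", and does every "Jump To" address in the Kernel Hooks section actually fall inside the base/end range of a listed kernel module (an AV driver such as mfehidk.sys hooking Zw* functions is expected; a hook whose target lives in no listed module is not). The script below is an added example, not part of the original post or of SysProt; it parses the log layout shown later in this thread and performs those checks. Assumptions: the parser keys on the exact section headers and on the sentinel line "No SSDT Hooks found" as they appear in the posted log (an SSDT section that does list hooks would need its own record handling), and the sample log is constructed, with the hidden process and the second hook invented to exercise the checks.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the layout SysProt v1.0.1.0 prints (see the log in this thread).
# The hidden process and the second hook are invented; the mfehidk.sys range and its
# ZwYieldExecution hook copy real entries from the posted log.
SAMPLE_LOG = r"""Process:
Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\notavirus.exe
PID: 2222
Hidden: Yes
Window Visible: No

******************************************************************************************
Kernel Modules:
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: F75FD000
Module End: F765A000
Hidden: No

******************************************************************************************
No SSDT Hooks found

Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 804F0EB6
Jump To: F762FE34
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 805719AC
Jump To: F1234560
Module Name: ---
"""

SECTION_HEADERS = ("Process:", "Kernel Modules:", "Kernel Hooks:")


def parse_sysprot(text: str) -> Dict[str, List[Dict[str, str]]]:
    # Each section holds 'Key: Value' records; a blank line or a row of '*' ends a record.
    sections: Dict[str, List[Dict[str, str]]] = {}
    current: Optional[str] = None
    record: Dict[str, str] = {}

    def flush() -> None:
        nonlocal record
        if current and record:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"*"}:
            flush()
        elif line in SECTION_HEADERS:
            flush()
            current = line[:-1]
            sections.setdefault(current, [])
        elif line == "No SSDT Hooks found":   # assumed: printed only when the SSDT is clean
            flush()
            sections["SSDT"] = []
            current = None
        elif current and ": " in line:
            key, value = line.split(": ", 1)
            record[key] = value.strip()
    flush()
    return sections


def module_for(addr: int, modules: List[Dict[str, str]]) -> Optional[str]:
    # Resolve an address against the [Base, End) ranges of the listed kernel modules.
    for m in modules:
        if int(m["Module Base"], 16) <= addr < int(m["Module End"], 16):
            return m["Module Name"]
    return None


def analyze(text: str) -> Dict[str, object]:
    s = parse_sysprot(text)
    modules = s.get("Kernel Modules", [])
    hooks_by_module: Counter = Counter()
    unattributed: List[str] = []
    for h in s.get("Kernel Hooks", []):
        owner = module_for(int(h["Jump To"], 16), modules)
        if owner is None:          # jump target is in no listed module: inspect by hand
            unattributed.append(h["Hooked Function"])
        else:
            hooks_by_module[owner] += 1
    return {
        "hidden_processes": [f"{p['Name']} (PID {p['PID']})"
                             for p in s.get("Process", []) if p.get("Hidden") == "Yes"],
        "hidden_modules": [m["Module Name"] for m in modules if m.get("Hidden") == "Yes"],
        "ssdt_clean": "SSDT" in s,
        "hooks_by_module": dict(hooks_by_module),
        "unattributed_hooks": unattributed,
    }
```

On the real log posted below, every hook resolves into either mfehidk.sys (McAfee) or css-dvp.sys (the Command Software anti-virus engine left behind by the Freedom Anti-Virus install that the user could not remove), which is consistent with the two AV products fighting over the same hooks rather than with a rootkit; an empty "unattributed_hooks" list and empty hidden lists are the result to look for.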

#5 ScottRecinos

  • Topic Starter
  • Members
  • 23 posts

Posted 08 July 2010 - 03:16 PM

I've tried to uninstall the Freedom Anti virus software on numerous occasions w/o complete success (obviously). I don't need it or want it w/ my McAfee.

Here is the SysProt log. Thanks for your assistance.

The SysProt log:
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\smss.exe
PID: 832
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\csrss.exe
PID: 916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 940
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\lsass.exe
PID: 1000
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1268
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1412
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1520
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1616
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\spoolsv.exe
PID: 1768
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 2044
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PID: 188
Hidden: No
Window Visible: No

Name: C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
PID: 240
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 276
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\Crypserv.exe
PID: 376
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Command Software\dvpapi.exe
PID: 412
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PID: 656
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 740
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PID: 780
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PID: 1056
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Motive\McciCMService.exe
PID: 1404
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PID: 1900
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\HPZipm12.exe
PID: 1988
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PID: 1112
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\TCPSVCS.EXE
PID: 476
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\snmp.exe
PID: 1692
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1252
Hidden: No
Window Visible: No

Name: C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PID: 2076
Hidden: No
Window Visible: No

Name: C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
PID: 2336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 2440
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PID: 2480
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\searchindexer.exe
PID: 2704
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PID: 3024
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\CAL\CALMAIN.exe
PID: 3048
Hidden: No
Window Visible: No

Name: C:\WINDOWS\BCMSMMSG.exe
PID: 3300
Hidden: No
Window Visible: No

Name: C:\Program Files\Verizon\McciTrayApp.exe
PID: 3340
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PID: 3400
Hidden: No
Window Visible: No

Name: C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
PID: 3480
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee.com\Agent\mcagent.exe
PID: 3488
Hidden: No
Window Visible: Yes

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3544
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\ctfmon.exe
PID: 3608
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PID: 3636
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3656
Hidden: No
Window Visible: No

Name: C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
PID: 3684
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 3692
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PID: 552
Hidden: No
Window Visible: No

Name: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PID: 564
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PID: 2700
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\alg.exe
PID: 1648
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PID: 4772
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 4864
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\notepad.exe
PID: 1152
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Verizon\McciBrowser.exe
PID: 4296
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\searchprotocolhost.exe
PID: 2992
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 5420
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1048
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\searchfilterhost.exe
PID: 5104
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Scott\Desktop\SysProt\SysProt.exe
PID: 616
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Scott\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: ED67D000
Module End: ED688000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806EDA80
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EE000
Module End: 8070E300
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7C23000
Module End: F7C25000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7B33000
Module End: F7B36000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F76D4000
Module End: F7702000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7C25000
Module End: F7C27000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F76C3000
Module End: F76D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7723000
Module End: F772D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7CEB000
Module End: F7CEC000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F79A3000
Module End: F79AA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7733000
Module End: F773E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F76A4000
Module End: F76C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F79AB000
Module End: F79B0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7743000
Module End: F7750000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F768C000
Module End: F76A4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7753000
Module End: F775C000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F7763000
Module End: F7770000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F766C000
Module End: F768C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F765A000
Module End: F766C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: F75FD000
Module End: F765A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F7773000
Module End: F777C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F75E6000
Module End: F75FD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F75D3000
Module End: F75E6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7546000
Module End: F75D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F7519000
Module End: F7546000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F74FF000
Module End: F7519000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F7783000
Module End: F778E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tunmp.sys
Service Name: tunmp
Module Base: F74D7000
Module End: F74DA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F7210000
Module End: F7219000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F6BC9000
Module End: F6C90000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6BB5000
Module End: F6BC9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F79D3000
Module End: F79D9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6B91000
Module End: F6BB5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F79DB000
Module End: F79E3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\DM9PCI5.SYS
Service Name: DM9102
Module Base: F79E3000
Module End: F79EB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\BCMSM.sys
Service Name: BCMModem
Module Base: F6A84000
Module End: F6B91000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F6A61000
Module End: F6A84000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F79EB000
Module End: F79F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcspud.sys
Service Name: tbcspud
Module Base: F6A3D000
Module End: F6A61000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcos.sys
Service Name: ---
Module Base: F7C67000
Module End: F7C69000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F71F0000
Module End: F7200000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F74CB000
Module End: F74CF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6A29000
Module End: F6A3D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F71E0000
Module End: F71ED000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F79FB000
Module End: F7A01000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
Service Name: L8042pr2
Module Base: F71D0000
Module End: F71DC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
Service Name: LMouFlt2
Module Base: F71C0000
Module End: F71D0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7A03000
Module End: F7A09000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F71B0000
Module End: F71BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pfc.sys
Service Name: pfc
Module Base: F74C7000
Module End: F74CA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Service Name: MxlW2k
Module Base: F7A0B000
Module End: F7A12000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F71A0000
Module End: F71B0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7190000
Module End: F719F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Service Name: pwd_2k
Module Base: F6A10000
Module End: F6A29000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F7A13000
Module End: F7A19000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serscan.sys
Service Name: StillCam
Module Base: F7C6D000
Module End: F7C6F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7E02000
Module End: F7E03000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mfendisk.sys
Service Name: mfendisk
Module Base: F69B0000
Module End: F69C4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: F7C83000
Module End: F7C85000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F6DE9000
Module End: F6DF6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F74B7000
Module End: F74BA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6999000
Module End: F69B0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F6DD9000
Module End: F6DE4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F6DC9000
Module End: F6DD5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7A1B000
Module End: F7A20000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6988000
Module End: F6999000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F6DB9000
Module End: F6DC2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfeavfk.sys
Service Name: mfeavfk
Module Base: F6964000
Module End: F6988000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfefirek.sys
Service Name: mfefirek
Module Base: F6919000
Module End: F6964000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7A23000
Module End: F7A28000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7A2B000
Module End: F7A30000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Service Name: RimSerPort
Module Base: F7A33000
Module End: F7A3A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F6DA9000
Module End: F6DB3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7C87000
Module End: F7C89000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F6893000
Module End: F68F1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7BBF000
Module End: F7BC3000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mmc_2K.SYS
Service Name: mmc_2K
Module Base: F7A3B000
Module End: F7A41000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F77C3000
Module End: F77CD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F77F3000
Module End: F7802000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7C8B000
Module End: F7C8D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: F7BDF000
Module End: F7BE3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcwdm.sys
Service Name: tbcwdm
Module Base: EFB01000
Module End: EFB87000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: EFADD000
Module End: EFB01000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F7833000
Module End: F7842000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Service Name: gameenum
Module Base: F7BE7000
Module End: F7BEA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F7A43000
Module End: F7A48000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: F7BF7000
Module End: F7BFA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F7A4B000
Module End: F7A52000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\MOBK.sys
Service Name: MOBKFilter
Module Base: EFACA000
Module End: EFADD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7C8D000
Module End: F7C8F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7D25000
Module End: F7D26000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7C8F000
Module End: F7C91000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7A5B000
Module End: F7A62000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7A63000
Module End: F7A69000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7C91000
Module End: F7C93000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7C93000
Module End: F7C95000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Service Name: cdudf_xp
Module Base: EFA70000
Module End: EFAAA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7A6B000
Module End: F7A70000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F7A73000
Module End: F7A7B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Service Name: UdfReadr_xp
Module Base: EFA2B000
Module End: EFA5E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7C1B000
Module End: F7C1E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EF9DE000
Module End: EF9F1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EF985000
Module End: EF9DE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfetdi2k.sys
Service Name: mfetdi2k
Module Base: EF972000
Module End: EF985000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wdcsam.sys
Service Name: WDC_SAM
Module Base: F6909000
Module End: F690C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EF94C000
Module End: EF972000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip6.sys
Service Name: Tcpip6
Module Base: EF914000
Module End: EF94C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EF8EC000
Module End: EF914000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EF8CA000
Module End: EF8EC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7853000
Module End: F785C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EF89F000
Module End: EF8CA000
Hidden: No

Module Name: C:\WINDOWS\system32\ckldrv.sys
Service Name: NetworkX
Module Base: F7A7B000
Module End: F7A80000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EF82F000
Module End: EF89F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7883000
Module End: F788E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ip6fw.sys
Service Name: ip6fw
Module Base: F7893000
Module End: F789C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F78A3000
Module End: F78AC000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EFB8B000
Module End: EFB8E000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7A8B000
Module End: F7A90000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7D7F000
Module End: F7D80000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Service Name: IpFilterDriver
Module Base: F6E29000
Module End: F6E32000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EF693000
Module End: EF697000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Udfs.SYS
Service Name: Udfs
Module Base: EF45E000
Module End: EF46F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EF449000
Module End: EF45E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: F7873000
Module End: F7882000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EF2D6000
Module End: EF303000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7C55000
Module End: F7C57000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\css-dvp.sys
Service Name: CSS DVP
Module Base: EF100000
Module End: EF1BE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: EF0DC000
Module End: EF100000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EEF6D000
Module End: EEFC4000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\NvNdis.sys
Service Name: NvNdis
Module Base: EF094000
Module End: EF09D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EF014000
Module End: EF024000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cfwids.sys
Service Name: cfwids
Module Base: F7953000
Module End: F795F000
Hidden: No

Module Name: C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
Service Name: LVPr2Mon
Module Base: F7A53000
Module End: F7A58000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EDC76000
Module End: EDCB7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfeapfk.sys
Service Name: mfeapfk
Module Base: ED74D000
Module End: ED763000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfebopk.sys
Service Name: mfebopk
Module Base: EEB3D000
Module End: EEB48000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F79F3000
Module End: F79FA000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 804F0EB6
Jump To: F762FE34
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwWriteFile
At Address: 80574DD5
Jump To: EF110E85
Module Name: C:\WINDOWS\system32\DRIVERS\css-dvp.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 805738C6
Jump To: F762FE60
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 805824CC
Jump To: F762FE74
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 80572A6E
Jump To: F762FE0A
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetSecurityObject
At Address: 8059B1F3
Jump To: F762FE20
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetInformationFile
At Address: 80574B2A
Jump To: EF111239
Module Name: C:\WINDOWS\system32\DRIVERS\css-dvp.sys

Hooked Function: ZwRenameKey
At Address: 8064EAEA
Jump To: F762FDDE
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenThread
At Address: 8058E5C4
Jump To: F762FD8C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 805719AC
Jump To: F762FD78
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 80568D48
Jump To: F762FDA0
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 80573D41
Jump To: F762FE4A
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 80592D64
Jump To: F762FDF4
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 80595316
Jump To: F762FDC8
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateSection
At Address: 805652B3
Jump To: EF111DBB
Module Name: C:\WINDOWS\system32\DRIVERS\css-dvp.sys

Hooked Function: ZwCreateKey
At Address: 80570833
Jump To: F762FDB4
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwClose
At Address: 805678CD
Jump To: EF111B50
Module Name: C:\WINDOWS\system32\DRIVERS\css-dvp.sys

Hooked Function: IoCreateFile
At Address: 8056CE43
Jump To: EF1109AA
Module Name: C:\WINDOWS\system32\DRIVERS\css-dvp.sys

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.exe
Status: Access denied



#6 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 08 July 2010 - 07:00 PM

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

MalWare Removal University Master

Member of ASAP


#7 ScottRecinos

ScottRecinos
  • Topic Starter

  • Members
  • 23 posts

Posted 08 July 2010 - 09:34 PM

ComboFix 10-07-07.02 - Scott 07/08/2010 21:26:46.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.596 [GMT -4:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: Freedom Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Freedom Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Scott\GoToAssistDownloadHelper.exe
c:\program files\Shared
C:\test.txt
c:\windows\Downloaded Program Files\ocget.dll
c:\windows\search_res.txt
c:\windows\system\olepro32.dll
c:\windows\system32\tmp.reg
c:\windows\system32\zip32.dll

Infected copy of c:\windows\system32\drivers\RASACD.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP


((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
.

2010-06-26 10:26 . 2010-06-26 10:26 -------- d-----w- c:\temp\r1ptemp39
2010-06-24 21:38 . 2010-06-24 21:38 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Conduit
2010-06-24 21:37 . 2010-06-24 22:03 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\iUserbar
2010-06-23 21:55 . 2010-06-23 21:55 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Conduit
2010-06-23 21:55 . 2010-06-23 21:55 -------- d-----w- c:\program files\Conduit
2010-06-23 21:55 . 2010-06-24 22:08 -------- d-----w- c:\program files\iUserbar
2010-06-13 22:41 . 2010-06-13 22:41 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Cucusoft
2010-06-13 22:41 . 2009-08-12 20:48 270336 ----a-w- c:\windows\system32\cdg.dll
2010-06-13 22:41 . 2006-09-27 21:46 348160 ----a-w- c:\windows\system32\cdga.dll
2010-06-13 22:41 . 2006-07-18 01:42 14909 ----a-w- c:\windows\system32\A_reg.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 00:29 . 2008-01-03 22:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 12:00 . 2010-05-23 23:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-07-04 11:42 . 2010-05-23 16:25 -------- d-----w- c:\program files\AoA DVD Copy
2010-07-02 22:38 . 2010-06-04 19:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-27 13:07 . 2004-08-27 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-27 11:40 . 2004-08-27 02:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-27 11:33 . 2009-03-07 19:12 -------- d-----w- c:\program files\CCleaner
2010-06-13 22:13 . 2005-02-28 22:09 -------- d-----w- c:\program files\Java
2010-06-13 22:11 . 2007-12-10 00:08 -------- d-----w- c:\program files\InterActual
2010-05-30 15:36 . 2010-03-28 20:13 -------- d-----w- c:\documents and settings\Scott\Application Data\Media Player Classic
2010-05-30 15:24 . 2009-12-01 13:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 23:15 . 2010-05-29 23:15 -------- d-----w- c:\documents and settings\Scott\Application Data\EuroTalk
2010-05-23 23:21 . 2002-09-24 03:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-23 23:02 . 2010-05-23 23:02 -------- d-----w- c:\program files\Common Files\Common Share
2010-05-23 16:26 . 2010-05-23 16:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-23 16:24 . 2010-05-23 16:23 2428596 ----a-w- c:\program files\aoadvdcopy.exe
2010-05-23 14:53 . 2010-03-28 19:23 -------- d-----w- c:\program files\Cucusoft
2010-05-23 14:46 . 2010-05-23 14:45 5518118 ----a-w- c:\program files\DVD2iPodFull7.27Ekdi.exe
2010-05-22 21:06 . 2010-05-22 21:04 -------- d-----w- c:\program files\iTunes
2010-05-22 21:04 . 2004-09-03 11:09 -------- d-----w- c:\program files\iPod
2010-05-22 21:04 . 2007-11-10 16:47 -------- d-----w- c:\program files\Common Files\Apple
2010-05-22 20:46 . 2010-05-22 20:46 -------- d-----w- c:\program files\Bonjour
2010-05-21 18:14 . 2009-10-02 19:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 21:15 . 2008-10-04 11:59 -------- d-----w- c:\program files\Verizon
2010-05-15 14:16 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Scott\Application Data\CameraWindowDC
2010-05-14 07:07 . 2008-05-04 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-29 19:39 . 2009-12-01 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-01 13:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16 . 2010-03-23 02:19 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-03-23 02:19 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-03-23 02:19 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-03-23 02:19 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-03-23 02:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-03-23 02:19 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-03-23 02:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 21:16 . 2010-03-23 02:19 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-01-05 22:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-01-05 22:04 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-08-22 14:19 . 2009-08-22 14:15 347434768 ----a-w- c:\program files\430_b023_multilanguage.exe
2010-04-27 21:16 . 2010-03-23 02:19 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2001-08-18 11:00 . 2001-08-18 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2001-08-18 11:00 50688 --sh--w- c:\windows\twain_32.dll
2004-08-20 03:26 . 2004-08-20 03:26 1216 --sh--w- c:\windows\Twunk_16.dll
2004-08-20 03:26 . 2004-08-20 03:26 1216 --sh--w- c:\windows\Twunk_32.dll
2008-04-14 00:11 . 2001-08-18 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2001-08-18 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2001-08-18 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2001-08-18 11:00 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2001-08-18 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 01:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 01:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 01:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-01-25 196608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 21:44 679936 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 21:21 169328 ----a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 19:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2003-10-01 15:01 114688 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-10 01:50 155648 ----a-r- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-12-21 20:31 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-21 20:31 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-02-03 21:18 364544 ----a-w- c:\windows\SYSTEM32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2004-08-06 19:33 2502656 ------w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\LEGO Media\\Games\\LEGO Chess\\Lego Chess.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/22/2010 10:19 PM 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\SYSTEM32\DRIVERS\MOBK.sys [3/22/2010 10:22 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/22/2010 10:19 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/22/2010 10:19 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/22/2010 10:19 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/22/2010 10:20 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/22/2010 10:19 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 9:14 PM 229688]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 3:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 10:58 AM 20480]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/22/2010 10:19 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/22/2010 10:19 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/22/2010 10:19 PM 88480]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [12/7/2007 4:13 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [12/7/2007 4:13 PM 545088]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 5:06 PM 11520]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:08 AM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/22/2010 10:19 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/22/2010 10:19 PM 83496]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [12/7/2007 4:13 PM 19232]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cabca6e3739eb8.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 15:08]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 15:08]

2010-07-09 c:\windows\Tasks\User_Feed_Synchronization-{8B515F78-A74D-46BF-9167-FE3BE2F90797}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-09 c:\windows\Tasks\User_Feed_Synchronization-{FB94AA82-9357-4196-B559-67E8970AB463}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} - hxxp://www.spincam.com/360video/plugins/iVideoViewer3_0.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\gmqmna0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\gmqmna0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-Freedom - c:\program files\Zero Knowledge\Freedom\Freedom.exe
MSConfigStartUp-Lexmark X83 Button Manager - c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe
MSConfigStartUp-Lexmark X83 Button Monitor - c:\progra~1\LEXMAR~1\ACMonitor_X83.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
AddRemove-Reading Blaster 1st Grade - D:\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 22:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2382750585-97400744-4212676017-1015\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\sxs.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\rundll32.exe
c:\windows\BCMSMMSG.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-07-08 22:22:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-09 02:22

Pre-Run: 12,379,725,824 bytes free
Post-Run: 18,724,483,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 73730D82AA01A129BAAB72C573042429


#8 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 09 July 2010 - 01:27 PM

Step # 1: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    SecCenter::

    AV: Freedom Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: Freedom Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

    DDS::

    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: {3DE5D178-BD44-4709-A9CC-3211619A5B19} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on scottrecinos's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

MalWare Removal University Master

Member of ASAP
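An added note on the CFScript above (example code written for this page; it is not a BleepingComputer, ComboFix or DDS tool and was not part of km2357's post): both sections the helper filled in can be read straight off a DDS log. The SecCenter:: block repeats the AV:/FW: header lines of a product that is no longer installed but is still registered with Windows Security Center, and the DDS:: block repeats the BHO:/TB:/EB: entries whose CLSID resolves to "No File". The Python below parses those two kinds of line and drafts both sections. Its sample input is constructed from lines in this thread's own logs (the CLSIDs are the ones listed in post #8); the rule it uses to decide which Security Center entries are stale is my assumption, not anything the helper stated.

```python
"""Draft a ComboFix CFScript from DDS log lines.

Added example for this thread (not a BleepingComputer or ComboFix tool).
It reads two kinds of DDS lines: the AV:/FW: Security Center header lines and
the "Pseudo HJT Report" extension entries (BHO:, TB:, EB:, URLSearchHooks),
then emits the SecCenter:: and DDS:: sections in the shape used in post #8.
The output is a draft for a human to review; a CFScript is machine-specific.
"""
import re

# "AV: <product> *<status>* (Updated|Outdated) {CLSID}"; the (Updated) part
# is absent on the FW: lines in the logs above.
_PRODUCT_RE = re.compile(
    r'^(?P<kind>AV|FW|AS):\s*(?P<product>.+?)\s*\*(?P<status>[^*]+)\*'
    r'(?:\s*\((?P<freshness>Updated|Outdated)\))?\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})$'
)

# "BHO: <friendly name>: {CLSID} - <dll path>" or, when the CLSID has no
# friendly name any more, "TB: {CLSID} - No File".
_ENTRY_RE = re.compile(
    r'^(?P<kind>BHO|TB|EB|uURLSearchHooks|mURLSearchHooks):\s*'
    r'(?:(?P<name>.*?):\s*)?(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.+?)$'
)


def parse_dds(lines):
    """Return (products, entries): lists of dicts with the regex groups plus 'raw'."""
    products, entries = [], []
    for line in lines:
        text = line.strip()
        m = _PRODUCT_RE.match(text)
        if m:
            products.append({**m.groupdict(), 'raw': text})
            continue
        m = _ENTRY_RE.match(text)
        if m:
            entries.append({**m.groupdict(), 'raw': text})
    return products, entries


def stale_products(products):
    """Security Center registrations that look stale.

    Heuristic (my assumption, not a rule stated in the thread): any product
    flagged (Outdated), plus every other entry from the same vendor, taken as
    the first word of the product name, because the Freedom firewall above
    shows as *enabled* yet belongs to the same uninstalled suite.  "disabled"
    on its own is deliberately not used: the second DDS log in this thread
    was taken right after ComboFix ran and shows the live McAfee product as
    disabled too.
    """
    vendors = {p['product'].split()[0] for p in products if p['freshness'] == 'Outdated'}
    return [p for p in products if p['product'].split()[0] in vendors]


def orphaned_entries(entries):
    """Extension entries whose CLSID resolves to no file on disk."""
    return [e for e in entries if e['target'].strip().lower() == 'no file']


def build_cfscript(lines):
    """Assemble KILLALL:: / SecCenter:: / DDS:: sections as a single string."""
    products, entries = parse_dds(lines)
    out = ['KILLALL::', '']
    stale = stale_products(products)
    if stale:
        out += ['SecCenter::', ''] + [p['raw'] for p in stale] + ['']
    orphans = orphaned_entries(entries)
    if orphans:
        out += ['DDS::', ''] + [e['raw'] for e in orphans] + ['']
    return '\n'.join(out)


# Constructed sample: header and HJT-style lines copied from the DDS logs in
# this thread (the "No File" CLSIDs are the ones the helper listed in post #8).
SAMPLE_DDS = r"""
AV: Freedom Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Freedom Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {3DE5D178-BD44-4709-A9CC-3211619A5B19} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
"""

if __name__ == '__main__':
    print(build_cfscript(SAMPLE_DDS.splitlines()))
```

Running it prints a draft with the same SecCenter:: and DDS:: contents as the script in post #8. Treat the output as something to check by hand, exactly as the post warns: a CFScript is specific to one machine, and the "same vendor" guess based on the first word of a product name is a heuristic that can misfire on suites with unrelated names.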


#9 ScottRecinos

  • Topic Starter

Posted 11 July 2010 - 08:32 AM

Thank you for your continued assistance. I'm out of town this weekend and will implement the next recommended step tomorrow evening and post the results. Thanks again.

#10 km2357

  • Malware Response Team

Posted 11 July 2010 - 11:55 AM

Ok, thanks for letting me know.



#11 ScottRecinos

  • Topic Starter

Posted 12 July 2010 - 02:57 PM

ComboFix 10-07-11.07 - Scott 07/12/2010 14:52:37.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -4:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 00:29 . 2008-01-03 22:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 12:00 . 2010-05-23 23:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-07-04 11:42 . 2010-05-23 16:25 -------- d-----w- c:\program files\AoA DVD Copy
2010-07-02 22:38 . 2010-06-04 19:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-27 13:07 . 2004-08-27 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-27 11:40 . 2004-08-27 02:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-27 11:33 . 2009-03-07 19:12 -------- d-----w- c:\program files\CCleaner
2010-06-24 22:08 . 2010-06-23 21:55 -------- d-----w- c:\program files\iUserbar
2010-06-23 21:55 . 2010-06-23 21:55 -------- d-----w- c:\program files\Conduit
2010-06-13 22:13 . 2005-02-28 22:09 -------- d-----w- c:\program files\Java
2010-06-13 22:11 . 2007-12-10 00:08 -------- d-----w- c:\program files\InterActual
2010-05-30 15:36 . 2010-03-28 20:13 -------- d-----w- c:\documents and settings\Scott\Application Data\Media Player Classic
2010-05-30 15:24 . 2009-12-01 13:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 23:15 . 2010-05-29 23:15 -------- d-----w- c:\documents and settings\Scott\Application Data\EuroTalk
2010-05-23 23:21 . 2002-09-24 03:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-23 23:02 . 2010-05-23 23:02 -------- d-----w- c:\program files\Common Files\Common Share
2010-05-23 16:26 . 2010-05-23 16:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-23 16:24 . 2010-05-23 16:23 2428596 ----a-w- c:\program files\aoadvdcopy.exe
2010-05-23 14:53 . 2010-03-28 19:23 -------- d-----w- c:\program files\Cucusoft
2010-05-23 14:46 . 2010-05-23 14:45 5518118 ----a-w- c:\program files\DVD2iPodFull7.27Ekdi.exe
2010-05-22 21:06 . 2010-05-22 21:04 -------- d-----w- c:\program files\iTunes
2010-05-22 21:04 . 2004-09-03 11:09 -------- d-----w- c:\program files\iPod
2010-05-22 21:04 . 2007-11-10 16:47 -------- d-----w- c:\program files\Common Files\Apple
2010-05-22 20:46 . 2010-05-22 20:46 -------- d-----w- c:\program files\Bonjour
2010-05-21 18:14 . 2009-10-02 19:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 21:15 . 2008-10-04 11:59 -------- d-----w- c:\program files\Verizon
2010-05-15 14:16 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Scott\Application Data\CameraWindowDC
2010-05-14 07:07 . 2008-05-04 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-29 19:39 . 2009-12-01 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-01 13:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16 . 2010-03-23 02:19 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-03-23 02:19 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-03-23 02:19 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-03-23 02:19 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-03-23 02:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-03-23 02:19 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-03-23 02:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 21:16 . 2010-03-23 02:19 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-01-05 22:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-01-05 22:04 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-08-22 14:19 . 2009-08-22 14:15 347434768 ----a-w- c:\program files\430_b023_multilanguage.exe
2010-04-27 21:16 . 2010-03-23 02:19 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2001-08-18 11:00 . 2001-08-18 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2001-08-18 11:00 50688 --sh--w- c:\windows\twain_32.dll
2004-08-20 03:26 . 2004-08-20 03:26 1216 --sh--w- c:\windows\Twunk_16.dll
2004-08-20 03:26 . 2004-08-20 03:26 1216 --sh--w- c:\windows\Twunk_32.dll
2008-04-14 00:11 . 2001-08-18 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2001-08-18 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2001-08-18 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2001-08-18 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 01:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 01:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 01:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-01-25 196608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-29 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-9-23 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 21:44 679936 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 21:21 169328 ----a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 19:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2003-10-01 15:01 114688 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-10 01:50 155648 ----a-r- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-12-21 20:31 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-21 20:31 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-02-03 21:18 364544 ----a-w- c:\windows\SYSTEM32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2004-08-06 19:33 2502656 ------w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\LEGO Media\\Games\\LEGO Chess\\Lego Chess.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/22/2010 10:19 PM 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\SYSTEM32\DRIVERS\MOBK.sys [3/22/2010 10:22 PM 54776]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/22/2010 10:19 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/22/2010 10:19 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/22/2010 10:19 PM 88480]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [12/7/2007 4:13 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [12/7/2007 4:13 PM 545088]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 5:06 PM 11520]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:08 AM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/22/2010 10:19 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/22/2010 10:19 PM 83496]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [12/7/2007 4:13 PM 19232]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cabca6e3739eb8.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 15:08]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 15:08]

2010-07-12 c:\windows\Tasks\User_Feed_Synchronization-{8B515F78-A74D-46BF-9167-FE3BE2F90797}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-12 c:\windows\Tasks\User_Feed_Synchronization-{FB94AA82-9357-4196-B559-67E8970AB463}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} - hxxp://www.spincam.com/360video/plugins/iVideoViewer3_0.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\gmqmna0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\gmqmna0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 15:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2382750585-97400744-4212676017-1015\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6104)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\program files\McAfee Online Backup\MOBKbackup.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\rundll32.exe
c:\windows\BCMSMMSG.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-07-12 15:31:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 19:31
ComboFix2.txt 2010-07-09 02:22

Pre-Run: 18,510,958,592 bytes free
Post-Run: 18,508,779,520 bytes free

- - End Of File - - 582CD1EB83902DFA84E370EE61B7FCC6

DDS (Ver_10-03-17.01) - NTFSx86
Run by Scott at 15:32:50.51 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.551 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Scott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518090057.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\WECPUpdate.exe -s
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41695A8E-6414-11D4-8FB3-00D0B7730277} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {671289C8-0D4A-4EDC-89DD-458C8AB6977A} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127216826468
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} - hxxp://www.spincam.com/360video/plugins/iVideoViewer3_0.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://phobos.apple.com/detection/ITDetector.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\gmqmna0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\documents and settings\scott\application data\mozilla\firefox\profiles\gmqmna0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-22 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-22 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-22 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-22 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-22 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-22 152320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-22 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-22 88480]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2007-12-7 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2007-12-7 545088]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-22 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-22 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-22 83496]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2007-12-7 19232]

=============== Created Last 30 ================

2010-07-09 01:09:21 0 d-sha-r- C:\cmdcons
2010-07-09 00:48:06 98816 ----a-w- c:\windows\sed.exe
2010-07-09 00:48:06 77312 ----a-w- c:\windows\MBR.exe
2010-07-09 00:48:06 256512 ----a-w- c:\windows\PEV.exe
2010-07-09 00:48:06 161792 ----a-w- c:\windows\SWREG.exe
2010-07-05 13:07:57 0 ----a-w- c:\documents and settings\scott\defogger_reenable
2010-06-26 10:26:28 0 d-----w- c:\temp\r1ptemp39
2010-06-23 21:55:08 0 d-----w- c:\program files\Conduit
2010-06-23 21:55:02 0 d-----w- c:\program files\iUserbar
2010-06-13 22:41:33 516096 ----a-w- c:\windows\system32\CLVSDS.ax
2010-06-13 22:41:33 348160 ----a-w- c:\windows\system32\cdga.dll
2010-06-13 22:41:33 270336 ----a-w- c:\windows\system32\cdg.dll
2010-06-13 22:41:33 14909 ----a-w- c:\windows\system32\A_reg.reg
2010-06-13 22:41:33 110592 ----a-w- c:\windows\system32\PropListCtrl.ocx
2010-06-13 22:16:51 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-07-02 22:38:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 16:24:17 2428596 ----a-w- c:\program files\aoadvdcopy.exe
2010-05-23 14:46:02 5518118 ----a-w- c:\program files\DVD2iPodFull7.27Ekdi.exe
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-08-22 14:19:57 347434768 ----a-w- c:\program files\430_b023_multilanguage.exe
2001-08-18 11:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2004-08-20 03:26:54 1216 --sh--w- c:\windows\Twunk_16.dll
2004-08-20 03:26:54 1216 --sh--w- c:\windows\Twunk_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-05-12 12:36:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 15:33:49.03 ===============


#12 km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:47 AM

Posted 12 July 2010 - 06:36 PM

Step # 1 Remove old versions of Java

Older Java versions have vulnerabilities and need to be removed.

Go to Start > Settings > Control Panel, click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

Java 2 Runtime Environment Standard Edition v1.3.1_04

Java 2 Runtime Environment, SE v1.4.1_02

Java 2 Runtime Environment, SE v1.4.2

Java tm 6 Update 3

Java tm 6 Update 5

Java tm 6 Update 7


Reboot your Computer.



Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
  • Then select the items you wish to clean up.
  • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
  • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop-up box will appear advising that this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click Exit when done.
  • If it asks you to reboot at the end, click NO



Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post the MalwareBytes' Log in your next post/reply.

MalWare Removal University Master

Member of ASAP

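The Java entries km2357 asks to remove can be read straight off the DDS log posted above: Sun registered each JRE plug-in under a static CLSID of the form {CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA}, whose three middle fields are zero-padded decimal major, minor and update numbers, so {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} is 1.6.0_03 ("Java 6 Update 3") and {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} is 1.4.2. The script below is an added example, not part of this thread or of the DDS tool: it decodes those CLSIDs from the DPF and Firefox HiddenExtension lines, lists every version referenced and flags all but the newest as uninstall candidates. The SAMPLE_LOG is a constructed excerpt of the log above. Caveat: a DPF entry is a record that the plug-in CAB was registered with Internet Explorer at some point and can outlive the JRE it installed, so treat the output as a triage list to check against Add/Remove Programs, not as proof that a version is still on disk.

```python
"""Decode installed Java versions from the CAFEEFAC plug-in CLSIDs in a DDS log.

Added example for this thread; it is not the helper's tool or DDS's own code.
"""
import re
from typing import List, Optional, Tuple

# (1, 6, 0, 20) == Java 1.6.0_20 == "Java 6 Update 20"
Version = Tuple[int, int, int, int]

# Sun's static plug-in CLSID: {CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA}.
# The three middle fields are zero-padded decimal major/minor/update numbers.
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-(?P<major>[0-9A-F]{4})-(?P<minor>[0-9A-F]{4})"
    r"-(?P<update>[0-9A-F]{4})-ABCDEFFEDCBA\}",
    re.IGNORECASE,
)

# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
"""


def decode_clsid(text: str) -> Optional[Version]:
    """Decode the first Java plug-in CLSID found in `text`.

    Returns (1, major, minor, update), or None when there is no such CLSID
    or it is the all-F wildcard form, which means "whichever JRE is newest"
    and names no version of its own.
    """
    m = JAVA_CLSID.search(text)
    if m is None:
        return None
    try:
        major, minor, update = (int(m.group(g), 10) for g in ("major", "minor", "update"))
    except ValueError:  # hex letters, e.g. the FFFF wildcard: not a real version
        return None
    # "0016" -> 16 -> 1.6: the CLSID keeps the legacy "1." prefix as its first digit.
    return (major // 10, major % 10, minor, update)


def format_version(v: Version) -> str:
    """Render like Sun's product names: (1,4,2,0) -> '1.4.2', (1,6,0,3) -> '1.6.0_03'."""
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return base if v[3] == 0 else f"{base}_{v[3]:02d}"


def find_java_versions(log_text: str) -> List[Version]:
    """Every distinct JRE version referenced by a CAFEEFAC CLSID, oldest first."""
    found = set()
    for line in log_text.splitlines():
        v = decode_clsid(line)
        if v is not None:
            found.add(v)
    return sorted(found)


def stale_versions(log_text: str) -> List[Version]:
    """All versions older than the newest one referenced: the uninstall candidates."""
    return find_java_versions(log_text)[:-1]  # sorted, so everything but the last is older


if __name__ == "__main__":
    stale = set(stale_versions(SAMPLE_LOG))
    for v in find_java_versions(SAMPLE_LOG):
        print(format_version(v), "<- uninstall candidate" if v in stale else "<- newest referenced")
```

Run against the full log above, the same code also picks up the 1.5.0_06/_10/_11 and 1.6.0_01 CABs that the DPF section lists but the helper's uninstall list does not; that difference is exactly the DPF-outlives-the-JRE caveat, and Add/Remove Programs decides which of them are real.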

#13 ScottRecinos (Topic Starter)

  • Members
  • 23 posts
  • OFFLINE
  • Local time:12:47 PM

Posted 13 July 2010 - 03:45 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4308

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/13/2010 5:48:06 AM
mbam-log-2010-07-13 (05-48-06).txt

Scan type: Quick scan
Objects scanned: 182333
Time elapsed: 14 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:47 AM

Posted 13 July 2010 - 06:19 PM

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)
  • First, go to Add/Remove Programs and uninstall Adobe Reader 8.1.5.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.3.3 is a large program and if you prefer a smaller program you can get Foxit 4.0.0 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 4.0.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.



In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?

MalWare Removal University Master

Member of ASAP


#15 ScottRecinos (Topic Starter)

  • Members
  • 23 posts
  • OFFLINE
  • Local time:12:47 PM

Posted 14 July 2010 - 01:05 PM

I was able to uninstall the Adobe Reader 8.1.5 and install 9.3.3. However, I've been unable to get Kaspersky software to run. The website loads up, indicates my computer is compatible w/ the software, I accept the T&C's and then a pop-up window opens up that states "Launch of the Java application is interrupted. Please establish an uninterrupted internet connection for work with this program". I tried it several times last night and again today (after also re-booting several times) and keep getting the same error message. (I also tried it on a laptop I own and it worked fine).

WRT how things are going, I've definitely seen some improvements. The re-directing appears to have stopped and my browser seems much faster, except for the last 2 nights when around 9 PM EDT my browser (and computer) grind to a halt. Last night before I logged off, my CPU was running at 100% w/ no programs opened (I tried to launch IE 8 and nothing happened for 10 minutes before I bailed and went to bed).

Thank you for your continued assistance. I see a light at the end of the tunnel.
