Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Hiloti Trojan


  • This topic is locked This topic is locked
14 replies to this topic

#1 pyle1999

pyle1999

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 11 July 2010 - 08:48 PM

About two weeks ago, my web browser started randomly displaying pop ups without any warning. It is not overwhelming in that one only pops up about every other hour, but still I was immediately alarmed. I also noticed that whenever I use my Google toolbar to search the internet, it instead takes me to a spam site. I have tried several different malware removal tools both in safe mode and otherwise (including Malwarebyte and Spybot). Malwarebyte detected and removed both the Hiloti trojan and Malware Defense, however the Hiloti trojan seems to perpetuate itself. It seems to be regularly installing other malware onto my system, which also fits its description.

More recently Firefox has started to crash and also to considerably slow down. I've noticed through task manager that both Firefox and the svhost processes take considerably more memory to run. Also Firefox crashes much more often and sometimes the svhost process terminates without warning.

I've included both DDS files, however GMER appears to make my system crash each time I try to run it. It scans perfectly fine for about an hour, but then I get the blue screen of death listed that the system shut down due to a 'hard error'. If needed I could feasibly post the GMER file without scanning the files (it seems to crash during this part of the scan).

Thanks for your time.

DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Sue H Coffman at 18:52:16.68 on Fri 07/09/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2005.1106 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\inetsrv\svchost.exe /service
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Sue H Coffman\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Documents and Settings\Sue H Coffman\My Documents\downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=14986&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ftp.newaol.com/aoltoolbar/download.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\sue h coffman\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: {B67514D9-A114-4BB3-A0C9-CEED9B174BDF} = 66.174.95.44 69.78.96.14
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\suehco~1\applic~1\mozilla\firefox\profiles\r29mfc8c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BT3&o=14987&locale=en_US&q=
FF - plugin: c:\documents and settings\sue h coffman\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-1 214664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-1 144704]
R2 svchost32;Windows Service Manager;c:\windows\system32\inetsrv\svchost.exe /service [2010-6-30 42436]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-1 40552]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-7-23 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-7-23 14336]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S1 H86T5D2;H86T5D2;c:\windows\system32\drivers\H86T5D2.sys [2004-8-11 295168]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-29 135664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-1 34248]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]

=============== Created Last 30 ================

2010-07-09 16:13:27 440 --sha-r- c:\documents and settings\sue h coffman\ntuser.pol
2010-07-09 16:11:59 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-03 09:12:14 0 d-----w- c:\windows\system32\msapps
2010-06-30 21:56:47 3094 ----a-w- c:\windows\system32\tmp.reg
2010-06-30 05:00:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 05:00:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-29 22:40:52 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-29 22:40:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-29 03:55:04 0 d-sha-r- C:\cmdcons
2010-06-28 00:15:59 120 ----a-w- c:\windows\Cbutebevami.dat
2010-06-28 00:15:59 0 ----a-w- c:\windows\Onolo.bin
2010-06-14 05:10:44 0 d-----w- c:\program files\Rosetta Stone
2010-06-14 05:10:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone

==================== Find3M ====================

2094-01-28 01:15:14 42512 ----a-w- c:\windows\fonts\a\AnkeCalligraph.ttf
2094-01-20 02:55:14 48268 ----a-w- c:\windows\fonts\a\Anke Print.ttf
2010-04-16 12:54:02 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

============= FINISH: 18:52:48.37 ===============

Attached Files


Edited by pyle1999, 11 July 2010 - 08:51 PM.


BC AdBot (Login to Remove)

 


#2 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 15 July 2010 - 05:29 PM

Update: I finally ran GMER in safe mode. While it didn't list any of the problems that it listed in 'normal' mode, I did at least deduct that no files were the problem. So then I ran GMER and stopped the scan after it reached the files. Attached is the Ark.txt.

Attached Files

  • Attached File  Ark.txt   303.98KB   2 downloads


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 16 July 2010 - 02:39 AM

Hello, pyle1999.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 16 July 2010 - 08:16 PM

Again running GMER was problematic. It stalled then crashed after running it both with only IAT/EAT, other drives, and show all disabled; then again after I tried disabling Devices as well. It did work after disabling Files as well (and like I noted in my previous post, I successfully ran a GMER scan with files enabled in safe mode that detected no problems). I've included the GMER log with IAT/EAT, other drives, files, and show all disabled.

Thanks again! This trojan is driving me nuts...

Logfile of random's system information tool 1.08 (written by random/random)
Run by Sue H Coffman at 2010-07-16 09:56:20
Microsoft Windows XP Professional Service Pack 2
System drive C: has 111 GB (73%) free of 153 GB
Total RAM: 2005 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:56:54, on 7/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Sue H Coffman\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sue H Coffman\My Documents\downloads\RSIT(2).exe
C:\Program Files\trend micro\Sue H Coffman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080716
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ftp.newaol.com/aoltoolbar/download.html
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ursssqsys] rundll32.exe "ursttu.dll",DllRegisterServer
O4 - HKLM\..\Run: [dddabadrv] rundll32.exe "bywwvt.dll",s
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wvvwtsdrv] rundll32.exe "bywwvt.dll",s
O4 - HKUS\S-1-5-18\..\Run: [cbbxwvsys] rundll32.exe "ursttu.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nnkjhfdrv] rundll32.exe "bywwvt.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbbxwvsys] rundll32.exe "ursttu.dll",DllRegisterServer (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B67514D9-A114-4BB3-A0C9-CEED9B174BDF}: NameServer = 66.174.95.44 69.78.96.14
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMServer - Unknown owner - C:\WINDOWS\system32\msapps\comsrvr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sentinel HASP License Manager (hasplms) - SafeNet Inc. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11461 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005UA.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}]
WsftpBrowserHelper Class - C:\Program Files\WS_FTP Pro\wsbho2k0.dll [2003-05-23 131118]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-07-14 278192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-06-14 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-07-14 278192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-06-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-06-28 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-06-28 137752]
"PMX Daemon"=C:\WINDOWS\system32\ICO.EXE [2006-11-08 49152]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-09-24 1036288]
"PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2007-09-17 124200]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-16 29744]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2008-02-26 17920]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2008-07-23 26112]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-07-23 98304]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"ursssqsys"=ursttu.dll,DllRegisterServer []
"dddabadrv"=bywwvt.dll,s []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-16 68856]
"Google Update"=C:\Documents and Settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 135664]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"wvvwtsdrv"=bywwvt.dll,s []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-28 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-05-09 52224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
ursttu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\H86T5D2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\H86T5D2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoRun"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1216861828\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1216861828\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\1216861828\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1216861828\EE\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\WINDOWS\system32\hasplms.exe"="C:\WINDOWS\system32\hasplms.exe:*:Enabled:HASP LLM"
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application"
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Online Component"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Online Component"
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application"

======List of files/folders created in the last 1 months======

2010-07-16 09:56:21 ----D---- C:\Program Files\trend micro
2010-07-16 09:56:20 ----D---- C:\rsit
2010-07-15 07:45:35 ----ASH---- C:\hiberfil.sys
2010-07-13 19:05:38 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-07-13 19:05:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-13 19:05:36 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-07-11 22:05:10 ----AH---- C:\WINDOWS\system32\bywwvt.dll
2010-07-11 22:00:07 ----AH---- C:\WINDOWS\system32\ursttu.dll
2010-07-09 12:11:59 ----HD---- C:\WINDOWS\system32\GroupPolicy
2010-07-03 05:12:14 ----D---- C:\WINDOWS\system32\msapps
2010-06-30 17:20:46 ----SHD---- C:\RECYCLER
2010-06-30 00:04:38 ----A---- C:\ComboFix.txt
2010-06-29 18:40:52 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-06-29 18:40:52 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-29 11:09:02 ----A---- C:\WINDOWS\system32\tmp.txt
2010-06-29 11:09:00 ----A---- C:\rapport.txt
2010-06-28 23:55:08 ----A---- C:\Boot.bak
2010-06-28 23:55:04 ----RASHD---- C:\cmdcons
2010-06-28 23:46:13 ----D---- C:\WINDOWS\ERDNT
2010-06-28 23:42:37 ----D---- C:\Qoobox
2010-06-28 21:40:44 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2010-07-16 09:56:52 ----A---- C:\WINDOWS\ModemLog_Novatel Wireless Modem #2.txt
2010-07-16 09:56:30 ----D---- C:\WINDOWS\Temp
2010-07-16 09:56:28 ----D---- C:\WINDOWS\Prefetch
2010-07-16 09:56:21 ----D---- C:\Program Files
2010-07-16 09:53:07 ----D---- C:\Program Files\Mozilla Firefox
2010-07-15 22:47:41 ----D---- C:\WINDOWS
2010-07-15 22:47:23 ----D---- C:\MDT
2010-07-15 22:47:03 ----D---- C:\WINDOWS\system32\drivers
2010-07-15 22:45:55 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-07-15 20:06:25 ----D---- C:\WINDOWS\system32
2010-07-15 07:52:04 ----D---- C:\Documents and Settings\Sue H Coffman\Application Data\Adobe
2010-07-14 11:55:48 ----SHD---- C:\WINDOWS\Installer
2010-07-12 00:03:07 ----D---- C:\Documents and Settings\Sue H Coffman\Application Data\BitTorrent
2010-07-11 16:45:54 ----D---- C:\WINDOWS\system32\inetsrv
2010-07-09 09:03:17 ----RD---- C:\WINDOWS\Offline Web Pages
2010-07-08 21:52:17 ----D---- C:\WINDOWS\system32\FxsTmp
2010-07-07 23:56:37 ----D---- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
2010-07-03 12:58:27 ----SHD---- C:\System Volume Information
2010-07-03 12:58:27 ----D---- C:\WINDOWS\system32\Restore
2010-07-03 12:58:05 ----HD---- C:\WINDOWS\$hf_mig$
2010-07-01 09:24:46 ----D---- C:\WINDOWS\Minidump
2010-06-30 08:00:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-06-30 00:03:41 ----A---- C:\WINDOWS\system.ini
2010-06-30 00:03:36 ----D---- C:\WINDOWS\system32\drivers\etc
2010-06-30 00:01:57 ----D---- C:\WINDOWS\AppPatch
2010-06-30 00:01:57 ----D---- C:\Program Files\Common Files
2010-06-30 00:01:54 ----D---- C:\WINDOWS\system32\CatRoot2
2010-06-29 20:48:00 ----A---- C:\WINDOWS\wininit.ini
2010-06-28 23:55:08 ----RASH---- C:\boot.ini
2010-06-28 22:16:25 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2010-06-28 19:05:03 ----RSD---- C:\WINDOWS\assembly
2010-06-28 07:46:46 ----D---- C:\WINDOWS\Debug
2010-06-27 22:11:40 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-06-21 10:37:40 ----D---- C:\Program Files\McAfee

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2007-07-23 14576]
R0 DRVMCDB;DRVMCDB; C:\WINDOWS\System32\Drivers\DRVMCDB.SYS [2007-07-23 99808]
R0 iaStor;Intel AHCI Controller; C:\WINDOWS\system32\drivers\iaStor.sys [2007-12-03 308248]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2008-06-16 44944]
R0 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-04-11 82944]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R2 aksfridge;aksfridge; \??\C:\WINDOWS\system32\drivers\aksfridge.sys []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2008-07-23 8552]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R2 hardlock;hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-09-24 307712]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-07-23 45056]
R3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2001-08-17 19200]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-28 5761728]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-09-16 34248]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NWADI;NWADI Bus Enumerator; C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2008-06-02 222720]
R3 NWUSBModem;Novatel Wireless USB Modem Driver; C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys [2008-05-09 174336]
R3 NWUSBPort;Novatel Wireless USB Status Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser.sys [2008-05-09 174336]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2008-05-09 174336]
R3 pmxmouse;PMXMOUSE; C:\WINDOWS\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
R3 pmxusblf;PMXUSBLF; C:\WINDOWS\system32\DRIVERS\pmxusblf.sys [2007-05-24 14336]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2007-09-24 392960]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;JVC DV Camera Storage; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S1 H86T5D2;H86T5D2; C:\WINDOWS\system32\drivers\H86T5D2.sys []
S3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-12-12 1124097]
S3 akshasp;SafeNet Inc. HASP Key; C:\WINDOWS\system32\DRIVERS\akshasp.sys [2009-03-13 238208]
S3 aksusb;SafeNet Inc. USB Key; C:\WINDOWS\system32\DRIVERS\aksusb.sys [2009-06-22 16384]
S3 catchme;catchme; \??\C:\DOCUME~1\SUEHCO~1\LOCALS~1\Temp\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 NWUSBCDFIL;Novatel Wireless Installation CD; C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2008-07-07 20480]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-05-09 40704]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-04-11 87808]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-04 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-04 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-04 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-04 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-04 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 ASFAgent;ASF Agent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2007-01-31 96370]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [1999-12-12 44032]
R2 hasplms;Sentinel HASP License Manager; C:\WINDOWS\system32\hasplms.exe [2009-12-16 3750400]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-06-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 COMServer;COMServer; C:\WINDOWS\system32\msapps\comsrvr.exe s []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-03-29 135664]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-09-25 651720]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-16 29744]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-17 182768]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2009-11-20 68096]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-05-09 823808]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.08 2010-07-16 09:56:55

======Uninstall list======

-->"C:\Program Files\Creative Installation Information\CREATIVE_MEDIASOURCE_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_NET_CONTENT_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_CDBURNER_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_MTP_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_NOMADJUKEBOXTYPE2_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\MEDIASOURCE_PLAYER_SKINPACK_U\Setup.exe" /remove /l0x0009
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{0CDCA5CD-C404-41FD-9216-9B4B3D24A7AA}
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DF9BF77-7E10-4973-965E-3B7013ABEA6D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DF9BF77-7E10-4973-965E-3B7013ABEA6D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABattleMap 0.79f-->"C:\Program Files\ABattleMap\Uninstall.exe" "C:\Program Files\ABattleMap\install.log"
Acrobat.com-->msiexec /qb /x {77DCDCE3-2DED-62F3-8154-05E745472D07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3-->C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Photoshop Elements 7.0-->msiexec /i {CB6075D9-F912-40AE-BEA6-E590DA24F16B}
Adobe Photoshop.com Inspiration Browser-->msiexec /qb /x {AFBBF30D-ADA9-4313-464E-14458B6BE034}
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Agere Systems Usb 2.0 Soft Modem-->agrsmdel
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
CANON iMAGE GATEWAY Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon MOV Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\Canon MOV Decoder\CanonMOVDecoderUnInstall.ini"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities CameraWindow DC-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDC\Uninst.ini"
Canon Utilities CameraWindow-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera DC-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCameraDC\Uninst.ini"
Canon Utilities MyCamera-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
Catan (remove only)-->C:\Program Files\Catan\Uninstall.exe
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
CivCity-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{994E24A6-EC47-4201-8D0B-D4563B7AD66B}\setup.exe" -l0x9 -removeonly
Creative MediaSource 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN Vision M Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31C44235-A613-4E95-B297-207BF6C6A8C1}\SETUP.EXE" -l0x9 /remove
DecoTech Design Software v6.00-->C:\program files\DecoTech\bin\uninst.exe
Dell ETS Factory Installation-->C:\Program Files\InstallShield Installation Information\{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}\setup.exe -runfromtemp -l0x0009 -removeonly
Digital Photo Navigator 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7EF4BD8-CA13-11D5-AE3D-005004B8E30C}\setup.exe"
Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe
Dungeon Keeper 2-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Bullfrog\Dungeon Keeper 2\Uninst.isu" -c"C:\Program Files\Bullfrog\Dungeon Keeper 2\uninst.dll"
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
Final Draft 7-->MsiExec.exe /I{78D62D17-D970-42DA-B8CF-5E5576293B33}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_223E2B8E7BAD9544.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Sue H Coffman\My Documents\downloads\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Extended Capabilities 4.7-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update-->MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
ImageMixer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8539FF43-C430-4BBF-A600-73081D9D9214}\setup.exe"
ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager-->C:\WINDOWS\System32\Imsmudlg.exe
Intel® PRO Alerting Agent-->MsiExec.exe /X{53183B25-FBDC-4B95-856A-DCDD69DFEE18}
Intel® PRO Network Connections 12.1.12.4-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Ipswitch WS_FTP Pro-->C:\WINDOWS\ISUNINST.EXE -f"C:\PROGRA~1\WS_FTP~1\uninst.isu" -c"C:\PROGRA~1\WS_FTP~1\FTPInstUtils.dll"
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Logitech Harmony Remote Software 7-->C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Dreamweaver MX 2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX 2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX 2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Macromedia FreeHand MXa-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{939740B5-0064-4779-854A-8C1086181C05}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft VC9 runtime libraries-->MsiExec.exe /I{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}
Mobile Broadband Generic Drivers-->MsiExec.exe /i{7B2ADCB5-3F3D-478A-90A9-A8C04EF82BF6}
Mouse Suite for Desktop Computers-->C:\Program Files\InstallShield Installation Information\{448E2D77-E504-4221-B2C2-93646B344729}\setup.exe -runfromtemp -l0x0009 -removeonly
Mozilla Firefox (3.5.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PhotoshopdotcomInspirationBrowser-->MsiExec.exe /I{AFBBF30D-ADA9-4313-464E-14458B6BE034}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x9 -cluninstall
Pure Networks Port Magic-->C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Remote Control USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
Rosetta Stone V3-->MsiExec.exe /X{7210BCFE-ED8D-4261-8537-81B5A4BDFA2A}
Roxio Activation Module-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ED8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Sierra On-Line Games (Remove only)-->C:\SIERRA\SETUP.EXE /U
Sonic CinePlayer Decoder Pack-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
SoulSeek Client 156c-->"C:\Program Files\Soulseek\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TripleA Version 1_2_0_0-->C:\Program Files\TripleA\TripleA_1_2_0_0\uninstaller.exe
Update for Office 2007 (KB934391)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Windows XP (KB896256)-->"C:\WINDOWS\$NtUninstallKB896256$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VZAccess Manager-->MsiExec.exe /I{7641FD7D-E94E-424E-A95C-0593C84DC0C0}
WAV to MP3 Encoder-->C:\PROGRA~1\WAVTOM~1\UNWISE.EXE C:\PROGRA~1\WAVTOM~1\INSTALL.LOG
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======System event log======

Computer Name: SUESHOMEWORK
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 13585
Source Name: SideBySide
Time Written: 20100628110930.000000-240
Event Type: error
User:

Computer Name: SUESHOMEWORK
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13583
Source Name: Tcpip
Time Written: 20100628084153.000000-240
Event Type: warning
User:

Computer Name: SUESHOMEWORK
Event Code: 59
Message: Generate Activation Context failed for C:\Program Files\Verizon Wireless\VZAccess Manager\ATTExtension.dll.
Reference error message: The operation completed successfully.
.

Record Number: 13576
Source Name: SideBySide
Time Written: 20100628074827.000000-240
Event Type: error
User:

Computer Name: SUESHOMEWORK
Event Code: 59
Message: Resolve Partial Assembly failed for Microsoft.VC80.MFC.
Reference error message: The referenced assembly is not installed on your system.
.

Record Number: 13575
Source Name: SideBySide
Time Written: 20100628074827.000000-240
Event Type: error
User:

Computer Name: SUESHOMEWORK
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 13574
Source Name: SideBySide
Time Written: 20100628074827.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: SUESHOMEWORK
Event Code: 20
Message:
Record Number: 3512
Source Name: Google Update
Time Written: 20100706023105.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SUESHOMEWORK
Event Code: 20
Message:
Record Number: 3511
Source Name: Google Update
Time Written: 20100706013905.000000-240
Event Type: error
User: SUESHOMEWORK\Sue H Coffman

Computer Name: SUESHOMEWORK
Event Code: 20
Message:
Record Number: 3510
Source Name: Google Update
Time Written: 20100706013105.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SUESHOMEWORK
Event Code: 20
Message:
Record Number: 3508
Source Name: Google Update
Time Written: 20100706003905.000000-240
Event Type: error
User: SUESHOMEWORK\Sue H Coffman

Computer Name: SUESHOMEWORK
Event Code: 20
Message:
Record Number: 3507
Source Name: Google Update
Time Written: 20100706003105.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-16 20:00:52
Windows 5.1.2600 Service Pack 2
Running: 9py14dj5.exe; Driver: C:\DOCUME~1\SUEHCO~1\LOCALS~1\Temp\fxdyypod.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FEC] ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D7FF1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FF1] ZwOpenKey [0x804D7FF1]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D7FF6

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9EF0A78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9EF0A738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x9EF0A74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9EF0A83F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9EF0A86B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0x9EF0A8D9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0x9EF0A8C3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9EF0A7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x9EF0A905]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x9EF0A710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x9EF0A724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9EF0A79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0x9EF0A941]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0x9EF0A8AD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0x9EF0A897]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9EF0A855]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x9EF0A92D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x9EF0A919]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x9EF0A776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x9EF0A762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x9EF0A881]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9EF0A7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0x9EF0A8EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9EF0A7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9EF0A7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AB0 7 Bytes JMP 9EF0A7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP 9EF0A78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E36 7 Bytes JMP 9EF0A7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C44 5 Bytes JMP 9EF0A7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7216 7 Bytes JMP 9EF0A7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CA150 5 Bytes JMP 9EF0A714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA3DC 5 Bytes JMP 9EF0A728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCB9A 5 Bytes JMP 9EF0A766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE70 7 Bytes JMP 9EF0A750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF26 5 Bytes JMP 9EF0A73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D0430 5 Bytes JMP 9EF0A77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D167A 5 Bytes JMP 9EF0A7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80620638 7 Bytes JMP 9EF0A89B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80620986 5 Bytes JMP 9EF0A91D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C3E 7 Bytes JMP 9EF0A885 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620F06 7 Bytes JMP 9EF0A8F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062174C 7 Bytes JMP 9EF0A8B1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FA4 7 Bytes JMP 9EF0A859 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A0E 7 Bytes JMP 9EF0A843 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622BDE 7 Bytes JMP 9EF0A86F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DBE 7 Bytes JMP 9EF0A8DD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80623028 7 Bytes JMP 9EF0A8C7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80623C38 7 Bytes JMP 9EF0A945 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062415E 5 Bytes JMP 9EF0A931 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80624278 5 Bytes JMP 9EF0A909 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA3896A00]
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0x9EC14000, 0x49379, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0x9EC6A224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0x9EC6A000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x9E90C400, 0x6EB98, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9E996C20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9E996C20]
.protect˙˙˙˙hardlockunknown last code section [0x9E996A00, 0x50CA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x9E996A00, 0x50CA, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[340] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[340] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[340] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A0000C
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 019C0FEF
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 019C0F86
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 019C0F97
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 019C0FB2
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 019C0065
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 019C002F
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 019C00B1
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 019C0F75
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 019C00F1
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 019C0F58
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 019C010C
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 019C004A
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 019C0FDE
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 019C0096
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 019C0014
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 019C0FC3
.text C:\WINDOWS\Explorer.EXE[340] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 019C00CC
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 019B0FCD
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 019B006F
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 019B001E
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 019B0FDE
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 019B0FB2
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 019B0054
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 019B0FEF
.text C:\WINDOWS\Explorer.EXE[340] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 019B0039
.text C:\WINDOWS\Explorer.EXE[340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 019A0FAB
.text C:\WINDOWS\Explorer.EXE[340] msvcrt.dll!system 77C293C7 5 Bytes JMP 019A0FBC
.text C:\WINDOWS\Explorer.EXE[340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 019A001B
.text C:\WINDOWS\Explorer.EXE[340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 019A0000
.text C:\WINDOWS\Explorer.EXE[340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 019A002C
.text C:\WINDOWS\Explorer.EXE[340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 019A0FD7
.text C:\WINDOWS\Explorer.EXE[340] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 01990000
.text C:\WINDOWS\Explorer.EXE[340] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 01990FE5
.text C:\WINDOWS\Explorer.EXE[340] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 01990FCA
.text C:\WINDOWS\Explorer.EXE[340] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 0199001D
.text C:\WINDOWS\Explorer.EXE[340] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01980000
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F5E
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0007005D
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0007004C
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F30
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F41
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F15
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0007006E
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B3005D
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30042
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30027
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30FD2
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B3000C
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00060022
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0006005F
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060044
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060033
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 00050FC8
.text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[784] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F30F68
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F30053
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F30042
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30F83
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F30082
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F30F3A
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F30F15
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F300AE
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F300C9
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F30F94
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F30011
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F30F57
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F30FC0
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F30FD1
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F30093
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F20F83
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F20F94
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F20FA5
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F2002C
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01110049
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!system 77C293C7 5 Bytes JMP 01110038
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0111001D
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01110FC8
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0111000C
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 00F10FDB
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\lsass.exe[796] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 00F1001D
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CE0F1F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CE0F3A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CE0F57
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CE0F72
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CE004C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CE003B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CE0ED8
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CE0EF3
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CE0EB3
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CE0F83
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CE0F0E
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CE0014
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CE0071
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CD0F83
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CD001B
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CD0FA8
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CD0040
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0F9E
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0029
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF000C
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 00CC0FD9
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 00CC002C
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C90F7E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C9007D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C90062
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C90F41
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C90F5C
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C90F15
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C900B8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C90F04
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C90F6D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C90FC0
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C90F30
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C80070
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C80FDB
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C8005F
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C8004E
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C8003D
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0022
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FA1
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FBC
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FE3
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0011
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02370000
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02370065
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02370F70
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02370F81
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0237004A
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02370FA8
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 023700A4
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02370087
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 023700D0
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02370F37
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02370F26
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0237002F
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02370FE5
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02370076
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02370FB9
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02370FD4
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 023700B5
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02360FCA
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02360F9B
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02360011
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02360FE5
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0236004E
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0236003D
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02360000
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0236002C
.text C:\WINDOWS\System32\svchost.exe[1132] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 009C000A
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 035F0F9A
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 035F0FAB
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 035F0011
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 035F0000
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 035F0FBC
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 035F0FE3
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 0235001B
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 02350000
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 02350036
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 02350053
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0234000A
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0077007D
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00770062
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00770F88
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00770051
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00770FA5
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00770098
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00770F5C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00770F09
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00770F24
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007700C7
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0077002C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00770011
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00770F6D
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00770FC0
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00770FDB
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00770F35
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00760040
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00760080
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00760025
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00760065
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780F99
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780FB4
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0078002E
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0078000C
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FD9
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0078001D
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 00750FE5
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 00750011
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 00750FCA
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00910056
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00910F6B
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00910F7C
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00910F97
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00910FB2
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0091009F
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0091008E
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009100DF
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009100BA
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009100F0
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00910039
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00910FDE
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00910071
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00910FC3
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00910014
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00910F3C
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 007F0FB9
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 007F0039
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 007F0F7C
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 007F0F8D
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 007F0F9E
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920049
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092002E
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FD9
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FC8
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 007E0FDE
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 007E0014
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 007E0025
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B10F88
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B10F99
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B10FAA
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B10073
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B1004E
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B100BF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B10F77
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B100FF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B10F5C
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B10110
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B10FD1
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B10011
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B100A2
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B1003D
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B1002C
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B100DA
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B00014
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B00F72
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B00FCD
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B00039
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B00F8D
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B00FA8
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20FC3
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FD4
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20029
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B2000C
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B2003A
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 00AF0027
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AE000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1720] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1720] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[2208] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\wuauclt.exe[2208] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\wuauclt.exe[2208] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00AA000C
.text C:\WINDOWS\system32\wuauclt.exe[2208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0F8B
.text C:\WINDOWS\system32\wuauclt.exe[2208] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0F9C
.text C:\WINDOWS\system32\wuauclt.exe[2208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FB7
.text C:\WINDOWS\system32\wuauclt.exe[2208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C000C
.text C:\WINDOWS\system32\wuauclt.exe[2208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002D0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002D0F79
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002D001B
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002D000A
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002D0F94
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002D0040
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2208] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002D0FB9
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A30090
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A3007F
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A30FA5
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A30062
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A30036
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A300B7
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A30F6F
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A30F28
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A30F39
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A30F17
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A30051
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A30FE5
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A30F80
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A30FCA
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[2448] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A30F54
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A20F9E
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A20FCA
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[2448] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A20F8D
.text C:\WINDOWS\system32\svchost.exe[2448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10F7F
.text C:\WINDOWS\system32\svchost.exe[2448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10F9A
.text C:\WINDOWS\system32\svchost.exe[2448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[2448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[2448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FAB
.text C:\WINDOWS\system32\svchost.exe[2448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10FC6
.text C:\WINDOWS\system32\svchost.exe[2448] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[2448] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[2448] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 007F002C
.text C:\WINDOWS\system32\svchost.exe[2448] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 007F0047
.text C:\WINDOWS\system32\wuauclt.exe[2692] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\wuauclt.exe[2692] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0084000A
.text C:\WINDOWS\system32\wuauclt.exe[2692] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 003D000C
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02660000
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 026600A2
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02660091
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02660080
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02660FC3
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0266004A
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 026600D3
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02660F8B
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 026600F8
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02660F55
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02660F3A
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02660065
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02660FE5
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02660F9C
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02660FD4
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0266001B
.text C:\WINDOWS\system32\wuauclt.exe[2692] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02660F70
.text C:\WINDOWS\system32\wuauclt.exe[2692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02640FA8
.text C:\WINDOWS\system32\wuauclt.exe[2692] msvcrt.dll!system 77C293C7 5 Bytes JMP 02640FB9
.text C:\WINDOWS\system32\wuauclt.exe[2692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02640029
.text C:\WINDOWS\system32\wuauclt.exe[2692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02640FEF
.text C:\WINDOWS\system32\wuauclt.exe[2692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02640FD4
.text C:\WINDOWS\system32\wuauclt.exe[2692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02640018
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02650FAF
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02650062
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0265000A
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02650FD4
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02650051
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02650036
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02650FEF
.text C:\WINDOWS\system32\wuauclt.exe[2692] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02650025
.text C:\WINDOWS\system32\wuauclt.exe[2692] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 02630011
.text C:\WINDOWS\system32\wuauclt.exe[2692] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 02630000
.text C:\WINDOWS\system32\wuauclt.exe[2692] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 02630FDB
.text C:\WINDOWS\system32\wuauclt.exe[2692] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 02630038
.text C:\WINDOWS\system32\wuauclt.exe[2692] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02620000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Disk \Device\Harddisk1\DR15 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+10 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+a aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk2\DR5 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+b aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk3\DR6 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+c aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk4\DR7 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk5\DP(1)0-0+d aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk5\DR8 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk6\DP(1)0-0+e aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk6\DR9 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  info.txt   29.21KB   1 downloads
  • Attached File  log.txt   35.67KB   1 downloads
  • Attached File  gmer.log   134.27KB   3 downloads

Edited by aommaster, 16 July 2010 - 09:29 PM.


#5 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 16 July 2010 - 09:45 PM

Hello, pyle1999.
Please copy and paste the logs directly into your reply, as they make it easier for me to read smile.gif

Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably other's) safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.




P2P Program Warning!

BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




Viewpoint Warning!

Your logs show Viewpoint Manager installed, Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

Viewpoint to Plunge Into Adware

I suggest you remove the program now. Go to Start > Control Panel > Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player




It appears that you have previous run Combofix. Please post up the results of the combofix log located at c:\Combofix.txt

Also, I would like to bring to your attention Combofix's disclaimer:
QUOTE
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Running Combofix without a helper's instructions can render your computer unbootable. See this topic for more information on Combofix. If you are getting help elsewhere, let me know so we can avoid confusion.


NEXT:

Please uninstall Ask Toolbar, as it has been associated with a number of adware.

In your next reply, please include the following:
  • Combofix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#6 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 16 July 2010 - 11:38 PM

I would still like to try to clean the computer. If all else fails I'll format, but I'd like to try some more fixes first. I haven't done any banking from this computer for a while and made sure never to save any sensitive information. I removed BitTorrent, the Ask Toolbar, and Viewpoint as requested. Also here is the Combofix file:

ComboFix 10-06-27.06 - Sue H Coffman 06/29/2010 23:57:48.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2005.1720 [GMT -4:00]
Running from: c:\documents and settings\Sue H Coffman\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sue H Coffman\Local Settings\Application Data\{EEB473B2-7361-445C-A365-0156C490FF6D}
c:\documents and settings\Sue H Coffman\Local Settings\Application Data\{EEB473B2-7361-445C-A365-0156C490FF6D}\chrome.manifest
c:\documents and settings\Sue H Coffman\Local Settings\Application Data\{EEB473B2-7361-445C-A365-0156C490FF6D}\chrome\content\_cfg.js
c:\documents and settings\Sue H Coffman\Local Settings\Application Data\{EEB473B2-7361-445C-A365-0156C490FF6D}\chrome\content\overlay.xul
c:\documents and settings\Sue H Coffman\Local Settings\Application Data\{EEB473B2-7361-445C-A365-0156C490FF6D}\install.rdf
c:\windows\system32\dumphive.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srcr.dat
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-29 22:40 . 2010-06-30 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-29 22:40 . 2010-06-29 23:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-28 19:00 . 2010-06-28 19:00 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-28 00:15 . 2010-06-29 16:05 0 ----a-w- c:\windows\Onolo.bin
2010-06-28 00:15 . 2010-06-28 21:15 120 ----a-w- c:\windows\Cbutebevami.dat
2010-06-28 00:12 . 2010-06-28 00:12 -------- d-----w- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\ifkjstclm
2010-06-14 06:02 . 2010-06-14 14:08 -------- d-----w- c:\documents and settings\Sue H Coffman\Application Data\ImgBurn
2010-06-14 05:48 . 2010-06-14 05:48 -------- d-----w- c:\program files\ImgBurn
2010-06-14 05:10 . 2010-06-14 05:10 -------- d-----w- c:\program files\Rosetta Stone
2010-06-14 05:10 . 2010-06-14 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\17003\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\17003\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\17003\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\17003\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 11:46 . 2009-12-14 06:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-21 14:37 . 2009-02-01 20:20 -------- d-----w- c:\program files\McAfee
2010-05-21 08:50 . 2010-01-21 17:10 -------- d-----w- c:\program files\Catan
2010-05-21 03:08 . 2009-10-18 22:41 -------- d-----w- c:\program files\Soulseek
2010-04-29 19:39 . 2009-12-14 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-14 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 12:54 . 2010-04-16 12:54 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 21:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-16 68856]
"Google Update"="c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-22 135664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-16 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-07-24 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-24 98304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216861828\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216861828\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\hasplms.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [7/23/2008 8:40 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [7/23/2008 8:40 PM 14336]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 4:58 AM 133968]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2010 8:10 PM 135664]
S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 12:23 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 11:08 AM 174336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 00:10]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 00:10]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005Core.job
- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 17:16]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005UA.job
- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 17:16]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-01 16:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-01 16:22]

2010-06-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-07-10 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14986&l=dis
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ftp.newaol.com/aoltoolbar/download.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Sue H Coffman\Application Data\Mozilla\Firefox\Profiles\r29mfc8c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BT3&o=14987&locale=en_US&q=
FF - plugin: c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AGRSMMSG - AGRSMMSG.exe
AddRemove-AOL Toolbar 5.0 - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 00:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-30 00:04:38
ComboFix-quarantined-files.txt 2010-06-30 04:04

Pre-Run: 110,544,314,368 bytes free
Post-Run: 110,770,810,880 bytes free

- - End Of File - - 0955B281B9D1707B58AD5C6082318106

Edited by pyle1999, 16 July 2010 - 11:39 PM.


#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 16 July 2010 - 11:46 PM

Hello, pyle1999.
QUOTE
I would still like to try to clean the computer.

That's no problem at all smile.gif

We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. ClickMode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to download a fresh copy of Combofix
  1. Please delete the copy of combofix you currently have.
  2. Now, download a fresh copy of ComboFix from one of these locations:
    Link 1
    Link 2

NEXT:

Please run Combofix again and post the log it produces


My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#8 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 17 July 2010 - 09:22 PM


It took me four tries, but finally was able to successfully run Combofix in safe mode. Here is the log:




ComboFix 10-07-15.05 - Sue H Coffman 07/17/2010 22:03:50.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2005.1633 [GMT -4:00]
Running from: c:\documents and settings\Sue H Coffman\My Documents\downloads\CombFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bywwvt.dll
c:\windows\system32\tmp.reg
c:\windows\system32\ursttu.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-16 13:56 . 2010-07-16 13:56 -------- d-----w- c:\program files\trend micro
2010-07-16 13:56 . 2010-07-16 13:56 -------- d-----w- C:\rsit
2010-07-13 23:05 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 23:05 . 2010-07-15 14:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 23:05 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 16:11 . 2010-07-09 16:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-03 09:12 . 2010-07-03 09:43 -------- d-----w- c:\windows\system32\msapps
2010-06-30 05:00 . 2010-07-09 00:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 05:00 . 2010-06-30 05:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-30 04:59 . 2010-07-14 11:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-29 22:40 . 2010-06-30 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-29 22:40 . 2010-06-29 23:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-28 19:00 . 2010-06-28 19:00 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-28 00:15 . 2010-06-29 16:05 0 ----a-w- c:\windows\Onolo.bin
2010-06-28 00:15 . 2010-06-28 21:15 120 ----a-w- c:\windows\Cbutebevami.dat
2010-06-28 00:12 . 2010-06-28 00:12 -------- d-----w- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\ifkjstclm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 03:56 . 2010-06-14 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-06-21 14:37 . 2009-02-01 20:20 -------- d-----w- c:\program files\McAfee
2010-06-14 14:08 . 2010-06-14 06:02 -------- d-----w- c:\documents and settings\Sue H Coffman\Application Data\ImgBurn
2010-06-14 05:48 . 2010-06-14 05:48 -------- d-----w- c:\program files\ImgBurn
2010-06-14 05:10 . 2010-06-14 05:10 -------- d-----w- c:\program files\Rosetta Stone
2010-05-21 03:08 . 2009-10-18 22:41 -------- d-----w- c:\program files\Soulseek
.

((((((((((((((((((((((((((((( SnapShot@2010-06-30_04.03.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-24 00:40 . 2010-06-30 02:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-24 00:40 . 2010-07-18 01:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-30 06:26 . 2010-07-18 01:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-24 00:40 . 2010-06-30 02:16 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-16 68856]
"Google Update"="c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-22 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-16 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-07-24 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-24 98304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216861828\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216861828\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\hasplms.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 4:58 AM 133968]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 11:08 AM 174336]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [7/23/2008 8:40 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [7/23/2008 8:40 PM 14336]
S1 H86T5D2;H86T5D2;c:\windows\system32\drivers\H86T5D2.sys --> c:\windows\system32\drivers\H86T5D2.sys [?]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2010 8:10 PM 135664]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 12:23 PM 20480]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 00:10]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 00:10]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005Core.job
- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 17:16]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005UA.job
- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 17:16]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-01 16:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-01 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14986&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ftp.newaol.com/aoltoolbar/download.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Sue H Coffman\Application Data\Mozilla\Firefox\Profiles\r29mfc8c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-ursssqsys - ursttu.dll
HKU-Default-Run-cbbxwvsys - ursttu.dll
SafeBoot-H86T5D2



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 22:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x889FDEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11816
\Driver\iaStor -> iaStor.sys @ 0xb9e7e002
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel® 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d2aba0
PacketIndicateHandler -> NDIS.sys @ 0xb9d19a0b
SendHandler -> NDIS.sys @ 0xb9d2db31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\WS_FTP Pro\nsftpch.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pmxscrll.dll
c:\windows\system32\PMXCOMM.dll
c:\windows\system32\PMXHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\hasplms.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\Pmxmiced.exe
c:\windows\system32\igfxsrvc.exe
c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2010-07-17 22:18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-18 02:18
ComboFix2.txt 2010-06-30 04:04

Pre-Run: 118,073,704,448 bytes free
Post-Run: 115,938,189,312 bytes free

- - End Of File - - F75E62CCEED8E46C3CC537DE72EAA7B6


#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 17 July 2010 - 09:28 PM

Hello, pyle1999.
Looks good smile.gif

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note:If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here

NEXT:

We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/330836/infected-with-hiloti-trojan/

    Collect::
    c:\windows\Onolo.bin
    c:\windows\Cbutebevami.dat
    c:\documents and settings\Sue H Coffman\Local Settings\Application Data\ifkjstclm
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • TDSSKiller.txt
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#10 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 18 July 2010 - 12:16 AM

TDSS Killer:

23:49:17:218 3544 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
23:49:17:218 3544 ================================================================================
23:49:17:218 3544 SystemInfo:

23:49:17:218 3544 OS Version: 5.1.2600 ServicePack: 2.0
23:49:17:218 3544 Product type: Workstation
23:49:17:218 3544 ComputerName: SUESHOMEWORK
23:49:17:218 3544 UserName: Sue H Coffman
23:49:17:218 3544 Windows directory: C:\WINDOWS
23:49:17:218 3544 System windows directory: C:\WINDOWS
23:49:17:218 3544 Processor architecture: Intel x86
23:49:17:218 3544 Number of processors: 2
23:49:17:218 3544 Page size: 0x1000
23:49:17:218 3544 Boot type: Normal boot
23:49:17:218 3544 ================================================================================
23:49:17:500 3544 Initialize success
23:49:17:500 3544
23:49:17:500 3544 Scanning Services ...
23:49:17:546 3544 Raw services enum returned 364 services
23:49:17:546 3544
23:49:17:546 3544 Scanning Drivers ...
23:49:17:890 3544 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
23:49:17:968 3544 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:49:18:031 3544 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:49:18:093 3544 ADIHdAudAddService (0f0a69496989912351284bb1baa2ce57) C:\WINDOWS\system32\drivers\ADIHdAud.sys
23:49:18:156 3544 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
23:49:18:234 3544 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
23:49:18:312 3544 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
23:49:18:421 3544 AgereSoftModem (c41a5740468d0b9cb46e6390a0e15ce3) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
23:49:18:468 3544 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:49:18:484 3544 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
23:49:18:500 3544 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
23:49:18:531 3544 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
23:49:18:562 3544 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
23:49:18:625 3544 aksfridge (45f65f2f7ae28e5e56ab64e3ac61bd52) C:\WINDOWS\system32\drivers\aksfridge.sys
23:49:19:765 3544 akshasp (64fc197d24a2b240598f29ce0a6660c0) C:\WINDOWS\system32\DRIVERS\akshasp.sys
23:49:19:828 3544 aksusb (cce6c56f18d214de8d66f3f2a774cd5b) C:\WINDOWS\system32\DRIVERS\aksusb.sys
23:49:19:875 3544 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
23:49:19:906 3544 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
23:49:19:906 3544 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
23:49:19:921 3544 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
23:49:19:953 3544 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
23:49:19:984 3544 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
23:49:20:046 3544 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
23:49:20:093 3544 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
23:49:20:140 3544 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:49:20:171 3544 atapi (40caace7f2e7668148a1d45cf91e1131) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:49:20:187 3544 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:49:20:203 3544 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:49:20:218 3544 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:49:20:218 3544 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
23:49:20:234 3544 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:49:20:250 3544 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
23:49:20:281 3544 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:49:20:296 3544 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
23:49:20:312 3544 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:49:20:343 3544 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
23:49:20:359 3544 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
23:49:20:375 3544 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
23:49:20:390 3544 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
23:49:20:406 3544 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
23:49:20:437 3544 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
23:49:20:468 3544 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
23:49:20:515 3544 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
23:49:20:562 3544 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
23:49:20:593 3544 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
23:49:20:609 3544 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
23:49:20:640 3544 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
23:49:20:687 3544 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
23:49:20:718 3544 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
23:49:20:750 3544 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
23:49:20:796 3544 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
23:49:20:890 3544 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
23:49:20:937 3544 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
23:49:20:953 3544 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:49:21:000 3544 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
23:49:21:000 3544 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
23:49:21:015 3544 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
23:49:21:031 3544 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
23:49:21:062 3544 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
23:49:21:109 3544 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
23:49:21:171 3544 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
23:49:21:203 3544 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
23:49:21:218 3544 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:49:21:234 3544 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
23:49:21:250 3544 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:49:21:281 3544 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
23:49:21:281 3544 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:49:21:296 3544 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:49:21:312 3544 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:49:21:359 3544 hardlock (995178a443b07fa9eeaea041d7b4b5ca) C:\WINDOWS\system32\drivers\hardlock.sys
23:49:23:843 3544 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:49:23:921 3544 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
23:49:24:015 3544 HidBatt (13c0d55da4b7148ef980e130b85d9f2c) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
23:49:24:046 3544 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:49:24:078 3544 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
23:49:24:140 3544 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
23:49:24:187 3544 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
23:49:24:234 3544 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
23:49:24:281 3544 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
23:49:24:312 3544 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
23:49:24:328 3544 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
23:49:24:375 3544 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:49:24:546 3544 ialm (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
23:49:24:750 3544 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\drivers\iaStor.sys
23:49:24:781 3544 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:49:24:828 3544 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
23:49:24:859 3544 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:49:24:890 3544 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:49:24:906 3544 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
23:49:24:921 3544 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:49:24:953 3544 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:49:24:984 3544 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:49:25:000 3544 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:49:25:015 3544 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:49:25:015 3544 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:49:25:031 3544 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:49:25:062 3544 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:49:25:109 3544 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
23:49:25:156 3544 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
23:49:25:156 3544 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
23:49:25:203 3544 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
23:49:25:234 3544 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
23:49:25:296 3544 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
23:49:25:375 3544 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
23:49:25:421 3544 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
23:49:25:453 3544 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:49:25:484 3544 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
23:49:25:484 3544 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:49:25:500 3544 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:49:25:515 3544 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
23:49:25:546 3544 MPFP (85113838a2e9ba7d2fcbfd27df2bfa70) C:\WINDOWS\system32\Drivers\Mpfp.sys
23:49:25:546 3544 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\Mpfp.sys. Real md5: 85113838a2e9ba7d2fcbfd27df2bfa70, Fake md5: 136157e79849b9e5316ba4008d6075a8
23:49:25:546 3544 File "C:\WINDOWS\system32\Drivers\Mpfp.sys" infected by TDSS rootkit ... 23:49:25:656 3544 Backup copy found, using it..
23:49:25:656 3544 will be cured on next reboot
23:49:25:718 3544 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
23:49:25:796 3544 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:49:25:859 3544 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:49:25:875 3544 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
23:49:25:921 3544 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:49:25:953 3544 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:49:26:000 3544 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
23:49:26:062 3544 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:49:26:062 3544 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
23:49:26:078 3544 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
23:49:26:109 3544 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:49:26:125 3544 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:49:26:156 3544 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:49:26:171 3544 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
23:49:26:171 3544 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:49:26:187 3544 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:49:26:203 3544 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
23:49:26:234 3544 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
23:49:26:234 3544 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:49:26:296 3544 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
23:49:26:343 3544 NWADI (0973c0c696780161f4526586d5eac422) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
23:49:26:406 3544 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:49:26:421 3544 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:49:26:437 3544 NWUSBCDFIL (1fde5b2d61d97d803594df4b3bc28c4b) C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys
23:49:26:515 3544 NWUSBModem (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
23:49:26:546 3544 NWUSBPort (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbser.sys
23:49:26:578 3544 NWUSBPort2 (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbser2.sys
23:49:26:625 3544 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
23:49:26:687 3544 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
23:49:26:734 3544 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:49:26:750 3544 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
23:49:26:750 3544 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:49:26:781 3544 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:49:26:812 3544 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
23:49:26:859 3544 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
23:49:26:890 3544 pmxmouse (fab495f1defeb596c44b9752a25e2a60) C:\WINDOWS\system32\DRIVERS\pmxmouse.sys
23:49:26:968 3544 pmxusblf (1971e853b598bf9baabff2b652e5cd4d) C:\WINDOWS\system32\DRIVERS\pmxusblf.sys
23:49:27:015 3544 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:49:27:015 3544 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
23:49:27:031 3544 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:49:27:062 3544 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:49:27:109 3544 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
23:49:27:109 3544 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
23:49:27:125 3544 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
23:49:27:156 3544 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
23:49:27:171 3544 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
23:49:27:203 3544 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:49:27:218 3544 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:49:27:234 3544 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:49:27:250 3544 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:49:27:281 3544 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:49:27:296 3544 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:49:27:296 3544 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:49:27:343 3544 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
23:49:27:359 3544 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:49:27:390 3544 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:49:27:421 3544 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
23:49:27:437 3544 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:49:27:453 3544 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
23:49:27:468 3544 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:49:27:484 3544 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
23:49:27:562 3544 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
23:49:27:640 3544 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
23:49:27:703 3544 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
23:49:27:734 3544 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
23:49:27:781 3544 Srv (7a0111577d8046633d5162a3ce15e9e1) C:\WINDOWS\system32\DRIVERS\srv.sys
23:49:27:828 3544 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:49:27:859 3544 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
23:49:27:906 3544 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
23:49:27:953 3544 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
23:49:28:000 3544 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
23:49:28:015 3544 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
23:49:28:046 3544 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
23:49:28:093 3544 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:49:28:109 3544 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:49:28:125 3544 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
23:49:28:140 3544 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:49:28:171 3544 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
23:49:28:187 3544 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
23:49:28:203 3544 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
23:49:28:265 3544 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
23:49:28:328 3544 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:49:28:328 3544 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:49:28:375 3544 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:49:28:406 3544 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:49:28:437 3544 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:49:28:468 3544 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:49:28:484 3544 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:49:28:531 3544 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
23:49:28:546 3544 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
23:49:28:562 3544 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:49:28:593 3544 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
23:49:28:609 3544 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:49:28:640 3544 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
23:49:28:703 3544 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
23:49:28:734 3544 WpdUsb (d4162c1d8fe1de8f1e6ef9ba4323d520) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
23:49:28:812 3544 WudfPf (443f0a35cb3be5d176053da39157a898) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:49:28:843 3544 WudfRd (e12d4c486d7eb4e0961c27558dc25af7) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:49:28:906 3544 Reboot required for cure complete..
23:49:29:000 3544 Cure on reboot scheduled successfully
23:49:29:000 3544
23:49:29:000 3544 Completed
23:49:29:000 3544
23:49:29:000 3544 Results:
23:49:29:000 3544 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:49:29:000 3544 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:49:29:000 3544
23:49:29:015 3544 KLMD(ARK) unloaded successfully




Combofix:


ComboFix 10-07-15.05 - Sue H Coffman 07/18/2010 0:17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2005.1461 [GMT -4:00]
Running from: c:\documents and settings\Sue H Coffman\My Documents\downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Sue H Coffman\My Documents\downloads\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\Cbutebevami.dat
file zipped: c:\windows\Onolo.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Cbutebevami.dat
c:\windows\Onolo.bin

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-18 03:59 . 2010-07-18 03:59 -------- d-----w- C:\CombFix
2010-07-16 13:56 . 2010-07-16 13:56 -------- d-----w- c:\program files\trend micro
2010-07-16 13:56 . 2010-07-16 13:56 -------- d-----w- C:\rsit
2010-07-13 23:05 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 23:05 . 2010-07-15 14:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 23:05 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 16:11 . 2010-07-09 16:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-03 09:12 . 2010-07-03 09:43 -------- d-----w- c:\windows\system32\msapps
2010-06-30 05:00 . 2010-07-09 00:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 05:00 . 2010-06-30 05:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-30 04:59 . 2010-07-14 11:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-29 22:40 . 2010-06-30 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-29 22:40 . 2010-06-29 23:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-28 19:00 . 2010-06-28 19:00 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-28 00:12 . 2010-06-28 00:12 -------- d-----w- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\ifkjstclm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 03:50 . 2009-02-01 20:20 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-08 03:56 . 2010-06-14 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-06-21 14:37 . 2009-02-01 20:20 -------- d-----w- c:\program files\McAfee
2010-06-14 14:08 . 2010-06-14 06:02 -------- d-----w- c:\documents and settings\Sue H Coffman\Application Data\ImgBurn
2010-06-14 05:48 . 2010-06-14 05:48 -------- d-----w- c:\program files\ImgBurn
2010-06-14 05:10 . 2010-06-14 05:10 -------- d-----w- c:\program files\Rosetta Stone
2010-05-21 03:08 . 2009-10-18 22:41 -------- d-----w- c:\program files\Soulseek
.

((((((((((((((((((((((((((((( SnapShot@2010-06-30_04.03.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-24 00:40 . 2010-07-18 01:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-24 00:40 . 2010-06-30 02:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-16 68856]
"Google Update"="c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-22 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-16 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-07-24 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-24 98304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216861828\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216861828\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\hasplms.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 4:58 AM 133968]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 11:08 AM 174336]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [7/23/2008 8:40 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [7/23/2008 8:40 PM 14336]
S1 H86T5D2;H86T5D2;c:\windows\system32\drivers\H86T5D2.sys --> c:\windows\system32\drivers\H86T5D2.sys [?]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2010 8:10 PM 135664]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 12:23 PM 20480]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 00:10]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 00:10]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005Core.job
- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 17:16]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602280188-278375194-739775447-1005UA.job
- c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-22 17:16]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-01 16:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-01 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14986&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ftp.newaol.com/aoltoolbar/download.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Sue H Coffman\Application Data\Mozilla\Firefox\Profiles\r29mfc8c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\Sue H Coffman\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-18 00:24:30
ComboFix-quarantined-files.txt 2010-07-18 04:24
ComboFix2.txt 2010-07-18 02:18
ComboFix3.txt 2010-06-30 04:04

Pre-Run: 115,934,871,552 bytes free
Post-Run: 115,922,477,056 bytes free

- - End Of File - - ACC187CB50E47181517575BAB49DF6EE




I was also prompted to submit the follow to BleepingComputer and was instructed to inform you:

[4]-Submit_2010-07-18_00.17.26



#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 18 July 2010 - 12:40 AM

Hello, pyle1999.
Looks good! smile.gif

QUOTE
I was also prompted to submit the follow to BleepingComputer and was instructed to inform you:

[4]-Submit_2010-07-18_00.17.26

Yes, that's fine. This will go directly to the developer so that he can improve on combofix.

How's your computer doing? Are you experiencing any other problems? If not, please proceed with the below.
We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 21 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java versions.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run an ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use"
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "< button.
  13. Push Finish

In your next reply, please include the following:
  • Eset Scan Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#12 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 18 July 2010 - 01:15 PM

I can already notice that everything is running a lot more smoothly and efficiently. Also there are no more pop ups and the google search bar is functioning correctly again.

I updated Java and ran ESET. Here is the requested log:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Sue H Coffman\Application Data\Sun\Java\Deployment\cache\6.0\29\47c98add-416c57c2 multiple threats deleted - quarantined
C:\Documents and Settings\Sue H Coffman\Application Data\Sun\Java\Deployment\cache\6.0\38\2eeefb66-47a7153d probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Sue H Coffman\Application Data\Sun\Java\Deployment\cache\6.0\46\77b0d7ae-2d2ea978 multiple threats deleted - quarantined
C:\Documents and Settings\Sue H Coffman\Application Data\Sun\Java\Deployment\cache\6.0\63\4808573f-2ac792ab multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Sue H Coffman\Local Settings\Application Data\{EEB473B2-7361-445C-A365-0156C490FF6D}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent trojan cleaned by deleting - quarantined


#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 18 July 2010 - 01:21 PM

Hello, pyle1999.
Glad to hear. Looks like Eset got whatever was left over. It's time to clean up smile.gif

We need to uninstall Combofix
  1. Click on your Start Menu, then Run....
  2. Now type combofix /uninstall in the runbox and click OK. Notice the space between the "x" and "/".

NEXT:

We need to clear the TeaTimer cache
  1. Download ResetTeaTimer.exe to your desktop.
  2. Double-click ResetTeaTimer.exe and let it run.

NEXT:

We need to clear the Java cache
  1. Click Start > Control Panel
  2. Double-click the Java icon in the control panel
  3. Click Settings under Temporary Internet Files.
  4. Click Delete Files
  5. Check all the boxes
  6. Click Ok

NEXT:

We need to enable TeaTimer
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. ClickMode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Check the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy




Your Log looks Clean please take the time to read below to secure your machine and take the necessary steps to keep it clean smile.gif

There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be weary about attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, And how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Make Firefox more secure
    Firefox is a relatively safe browser compared to Internet Explorer. However, if you'd still like to enhance security, consider some of these extensions:
    • NoScript: Add-on which automatically blocks Javascript and Java from running on sites.
    • Firekeeper: Add-on which aims to protect your from malicious websites which may exploit browser and code security flaws.
    • KeyScrambler: Add-on that protects your passwords from being detected by keyloggers.
  4. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  5. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast! and Antivir and AVG Antivirus
    3. An antispyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  6. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

Some more links you might find of interest:

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#14 pyle1999

pyle1999
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 18 July 2010 - 04:11 PM

I have now installed (or uninstalled) most all of your suggested software and plan on monitoring my online activity with more diligence. I don't want to have to go through this again...


Everything seems to be functioning as pre-trojan normal - I can't thank you enough!


#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:00 PM

Posted 18 July 2010 - 04:47 PM

Glad to be of help smile.gif

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users