Unknown infection mimics Safe Mode


This topic is locked
43 replies to this topic

#1 Hotter Than July

Posted 19 July 2010 - 01:28 PM

I'm running Windows XP SP3. At the very beginning of July, I uninstalled avast! antivirus because it didn't remove anything, and I replaced it with McAfee (my older sister told me about how we used it back in the day to get rid of Mydoom). Anyway, I spent about 3 days on the internet (not a great idea), then left my laptop alone for a while and got back on to see another user (Administrator) on the welcome screen as if I was in Safe Mode, except it was password protected. I logged onto my account and my computer only made a beep as if I had no sound drivers, I couldn't uninstall anything, and McAfee was disabled (as if I was in safe mode). Every time I log on I have to reinstall Windows Media Player. Also, when I run a System Internals scan in Spybot S&D, I have over 150 errors, mostly wrong app paths associated with Windows .NET Framework v1.1. On startup a value for avast! antivirus is there and reappears every time I try to remove it. I ran GMER, DDS, and an HJT log (attached) from an older version, since when I try to install the new one, an error message stating "The administrator has set policies to prevent this installation" appears.

Please help, any assistance would be very greatly appreciated.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-19 12:42:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\kfxdrpob.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Kickmatsuda at 11:56:48.82 on Mon 07/19/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.521 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Kickmatsuda\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AirCardEnabler]
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\3g watcher\WaHelper.exe"
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kickma~1\applic~1\mozilla\firefox\profiles\tjcr7pst.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R1 SASDIFSV;SASDIFSV;c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-5-1 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-5-1 74480]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2006-10-12 20352]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-7-7 358736]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-7-7 144704]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-7-7 605512]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-7 79240]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-7 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-7-7 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-7-7 40488]
S3 SASENUM;SASENUM;\??\c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-1-12 102144]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-1-12 70656]

=============== Created Last 30 ================

2010-07-19 16:11:19 0 d-----w- C:\VundoFix Backups
2010-07-19 16:03:54 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-07-13 11:45:22 218 ----a-w- c:\documents and settings\kickmatsuda\.recently-used.xbel
2010-07-08 16:37:29 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-07-07 16:35:19 3115 ----a-w- c:\windows\system32\Config.MPF
2010-07-07 16:24:24 79240 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-07 16:24:24 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-07-07 16:24:24 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-07 16:24:17 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-07 16:23:00 0 d-----w- c:\program files\common files\McAfee
2010-07-07 16:22:56 0 d-----w- c:\program files\McAfee.com
2010-07-07 16:22:28 0 d-----w- c:\program files\McAfee
2010-07-07 16:21:41 34152 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-07-07 02:22:37 0 d-----w- c:\windows\SxsCaPendDel
2010-07-06 17:50:27 0 d-----w- c:\program files\Microsoft Virtual PC
2010-06-20 15:55:33 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-20 15:55:33 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-20 15:55:29 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-20 15:36:51 0 d-----w- c:\windows\system32\appmgmt
2010-06-20 11:27:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Electronic Arts
2010-06-20 11:26:38 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2010-06-20 11:26:36 0 d-----w- c:\program files\Microsoft WSE
2010-06-20 11:23:07 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-06-20 11:23:04 0 d-----w- c:\windows\Logs

==================== Find3M ====================

2010-06-14 23:11:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\_004661_.tmp.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 11:57:18.40 ===============

Also, is Security Task Manager a legit program? It's getting antsy lately and says I have 73 drivers and 5 services that don't belong to my OS.

I tried going into Directory Services Restore Mode and Safe Mode, and they both STOP on multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\ntoskrnl.exe. I have to reboot the computer.

Edited by Hotter Than July, 19 July 2010 - 04:35 PM.

"Snake, you have to use the control panel."

#2 Hotter Than July (Topic Starter)

Posted 20 July 2010 - 05:46 PM

'allo again, Bleeping Computer. I booted up my computer on the Last Known Good Configuration, and everything worked, but on the next startup it bluescreened after the Acer screen (Acer Aspire 3680). I started it up again and everything worked fine. Now the only problem is updating McAfee. I'm assuming that the Administrator account isn't there anymore, because I don't have a choice anymore. I installed the new HJT, and ran GMER, DDS, and HJT again.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-20 17:04:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\kfxdrpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9F1E9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9F1EA61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9F1E978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9F1E98C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9F1EA75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9F1EAA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA9F1EB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA9F1EAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9F1EA0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA9F1EB3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9F1EA4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9F1E950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9F1E964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9F1E9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA9F1EB77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA9F1EAE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA9F1EACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9F1EA8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA9F1EB63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA9F1EB4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9F1E9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9F1E9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9F1EAB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9F1EA39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA9F1EB25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9F1EA20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9F1E9F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP A9F1E9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP A9F1E9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP A9F1EA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP A9F1EA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP A9F1E9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP A9F1E954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP A9F1E968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP A9F1E9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP A9F1E990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP A9F1E97C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP A9F1E9BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP A9F1EA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP A9F1EAD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP A9F1EABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 3 Bytes JMP A9F1EB29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey + 4 80618BE4 3 Bytes [29, 90, 90]
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP A9F1EAE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP A9F1EA8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP A9F1EA65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP A9F1EA79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP A9F1EAA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP A9F1EB13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP A9F1EAFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP A9F1EA51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP A9F1EB7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP A9F1EB53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP A9F1EB67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP A9F1EB3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F4B
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50F66
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50F83
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50F2E
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50076
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50F02
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D5009B
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50EE7
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50F9E
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D50FDE
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50065
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50014
.text C:\WINDOWS\system32\services.exe[496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F1D
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40FB2
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40F8D
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40FC3
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D4004A
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D4002F
.text C:\WINDOWS\system32\services.exe[496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40014
.text C:\WINDOWS\system32\services.exe[496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D3005A
.text C:\WINDOWS\system32\services.exe[496] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30049
.text C:\WINDOWS\system32\services.exe[496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D3002E
.text C:\WINDOWS\system32\services.exe[496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\services.exe[496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FE3
.text C:\WINDOWS\system32\services.exe[496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D3001D
.text C:\WINDOWS\system32\services.exe[496] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F77
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F88
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00AE
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA009D
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00F5
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00DA
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0106
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F66
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\lsass.exe[508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00BF
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90F6F
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90F94
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FA5
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\lsass.exe[508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FB6
.text C:\WINDOWS\system32\lsass.exe[508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\lsass.exe[508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FB2
.text C:\WINDOWS\system32\lsass.exe[508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\lsass.exe[508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B8000C
.text C:\WINDOWS\system32\lsass.exe[508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FCD
.text C:\WINDOWS\system32\lsass.exe[508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\lsass.exe[508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00F74
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00F85
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B0005F
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B0004E
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FB6
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00097
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B0007A
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F19
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00F2A
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B000CD
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B0003D
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00011
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F59
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00FD1
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00022
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B000A8
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FC3
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0039
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0F7C
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AF0F97
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CF, 88]
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0FA8
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0F8B
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0F9C
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE0FC1
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0FE3
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0016
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0FD2
.text C:\WINDOWS\system32\svchost.exe[660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB000A
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB006E
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F79
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F8A
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0047
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0FA5
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB007F
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F37
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00AB
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0F1C
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB0F01
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0F5E
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0FC0
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0090
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0FCD
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0057
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA0014
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0F90
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CA0FA1
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP 50C03388
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0FBC
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C9001E
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90F89
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C90FAB
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90F9A
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90FC6
.text C:\WINDOWS\system32\svchost.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C8000A
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026F0000
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026F0F63
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026F0058
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026F0F8A
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026F0047
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026F0FA5
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026F00AB
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026F008E
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026F00E1
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026F0F48
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026F0F2D
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026F0036
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026F0FE5
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026F007D
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026F0FC0
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026F001B
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026F00C6
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02430FCA
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0243005B
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02430FDB
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02430011
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02430FA8
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02430000
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02430040
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02430FB9
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02420069
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 02420044
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02420022
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02420FEF
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02420033
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02420FDE
.text C:\WINDOWS\System32\svchost.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02400000
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 02410FD4
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02410FEF
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02410016
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02410FC3
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0066007F
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F8A
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660FA5
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660062
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006600BE
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006600AD
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F4A
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600D9
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006600FE
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660051
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660014
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00660090
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00660040
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0066002F
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00660F5B
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650022
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650F91
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650058
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650047
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650FB6
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640040
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!system 77C293C7 5 Bytes JMP 0064002F
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FC6
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FB5
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FD7
.text C:\WINDOWS\system32\svchost.exe[828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0093
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0082
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0071
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0054
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C002F
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F72
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C00AE
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C010B
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00F0
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C011C
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0FA8
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDE
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F83
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FCD
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C001E
.text C:\WINDOWS\system32\svchost.exe[872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00D5
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0036
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F8D
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0025
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F9E
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0FC3
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FA5
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0029
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A003A
.text C:\WINDOWS\system32\svchost.exe[872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A000C
.text C:\WINDOWS\system32\svchost.exe[872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A4002F
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F44
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A4001E
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40F6B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40F8D
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40F1F
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40067
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40EDF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40EF0
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40093
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40F7C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A4004A
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40F9E
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40078
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FCD
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930065
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930054
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930039
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092004C
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FB7
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01420FEF
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0142005D
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0142004C
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0142003B
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01420F72
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01420F94
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01420F21
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01420F32
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014200A9
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01420F06
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014200C4
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01420F83
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01420000
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01420F43
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01420FB9
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01420FCA
.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01420084
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01410FC0
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01410069
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01410FDB
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01410011
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01410058
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01410000
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0141003D
.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0141002C
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FAD
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0038
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0027
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF000C
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FE0000
.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FE0011
.text C:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD0F7C
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD0F8D
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD0067
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD0FA8
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD0036
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD0F50
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD0098
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD0F1A
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD00B3
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AD00C4
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AD0FB9
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AD001B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AD0F61
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AD0F3F
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0062
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0011
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0FA5
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AC0FB6
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CC, 88]
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0047
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0FA6
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FC1
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FE3
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB000C
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB0FD2
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB001D
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kickmatsuda at 16:11:09.92 on Tue 07/20/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.655 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Kickmatsuda\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AirCardEnabler]
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\3g watcher\WaHelper.exe"
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kickma~1\applic~1\mozilla\firefox\profiles\tjcr7pst.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R1 SASDIFSV;SASDIFSV;c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-5-1 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-5-1 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-7-7 358736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-7-7 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-7-7 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-7 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-7 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-7-7 40488]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2006-10-12 20352]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-7-7 34152]
S3 SASENUM;SASENUM;\??\c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\kickma~1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-1-12 102144]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-1-12 70656]

=============== Created Last 30 ================

2010-07-19 16:11:19 0 d-----w- C:\VundoFix Backups
2010-07-13 11:45:22 218 ----a-w- c:\documents and settings\kickmatsuda\.recently-used.xbel
2010-07-08 16:37:29 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-07-07 16:35:19 3115 ----a-w- c:\windows\system32\Config.MPF
2010-07-07 16:24:24 79240 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-07 16:24:24 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-07-07 16:24:24 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-07 16:24:17 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-07 16:23:00 0 d-----w- c:\program files\common files\McAfee
2010-07-07 16:22:56 0 d-----w- c:\program files\McAfee.com
2010-07-07 16:22:28 0 d-----w- c:\program files\McAfee
2010-07-07 16:21:41 34152 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-07-07 02:22:37 0 d-----w- c:\windows\SxsCaPendDel
2010-07-06 17:50:27 0 d-----w- c:\program files\Microsoft Virtual PC

==================== Find3M ====================

2010-06-14 23:11:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\_004661_.tmp.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:11:58.54 ===============

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:42:09 PM, on 7/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 3341 bytes

"Snake, you have to use the control panel."

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:12:30 PM

Posted 25 July 2010 - 01:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

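The /md5start ... /md5stop block in the custom scan above asks OTL to report the hash of each listed boot-critical driver, so that a driver which has been modified on disk (or is missing from the expected location, as several "File not found" entries in these logs show) can be checked against a known-good value. The script below is an added example illustrating that check; it is not OTL's own code and does not read a real Windows installation. It builds a constructed temporary directory standing in for %systemroot%\system32\drivers, records a baseline of hashes, then simulates one driver being altered afterwards and one being absent, and classifies every driver in the list as unchanged, modified or missing. The driver names are taken from the post; the baseline values and file contents are constructed for the demonstration.

```python
"""Baseline-hash check for boot-critical drivers (added example, not OTL's code)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# A subset of the driver names from the OTL custom-scan list above.
DRIVER_NAMES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def file_md5(path: str) -> str:
    """Hash a file in chunks; MD5 is used because that is what OTL reports."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(drivers_dir: str, names: List[str],
                  baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each driver as 'ok', 'modified' or 'missing' relative to the baseline."""
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for name in names:
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            result["missing"].append(name)      # the "File not found" case
            continue
        if baseline.get(name) == file_md5(path):
            result["ok"].append(name)
        else:
            result["modified"].append(name)     # on-disk bytes differ from baseline
    return result


def build_sample_drivers_dir() -> Tuple[str, Dict[str, str]]:
    """Constructed sample: a temp dir standing in for the drivers folder, plus a
    baseline taken while the files were in their known-good state."""
    d = tempfile.mkdtemp(prefix="drivers_")
    contents = {
        "atapi.sys": b"GOOD atapi image (constructed)",
        "iaStor.sys": b"GOOD iaStor image (constructed)",
        "nvstor.sys": b"GOOD nvstor image (constructed)",
        # AGP440.sys is deliberately not written, to exercise the 'missing' path.
    }
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    baseline = {name: hashlib.md5(data).hexdigest() for name, data in contents.items()}

    # Simulate atapi.sys being altered on disk after the baseline was recorded.
    with open(os.path.join(d, "atapi.sys"), "ab") as fh:
        fh.write(b" + extra bytes (constructed change)")
    return d, baseline


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed sample and return the classification."""
    d, baseline = build_sample_drivers_dir()
    return check_drivers(d, DRIVER_NAMES, baseline)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

On a real machine the baseline would come from a trusted source (installation media or a vendor hash list) rather than from the same disk being checked, and a SHA-256 baseline is preferable to MD5 when the comparison is meant to resist deliberate tampering; with hashlib that is a one-word change in file_md5.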


#4 Hotter Than July

Hotter Than July
  • Topic Starter

  • Members
  • 102 posts
  • Gender:Female
  • Location:Louisiana
  • Local time:05:30 AM

Posted 25 July 2010 - 05:03 PM

I ran OTL, but yesterday I ran System Restore to get McAfee and Virtual PC running again (McAfee wouldn't install). I have another topic for a problem I'm still having, and when I tried installing a program, it told me I had no sound card installed. Here's OTL.txt:

OTL logfile created on: 7/25/2010 4:44:08 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Kickmatsuda\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 698.00 Mb Available Physical Memory | 69.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 59.61 Gb Free Space | 79.99% Space Free | Partition Type: NTFS
Drive D: | 378.51 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 3.74 Gb Total Space | 3.43 Gb Free Space | 91.82% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: KICKMATS-8884F5
Current User Name: Kickmatsuda
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/07/11 18:48:54 | 000,641,208 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/06/21 12:39:08 | 000,792,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/16 14:47:56 | 000,095,776 | ---- | M] (Sierra Wireless Inc.) -- C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
PRC - [2006/07/19 09:41:00 | 000,053,248 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
PRC - [2005/04/25 13:45:42 | 000,036,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE


========== Modules (SafeList) ==========

MOD - [2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2008/07/18 08:02:52 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/07/09 17:36:30 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2008/07/09 15:30:34 | 000,315,264 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\WINDOWS\Temp\0121651280006840mcinst.exe -- (0121651280006840mcinstcleanup) McAfee Application Installer Cleanup (0121651280006840)
SRV - [2008/07/09 14:49:10 | 000,358,736 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2008/07/09 14:35:34 | 000,025,416 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2008/06/21 12:39:08 | 000,792,184 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2008/06/20 13:10:22 | 000,361,800 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2008/06/20 05:41:04 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2008/06/20 05:01:18 | 000,605,512 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\swumx20.sys -- (SWUMX20) Sierra Wireless USB MUX Driver (UMTS20)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys -- (SASKUTIL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS -- (SASENUM)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS -- (SASDIFSV)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus)
DRV - [2008/06/27 06:08:40 | 000,207,656 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/06/27 06:08:40 | 000,079,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/06/27 06:08:40 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2008/06/27 06:08:40 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/06/20 05:41:38 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/06/02 14:55:42 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/02/12 03:42:38 | 000,232,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2008/02/05 01:50:44 | 000,059,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2007/01/12 13:26:42 | 000,102,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swnc8u12.sys -- (SWNC8U12) Sierra Wireless MUX NDIS Driver (UMTS12)
DRV - [2007/01/12 10:29:32 | 000,070,656 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swumx12.sys -- (swumx12) Sierra Wireless USB MUX Driver (UMTS12)
DRV - [2006/10/12 09:49:28 | 000,020,352 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swivspnt.sys -- (swivsp)
DRV - [2006/07/19 09:42:00 | 004,304,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/15 17:37:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/14 18:53:54 | 000,000,000 | ---D | M]

[2010/06/15 17:37:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kickmatsuda\Application Data\Mozilla\Extensions
[2010/06/15 17:37:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kickmatsuda\Application Data\Mozilla\Firefox\Profiles\tjcr7pst.default\extensions
[2010/06/14 18:53:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/24 15:36:03 | 000,414,692 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 14320 more lines...
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O4 - HKLM..\Run: [AirCardEnabler] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WatcherHelper] C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe (Sierra Wireless Inc.)
O4 - HKU\S-1-5-21-1409082233-1425521274-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-1425521274-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.117.214.10 199.2.252.10
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/14 18:15:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1996/06/18 03:49:34 | 000,000,147 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{27932441-77d8-11df-8719-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{27932441-77d8-11df-8719-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{27932441-77d8-11df-8719-806d6172696f}\Shell\AutoRun\command - "" = D:\MSBDinos\stpauto.exe @stpstub.ini -- File not found
O33 - MountPoints2\{27932441-77d8-11df-8719-806d6172696f}\Shell\help\command - "" = winhelp msbdinos.hlp
O33 - MountPoints2\{9ebfe77e-780e-11df-9b02-848533310611}\Shell - "" = AutoRun
O33 - MountPoints2\{9ebfe77e-780e-11df-9b02-848533310611}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9ebfe77e-780e-11df-9b02-848533310611}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2007/10/23 02:45:39 | 001,336,632 | R--- | M] ()
O33 - MountPoints2\{cfcd53e4-85fa-11df-9b12-8e82d9840a17}\Shell - "" = AutoRun
O33 - MountPoints2\{cfcd53e4-85fa-11df-9b12-8e82d9840a17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cfcd53e4-85fa-11df-9b12-8e82d9840a17}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\MSBDinos\stpauto.exe @stpstub.ini -- File not found
O33 - MountPoints2\D\Shell\help\command - "" = winhelp msbdinos.hlp
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2007/10/23 02:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {29E7D24F-BF30-45E7-8A40-AD27AFD8F5C6} - Microsoft .NET Framework 1.0 Hotfix (KB979904)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/07/25 16:41:44 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
[2010/07/24 17:44:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2010/07/24 17:44:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\PCHealth
[2010/07/24 17:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010/07/24 17:41:45 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/07/24 17:39:14 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2010/07/24 17:39:13 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/07/24 17:39:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/07/24 17:39:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Virtual PC
[2010/07/24 17:37:54 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/07/24 17:36:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood(2)
[2010/07/24 17:36:32 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2010/07/24 17:36:32 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2010/07/24 17:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/07/24 15:47:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\My Virtual Machines
[2010/07/24 15:25:24 | 000,209,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll
[2010/07/24 14:57:22 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/07/24 14:56:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/07/24 14:29:40 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/24 13:48:33 | 002,918,856 | ---- | C] (COMODO) -- C:\Documents and Settings\Kickmatsuda\My Documents\cfw_installer.exe
[2010/07/24 13:48:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\Downloads
[2010/07/24 09:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\Application Data\McAfee
[2010/07/23 23:13:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee(2)
[2010/07/23 23:13:43 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee(2).com
[2010/07/23 22:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\InstallShield Installation Information(2)
[2010/07/22 13:50:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/07/21 14:33:19 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/21 13:30:48 | 000,176,128 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrsky.lrc
[2010/07/21 13:30:48 | 000,172,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrslv.lrc
[2010/07/21 13:16:03 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager(2)
[2010/07/15 18:30:49 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/07/13 05:42:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\Identities
[2010/07/12 19:29:51 | 001,704,744 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\Kickmatsuda\My Documents\SkypeSetup.exe
[2010/07/09 15:57:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\My Videos
[2010/07/08 11:37:29 | 000,512,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll
[2010/07/07 11:24:24 | 000,079,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/07/07 11:24:24 | 000,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/07/07 11:24:24 | 000,035,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/07/07 11:24:17 | 000,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/07/07 11:22:28 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/07/07 11:21:41 | 000,034,152 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2010/07/07 11:20:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/07/06 21:22:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[252 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/25 16:40:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
[2010/07/24 17:50:29 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\ntuser.dat
[2010/07/24 17:50:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Kickmatsuda\ntuser.ini
[2010/07/24 17:50:26 | 002,695,050 | -H-- | M] () -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\IconCache.db
[2010/07/24 17:46:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/24 16:49:18 | 000,004,585 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/07/24 16:49:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/24 16:25:58 | 000,449,424 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/24 16:25:58 | 000,388,574 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/24 16:25:58 | 000,056,868 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/24 15:36:03 | 000,414,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/24 15:27:39 | 000,002,459 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\HiJackThis.lnk
[2010/07/24 13:55:09 | 002,918,856 | ---- | M] (COMODO) -- C:\Documents and Settings\Kickmatsuda\My Documents\cfw_installer.exe
[2010/07/24 13:41:20 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/24 09:46:20 | 003,048,960 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\My Documents\mvt_en-us.msi
[2010/07/23 23:14:10 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/07/23 23:14:08 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/07/22 13:59:08 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/22 09:02:58 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\gmer.zip
[2010/07/21 09:44:02 | 000,414,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100724-153603.backup
[2010/07/19 13:06:30 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\My Documents\HiJackThis.msi
[2010/07/19 11:52:30 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\dds.scr
[2010/07/15 19:19:10 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/14 16:49:20 | 000,411,890 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100721-094402.backup
[2010/07/14 16:41:32 | 000,014,664 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/13 06:45:22 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\.recently-used.xbel
[2010/07/12 20:38:19 | 000,411,890 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100714-164920.backup
[2010/07/12 19:45:54 | 001,704,744 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Kickmatsuda\My Documents\SkypeSetup.exe
[2010/07/06 16:38:16 | 000,408,427 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100712-203819.backup
[2010/07/06 12:50:34 | 000,001,630 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\Microsoft Virtual PC.lnk
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[252 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/24 09:46:20 | 003,048,960 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\My Documents\mvt_en-us.msi
[2010/07/23 23:14:10 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/07/23 23:14:08 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/07/23 23:09:24 | 000,004,585 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2010/07/22 09:05:03 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\gmer.zip
[2010/07/21 13:16:06 | 000,000,822 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\Security Task Manager.lnk
[2010/07/20 21:58:49 | 006,815,744 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\ntuser.dat
[2010/07/19 13:20:14 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\My Documents\HiJackThis.msi
[2010/07/19 11:59:27 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\gmer.exe
[2010/07/19 11:55:56 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\dds.scr
[2010/07/13 06:45:22 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\.recently-used.xbel
[2010/07/12 17:04:33 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2010/07/09 15:57:35 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/06 12:50:34 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\Microsoft Virtual PC.lnk
[2010/06/14 18:58:27 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/10 06:00:00 | 000,249,270 | ---- | C] () -- C:\WINDOWS\System32\_004701_.tmp.dll
[2004/08/10 06:00:00 | 000,022,040 | ---- | C] () -- C:\WINDOWS\System32\_004669_.tmp.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/10 06:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/06/17 18:59:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/06/17 18:59:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 06:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/06/17 18:59:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/06/17 18:59:11 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/10 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/05/11 11:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
[2004/08/10 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/03/16 19:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: NVRAID.SYS >
[2006/03/16 19:51:38 | 000,081,536 | ---- | M] (NVIDIA Corporation) MD5=4BC863E8FB65EBCFDDE04822CF875E76 -- C:\WINDOWS\dell\nvraid\nvraid.sys

< MD5 for: SCECLI.DLL >
[2004/08/10 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2005/11/17 13:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\WINDOWS\dell\symmpi\symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[252 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/06/14 12:58:55 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/06/14 12:58:55 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/06/14 12:58:55 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
< End of report >

and Extras.txt:

OTL Extras logfile created on: 7/25/2010 4:44:08 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Kickmatsuda\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 698.00 Mb Available Physical Memory | 69.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 59.61 Gb Free Space | 79.99% Space Free | Partition Type: NTFS
Drive D: | 378.51 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 3.74 Gb Total Space | 3.43 Gb Free Space | 91.82% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: KICKMATS-8884F5
Current User Name: Kickmatsuda
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_USERS\S-1-5-21-1409082233-1425521274-839522115-1003\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"" =
"C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe" = C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe:*:Enabled:SwiApiMux -- (Sierra Wireless, Inc.)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22BAA100-F022-483C-80E4-EBAB5A767B20}" = Sierra Wireless 3G Watcher
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{AD483998-2E9A-4405-83FF-6E503AF49CBB}" = Microsoft Virtual PC 2007 SP1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee SecurityCenter
"Security Task Manager" = Security Task Manager 1.7h
"VLC media player" = VLC media player 1.0.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/24/2010 11:35:27 AM | Computer Name = KICKMATS-8884F5 | Source = NativeWrapper | ID = 5000
Description =

Error - 7/24/2010 2:24:32 PM | Computer Name = KICKMATS-8884F5 | Source = McLogEvent | ID = 5046
Description = The McShield scanning service cannot find any configuration in the
registry

Error - 7/24/2010 2:42:50 PM | Computer Name = KICKMATS-8884F5 | Source = McLogEvent | ID = 5046
Description = The McShield scanning service cannot find any configuration in the
registry

Error - 7/24/2010 2:56:04 PM | Computer Name = KICKMATS-8884F5 | Source = NativeWrapper | ID = 5000
Description =

Error - 7/24/2010 3:09:19 PM | Computer Name = KICKMATS-8884F5 | Source = McLogEvent | ID = 5046
Description = The McShield scanning service cannot find any configuration in the
registry

Error - 7/24/2010 3:13:23 PM | Computer Name = KICKMATS-8884F5 | Source = McLogEvent | ID = 5046
Description = The McShield scanning service cannot find any configuration in the
registry

Error - 7/24/2010 4:02:08 PM | Computer Name = KICKMATS-8884F5 | Source = NativeWrapper | ID = 5000
Description =

Error - 7/24/2010 5:37:51 PM | Computer Name = KICKMATS-8884F5 | Source = NativeWrapper | ID = 5000
Description =

Error - 7/25/2010 5:45:02 PM | Computer Name = KICKMATS-8884F5 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/25/2010 5:45:02 PM | Computer Name = KICKMATS-8884F5 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

[ System Events ]
Error - 7/25/2010 5:41:01 PM | Computer Name = KICKMATS-8884F5 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 7/25/2010 5:41:01 PM | Computer Name = KICKMATS-8884F5 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Sierra Wireless
Inc\3G Watcher\MFC80U.DLL. Reference error message: The operation completed successfully.
.

Error - 7/25/2010 5:41:05 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 7/25/2010 5:41:05 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 7/25/2010 5:41:19 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/25/2010 5:42:13 PM | Computer Name = KICKMATS-8884F5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 7/25/2010 5:42:53 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 7/25/2010 5:43:00 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 7/25/2010 5:45:02 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/25/2010 5:45:02 PM | Computer Name = KICKMATS-8884F5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

"Snake, you have to use the control panel."

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 26 July 2010 - 02:43 AM

Hi,

Please only have one topic per PC; if you follow multiple sets of advice at the same time, this will only create a lot of confusion.

The antivirus programs and sound are items that traditionally aren't loaded in Safe Mode, so as a first step we need to address this issue.
  • Download & extract this file to its own folder: Registry Search
  • Launch Registry Search
  • In the search box, enter (on separate lines)
    CODE
    OptionValue
    SAFEBOOT_OPTION
  • Under "Search", make sure only the "Value" box is checked in the first row of checkboxes.
    All other checkboxes should be checked as well.
  • Click "Ok"
  • Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.

regards myrti

Edited by myrti, 26 July 2010 - 02:45 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

#6 Hotter Than July

Hotter Than July
  • Topic Starter

  • Members
  • 102 posts
  • Gender:Female
  • Location:Louisiana

Posted 26 July 2010 - 08:11 AM

I ran it with no problem; here's the log:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 7/26/2010 8:02:45 AM for strings:
; 'optionvalue'
; 'safeboot_option'
; Strings excluded from search:
; (None)
; Search in:
; Registry Values
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="MINIMAL"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="MINIMAL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="MINIMAL"

; End Of The Log...

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 26 July 2010 - 08:55 AM

Hi,

This should fix the safeboot issue:
  • Please follow steps 1-3 behind this link to back up your registry with ERUNT (use the current date when naming the location).
  • Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.

    CODE
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
    "SAFEBOOT_OPTION"=-

  • It should look like this ->
  • Double-click fix.reg; when a window pops up and asks if this information should be merged, press Yes and OK.
Reboot and post a fresh set of logs from RSIT.
Please tell me how your PC is doing after the reboot.

I have a couple of further remarks:
  • First of all, please do not deactivate System Restore. Restore points can be very useful if something goes wrong.
    Combofix itself tries to set a System Restore point the first time it is run, as do many of the other powerful tools.
  • The process that is eating up your CPU is a legitimate file from HP; it might be annoying, but it is not dangerous. We will try and see what is causing this problem after getting your PC back into normal mode.
  • Please try to use the F8 method when booting into Safe Mode.
    If your Safe Mode got corrupted and you modify the boot.ini with msconfig to boot into it, you will be stuck in an endless reboot loop where Windows tries to force the boot into Safe Mode.
    If you used F8, Windows will try to boot into Safe Mode once, fail, and afterwards boot into normal mode again, giving you the possibility to troubleshoot the problem.
regards myrti

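The Registry Search result in post #6 and the fix.reg in post #7 together show what a registry-forced Safe Mode looks like and how it is undone: a `SafeBoot\Option\OptionValue` DWORD plus a `SAFEBOOT_OPTION` environment string in each control set, both of which Windows normally writes only during an actual safe boot. The script below is an added example, not code from the thread or from OTL or Registry Search. It parses a `.reg` export of the kind Registry Search produced (the sample embedded in it is constructed from the values posted above), flags those two markers in every control set it finds, and writes out REGEDIT4 text in the same shape as myrti's fix.reg. The function names are my own; the meanings of `OptionValue` 1 (minimal) and 2 (networking) are the standard Windows ones, and the thread's log shows 1 paired with `SAFEBOOT_OPTION=MINIMAL`. The script only produces text; merging it into the registry stays a manual step, which is why the ERUNT backup in the post still comes first.

```python
import re

# Constructed sample in the shape of the Registry Search export posted in the
# thread (values copied from that log; this is not a live registry read).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Results for strings: 'optionvalue' 'safeboot_option'

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="MINIMAL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="MINIMAL"
"""

SECTION_RE = re.compile(r'^\[([^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Standard Windows meanings of SafeBoot Option OptionValue; the thread's log
# shows 1 paired with SAFEBOOT_OPTION=MINIMAL.
OPTION_VALUE_NAMES = {1: "MINIMAL", 2: "NETWORK"}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}.

    Comments (';'), the editor banner and blank lines are skipped. Only the
    simple one-line values Registry Search emits are handled.
    """
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_dword(raw):
    """'dword:00000001' -> 1 (the .reg format stores DWORDs as hex)."""
    if not raw.lower().startswith('dword:'):
        raise ValueError(f'not a dword: {raw}')
    return int(raw[len('dword:'):], 16)


def find_safeboot_markers(keys):
    """Return (key_path, value_name, decoded_value) for every control set that
    carries a forced-Safe-Mode marker. Both markers are normally written only
    during an actual F8 safe boot, so finding them in a normal boot is the
    condition the thread's fix removes."""
    hits = []
    for path, values in keys.items():
        lower = path.lower()
        names = {n.lower(): n for n in values}  # registry value names are case-insensitive
        if lower.endswith(r'\control\safeboot\option') and 'optionvalue' in names:
            hits.append((path, 'OptionValue', decode_dword(values[names['optionvalue']])))
        if lower.endswith(r'\control\session manager\environment') and 'safeboot_option' in names:
            hits.append((path, 'SAFEBOOT_OPTION', values[names['safeboot_option']].strip('"')))
    return hits


def build_fix_reg(hits):
    """Emit REGEDIT4 text in the same shape as the thread's fix.reg:
    '[-key]' deletes the whole SafeBoot Option key, '"name"=-' deletes the
    environment value. Nothing is merged here; the output is only text."""
    lines = ['REGEDIT4', '']
    for path, name, _value in hits:
        if name == 'OptionValue':
            lines += [f'[-{path}]', '']
        else:
            lines += [f'[{path}]', f'"{name}"=-', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    found = find_safeboot_markers(parse_reg(SAMPLE_REG))
    for path, name, value in found:
        label = OPTION_VALUE_NAMES.get(value, value) if name == 'OptionValue' else value
        print(f'{name:15} = {label:8} in {path}')
    print()
    print(build_fix_reg(found))
```

Run against the sample it reports all four markers and emits a deletion for each control set in which they were found; the thread's fix.reg touched only `CurrentControlSet`, which is a link to the active `ControlSet00N`, so the generated text goes a little further than the posted one by also covering the numbered control sets the search reported.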


#8 Hotter Than July

Hotter Than July
  • Topic Starter

  • Members
  • 102 posts
  • Gender:Female
  • Location:Louisiana

Posted 26 July 2010 - 01:14 PM

Thank you for helping me this far. The passworded Administrator is gone, and McAfee is working just fine again; it just needs to be updated. For some reason it doesn't want to Stand By. Also, when I boot into Safe Mode, Administrator still has a password. I have a new process running (in Process Explorer, it's DWTRIG20.EXE; Watson Subscriber for SENS Network Notifications). It had a process under it for a little while (I think it was DWT20.EXE). Sorry to slow this process down a bit, but just to be clear, what am I supposed to be running?

Edited by Hotter Than July, 26 July 2010 - 03:22 PM.


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 26 July 2010 - 04:26 PM

Hi,

Sorry, I must have mistaken the thread. I thought you had a file using up most of your CPU. Please ignore that comment.

The new process you mention belongs to Microsoft and is, for example, used by Windows Live. Do you use this program?

Please post new logs from OTL.

regards myrti



#10 Hotter Than July

Hotter Than July
  • Topic Starter

  • Members
  • 102 posts
  • Gender:Female
  • Location:Louisiana

Posted 26 July 2010 - 04:58 PM

Ok that explains a lot.

I don't use Windows Live, but I had Pidgin a while ago, and I uninstalled it because it installed other things with it that I didn't use.

I ran OTL with no problem, but it didn't make an Extras.txt file. Here's OTL.txt:

OTL logfile created on: 7/26/2010 4:39:56 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Kickmatsuda\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 611.00 Mb Available Physical Memory | 60.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 60.02 Gb Free Space | 80.54% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 3.74 Gb Total Space | 3.15 Gb Free Space | 84.30% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: KICKMATS-8884F5
Current User Name: Kickmatsuda
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/07/18 08:02:52 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/07/11 18:48:54 | 000,641,208 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/07/09 17:36:30 | 000,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2008/07/09 14:49:10 | 000,358,736 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2008/07/09 14:35:34 | 000,025,416 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2008/06/21 12:39:08 | 000,792,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/06/20 05:41:04 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/16 14:47:56 | 000,095,776 | ---- | M] (Sierra Wireless Inc.) -- C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
PRC - [2006/07/19 09:41:00 | 000,053,248 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
PRC - [2005/04/25 13:45:42 | 000,036,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE


========== Modules (SafeList) ==========

MOD - [2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2008/07/18 08:02:52 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/07/09 17:36:30 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2008/07/09 14:49:10 | 000,358,736 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2008/07/09 14:35:34 | 000,025,416 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2008/06/21 12:39:08 | 000,792,184 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2008/06/20 13:10:22 | 000,361,800 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2008/06/20 05:41:04 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2008/06/20 05:01:18 | 000,605,512 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\swumx20.sys -- (SWUMX20) Sierra Wireless USB MUX Driver (UMTS20)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys -- (SASKUTIL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS -- (SASENUM)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS -- (SASDIFSV)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus)
DRV - [2008/06/27 06:08:40 | 000,207,656 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/06/27 06:08:40 | 000,079,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/06/27 06:08:40 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2008/06/27 06:08:40 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/06/20 05:41:38 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/06/02 14:55:42 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/02/12 03:42:38 | 000,232,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2008/02/05 01:50:44 | 000,059,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2007/01/12 13:26:42 | 000,102,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swnc8u12.sys -- (SWNC8U12) Sierra Wireless MUX NDIS Driver (UMTS12)
DRV - [2007/01/12 10:29:32 | 000,070,656 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swumx12.sys -- (swumx12) Sierra Wireless USB MUX Driver (UMTS12)
DRV - [2006/10/12 09:49:28 | 000,020,352 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swivspnt.sys -- (swivsp)
DRV - [2006/07/19 09:42:00 | 004,304,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/15 17:37:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/14 18:53:54 | 000,000,000 | ---D | M]

[2010/06/15 17:37:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kickmatsuda\Application Data\Mozilla\Extensions
[2010/06/15 17:37:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kickmatsuda\Application Data\Mozilla\Firefox\Profiles\tjcr7pst.default\extensions
[2010/06/14 18:53:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/24 15:36:03 | 000,414,692 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 14320 more lines...
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O4 - HKLM..\Run: [AirCardEnabler] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WatcherHelper] C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe (Sierra Wireless Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.117.214.10 199.2.252.10
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/14 18:15:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{cfcd53e4-85fa-11df-9b12-8e82d9840a17}\Shell - "" = AutoRun
O33 - MountPoints2\{cfcd53e4-85fa-11df-9b12-8e82d9840a17}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cfcd53e4-85fa-11df-9b12-8e82d9840a17}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\MSBDinos\stpauto.exe @stpstub.ini -- File not found
O33 - MountPoints2\D\Shell\help\command - "" = winhelp msbdinos.hlp
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2007/10/23 02:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/26 12:48:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/26 12:47:50 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/26 12:47:12 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Kickmatsuda\My Documents\erunt-setup.exe
[2010/07/26 08:00:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\BC
[2010/07/25 16:41:44 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
[2010/07/24 17:44:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\PCHealth
[2010/07/24 17:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010/07/24 17:41:45 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/07/24 17:39:14 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2010/07/24 17:39:13 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/07/24 17:39:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/07/24 17:39:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Virtual PC
[2010/07/24 17:37:54 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/07/24 17:36:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood(2)
[2010/07/24 17:36:32 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2010/07/24 17:36:32 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2010/07/24 17:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/07/24 15:47:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\My Virtual Machines
[2010/07/24 15:25:24 | 000,209,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll
[2010/07/24 14:57:22 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/07/24 14:56:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/07/24 14:29:40 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/24 13:48:33 | 002,918,856 | ---- | C] (COMODO) -- C:\Documents and Settings\Kickmatsuda\My Documents\cfw_installer.exe
[2010/07/24 13:48:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\Downloads
[2010/07/24 09:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\Application Data\McAfee
[2010/07/23 23:13:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee(2)
[2010/07/23 23:13:43 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee(2).com
[2010/07/23 22:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\InstallShield Installation Information(2)
[2010/07/22 13:50:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/07/21 14:33:19 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/21 13:30:48 | 000,176,128 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrsky.lrc
[2010/07/21 13:30:48 | 000,172,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrslv.lrc
[2010/07/21 13:16:03 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager(2)
[2010/07/15 18:30:49 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/07/13 05:42:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\Identities
[2010/07/12 19:29:51 | 001,704,744 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\Kickmatsuda\My Documents\SkypeSetup.exe
[2010/07/09 15:57:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Kickmatsuda\My Documents\My Videos
[2010/07/08 11:37:29 | 000,512,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll
[2010/07/07 11:24:24 | 000,079,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/07/07 11:24:24 | 000,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/07/07 11:24:24 | 000,035,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/07/07 11:24:17 | 000,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/07/07 11:22:28 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/07/07 11:21:41 | 000,034,152 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2010/07/07 11:20:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/07/06 21:22:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[252 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/26 16:39:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/26 16:39:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/26 16:07:21 | 000,004,585 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/07/26 16:07:19 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\ntuser.dat
[2010/07/26 16:07:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Kickmatsuda\ntuser.ini
[2010/07/26 15:25:33 | 003,225,010 | -H-- | M] () -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\IconCache.db
[2010/07/26 15:19:07 | 000,449,424 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/26 15:19:07 | 000,388,574 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/26 15:19:07 | 000,056,868 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/26 12:53:04 | 000,000,188 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\fix.reg
[2010/07/26 12:47:50 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\ERUNT.lnk
[2010/07/26 12:45:14 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Kickmatsuda\My Documents\erunt-setup.exe
[2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
[2010/07/24 17:46:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/24 15:36:03 | 000,414,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/24 15:27:39 | 000,002,459 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\HiJackThis.lnk
[2010/07/24 13:55:09 | 002,918,856 | ---- | M] (COMODO) -- C:\Documents and Settings\Kickmatsuda\My Documents\cfw_installer.exe
[2010/07/24 13:41:20 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/24 09:46:20 | 003,048,960 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\My Documents\mvt_en-us.msi
[2010/07/23 23:14:10 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/07/23 23:14:08 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/07/22 13:59:08 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/22 09:02:58 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\gmer.zip
[2010/07/21 09:44:02 | 000,414,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100724-153603.backup
[2010/07/19 13:06:30 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\My Documents\HiJackThis.msi
[2010/07/19 11:52:30 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\dds.scr
[2010/07/15 19:19:10 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/14 16:49:20 | 000,411,890 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100721-094402.backup
[2010/07/14 16:41:32 | 000,014,664 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/13 06:45:22 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\.recently-used.xbel
[2010/07/12 20:38:19 | 000,411,890 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100714-164920.backup
[2010/07/12 19:45:54 | 001,704,744 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Kickmatsuda\My Documents\SkypeSetup.exe
[2010/07/06 16:38:16 | 000,408,427 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100712-203819.backup
[2010/07/06 12:50:34 | 000,001,630 | ---- | M] () -- C:\Documents and Settings\Kickmatsuda\Desktop\Microsoft Virtual PC.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[252 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/26 12:54:03 | 000,000,188 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\fix.reg
[2010/07/26 12:47:50 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\ERUNT.lnk
[2010/07/24 09:46:20 | 003,048,960 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\My Documents\mvt_en-us.msi
[2010/07/23 23:14:10 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/07/23 23:14:08 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/07/23 23:09:24 | 000,004,585 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2010/07/22 09:05:03 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\gmer.zip
[2010/07/21 13:16:06 | 000,000,822 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\Security Task Manager.lnk
[2010/07/20 21:58:49 | 006,815,744 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\ntuser.dat
[2010/07/19 13:20:14 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\My Documents\HiJackThis.msi
[2010/07/19 11:59:27 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\gmer.exe
[2010/07/19 11:55:56 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\dds.scr
[2010/07/13 06:45:22 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\.recently-used.xbel
[2010/07/12 17:04:33 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2010/07/09 15:57:35 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/06 12:50:34 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\Kickmatsuda\Desktop\Microsoft Virtual PC.lnk
[2010/06/14 18:58:27 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/10 06:00:00 | 000,249,270 | ---- | C] () -- C:\WINDOWS\System32\_004701_.tmp.dll
[2004/08/10 06:00:00 | 000,022,040 | ---- | C] () -- C:\WINDOWS\System32\_004669_.tmp.dll
< End of report >

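The OTL log above is what the helper reads by hand: boot and logon entries whose file is missing on disk, and executables for which OTL prints an empty publisher "()", are the ones that get a second look. As an added example (not part of the original thread, and not OTL's own code), this Python script applies those two triage rules to a handful of lines copied from the OTL.txt posted above; the sample block is constructed from that log, and the rule set is a simplification of what a log reader does by eye.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few entries copied from the OTL.txt posted in this thread.
SAMPLE_LOG = r"""
PRC - [2010/07/25 16:39:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kickmatsuda\Desktop\OTL.exe
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2008/06/20 05:41:04 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\KICKMA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys -- (SASKUTIL)
O4 - HKLM..\Run: [AirCardEnabler] File not found
O4 - HKLM..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
"""

# OTL section prefixes that describe code loaded at boot/logon: processes, modules,
# services, drivers, BHOs, Run keys, Winlogon notify packages, drive autorun handlers.
WATCHED = {"PRC", "MOD", "SRV", "DRV", "O2", "O4", "O20", "O33"}

MISSING = "file not found on disk"
NO_PUBLISHER = "no publisher name in version info"

# "[date | size | attrs | M] (Company)" as OTL prints it on PRC/MOD/SRV/DRV lines.
FILE_META_RE = re.compile(r"\[\d{4}/\d\d/\d\d [^\]]*\]\s*\(([^()]*)\)")
# Trailing "(Company)" on O2/O4 lines; "()" means OTL found no CompanyName string.
TRAILING_CO_RE = re.compile(r"\(([^()]*)\)\s*$")
# First drive-letter path on the line, stopping before " (", " -- " or end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^()\[\]]*?(?= \(| -- |\s*$)")
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")


@dataclass
class Finding:
    kind: str     # OTL prefix, e.g. "SRV" or "O4"
    target: str   # file path, or the entry name when OTL could not resolve a path
    reason: str   # MISSING or NO_PUBLISHER


def company_of(kind: str, line: str) -> Optional[str]:
    """Publisher string OTL printed: '' if it printed '()', None if the line has none."""
    m = FILE_META_RE.search(line)
    if m:
        return m.group(1).strip()
    if kind in ("O2", "O4"):
        m = TRAILING_CO_RE.search(line)
        if m:
            return m.group(1).strip()
    return None


def target_of(kind: str, line: str, rest: str) -> str:
    """Best identifier for what the entry points at."""
    m = PATH_RE.search(line)
    if m:
        return m.group(0)
    if kind == "O4":
        m = RUN_NAME_RE.search(rest)
        if m:
            return m.group(1)
    # Fall back to the entry text minus OTL's status suffix.
    return re.sub(r"\s*-?\s*File not found\s*$", "", rest)


def triage(log_text: str) -> List[Finding]:
    """Apply the two checks to every watched OTL line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind, rest = line.split(" - ", 1)
        if kind not in WATCHED:
            continue
        if "File not found" in line:
            # A boot/logon entry pointing at a missing file: a leftover from an
            # uninstall, or an entry something created and later deleted. Dangling either way.
            findings.append(Finding(kind, target_of(kind, line, rest), MISSING))
        elif company_of(kind, line) == "":
            # "()" means the PE carries no CompanyName. Legitimate files can lack it too
            # (the McAfee Phishing Filter BHO above shows "()"), so this prompts a look, not a verdict.
            findings.append(Finding(kind, target_of(kind, line, rest), NO_PUBLISHER))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason:36} {f.target}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample block the script flags six entries: five dangling references and one file with no publisher string, which is the same short list a helper would pull out of the full log by eye.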

#11 myrti


Posted 26 July 2010 - 05:19 PM

Hi,

This is looking good. To make sure nothing was overlooked, please run a scan with Malwarebytes and ESET:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD, and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#12 Hotter Than July


Posted 27 July 2010 - 06:19 PM

Sorry I took longer this time; I've been having issues with the internet on my laptop. I couldn't run ESET Online Scanner, since every time I downloaded the virus definitions it came up saying "Unknown Error 2002".
Here's the MBAM log (I did remove them):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4359

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2180

7/27/2010 3:42:54 PM
mbam-log-2010-07-27 (15-42-54).txt

Scan type: Quick scan
Objects scanned: 122499
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 myrti


Posted 28 July 2010 - 01:32 AM

Hi,

Please try to run Kaspersky instead:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards myrti



#14 Hotter Than July


Posted 28 July 2010 - 07:42 PM

I tried running Kaspersky, but it can't download properly because it keeps getting interrupted, and my internet is too slow.

#15 myrti


Posted 29 July 2010 - 01:06 AM

Hi,

Then please run a full scan with your installed antivirus program.

regards myrti





