google redirects


This topic is locked
16 replies to this topic

#1 ali_infected

Posted 17 August 2010 - 05:54 PM

OK, let's try again, GMER crashed my computer twice...

Hi,
First I want to say I LOVE BleepingComputer, what you do is really great and I'm very grateful. Normally I just use the tutorials but this time I'm stuck.

This all started in the last 2 days.

First I had the 'security suite' virus but used a tutorial to remove it and that worked; at the end it said run tdds in case of google redirects, which I did. It found 3 problems and after they were removed the problems started.

Now whenever I use a search engine I'm redirected to other websites; if I copy the link it works fine. This problem only surfaces the second time I load up my browser. If I log off and on again it works; if I close the browser and reopen it, it starts. As I type, google is NOT redirecting; if I closed the browser and reopened it, it would. I can repeat the logs with the problem enabled if it helps.

I also have the 'Antimalware Doctor' showing up in my programmes list but it doesn't appear to be doing much.

I've tried using Malwarebytes, Ad-Aware etc.

Here's the DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by ALI2 at 22:02:23.17 on 17/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.286 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\ALI2\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [{1CBEFBA5-5E46-5DD1-B662-3ECFB35EDE59}] "c:\documents and settings\ali2\application data\enil\suoku.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Jjege] rundll32.exe "c:\windows\ucacolalocupuw.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\compro~2.lnk - c:\program files\common files\videomate\ComproRemote.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\compro~1.lnk - c:\program files\common files\videomate\ComproSchedulerDTV.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: o2.co.uk\*.broadband
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ali2\applic~1\mozilla\firefox\profiles\rgysj9q6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\all users.windows\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - HiddenExtension: XULRunner: {357250E9-A09E-49D8-B619-F9E2E6F88015} - c:\documents and settings\ali2\local settings\application data\{357250E9-A09E-49D8-B619-F9E2E6F88015}
FF - HiddenExtension: XULRunner: {2A90FA57-4590-4D7C-AA4A-3F5906495883} - c:\documents and settings\hg.60442e4d22f24c9\local settings\application data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}
FF - HiddenExtension: XULRunner: {67A443AA-E0FF-4FB4-844C-7C82B65D9DCA} - c:\documents and settings\ali2\local settings\application data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
FF - HiddenExtension: XULRunner: {58C2481F-D28A-4A3C-A1E4-59981FE94538} - c:\documents and settings\ali2\local settings\application data\{58c2481f-d28a-4a3c-a1e4-59981fe94538}\
FF - HiddenExtension: XULRunner: {D817765C-5CFC-48DC-8EF2-0C40EA8B5E69} - c:\documents and settings\ali2\local settings\application data\{d817765c-5cfc-48dc-8ef2-0c40ea8b5e69}\
FF - HiddenExtension: XULRunner: {9F855137-ED09-4092-BE0D-5E1F28B846CC} - c:\documents and settings\ali2\local settings\application data\{9f855137-ed09-4092-be0d-5e1f28b846cc}\
FF - HiddenExtension: XULRunner: {3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F} - c:\documents and settings\ali2\local settings\application data\{3aee616d-d7d3-4d8b-9433-a2cc2fa57b2f}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-19 214664]
R1 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-1-3 3768]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-21 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-19 144704]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-19 40552]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-1-3 23096]
R3 VMENgBas32;Compro VideoMate E700 Base Driver;c:\windows\system32\drivers\VMENgBas.sys [2009-1-2 74496]
R3 VMENgCap32;Compro VideoMate E700 Audio/Video Capture Driver;c:\windows\system32\drivers\VMENgCap.sys [2009-1-2 52224]
R3 VMENgTun32;Compro VideoMate E700 Tuner Driver;c:\windows\system32\drivers\VMENgTun.sys [2009-1-2 192512]
S0 apxwwoia;apxwwoia;c:\windows\system32\drivers\rdspthrf.sys --> c:\windows\system32\drivers\rdspthrf.sys [?]
S2 gupdate1c9a8cc16070b88;Google Update Service (gupdate1c9a8cc16070b88);c:\program files\google\update\GoogleUpdate.exe [2009-3-19 133104]
S3 EyelineService;Eyeline Service;c:\program files\nch software\eyeline\eyeline.exe [2009-4-18 425988]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-19 34248]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-5-31 14424]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2009-1-3 200704]
S4 Amdbdfas;Amdbdfas; [x]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

=============== Created Last 30 ================

2010-08-17 20:05:27 0 ----a-w- c:\documents and settings\ali2\defogger_reenable
2010-08-15 16:01:50 0 d-----w- c:\docume~1\ali2\applic~1\DFBFEDDF87048ECCC726CB5B4418F73B
2010-08-05 22:32:05 0 d-----w- c:\program files\Rockstar Games
2010-08-03 11:17:34 0 d-----w- c:\program files\Livestation
2010-08-03 11:16:05 23360000 ----a-w- c:\documents and settings\ali2\Livestation-3.2.0.msi

==================== Find3M ====================

2010-08-15 18:54:14 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-08-03 11:17:41 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-08-03 11:17:41 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-15 14:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-15 20:15:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-14 10:41:35 80192 ----a-w- c:\windows\fonts\AdobeFnt09.lst
2010-06-03 00:03:10 37784 ---ha-w- c:\windows\system32\mlfcache.dat
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 22:04:47.84 ===============


Here's the GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-17 23:32:53
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ALI2\LOCALS~1\Temp\ufldraog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766287E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7662BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED67078A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED670738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED67074C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED670837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED670863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED6708D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED6708BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED6707CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED6708FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED67080D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED670710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED670724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED67079E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED670939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED6708A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED67088F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED67084D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xED670925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xED670911]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED670776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED670762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED6707F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED6708E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED6707E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED6707B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503FE8 7 Bytes JMP ED6707B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577ED2 5 Bytes JMP ED67078E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0A7C 7 Bytes JMP ED6707CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B188A 5 Bytes JMP ED6707E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6E60 7 Bytes JMP ED6707A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9D0C 5 Bytes JMP ED670714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C9F98 5 Bytes JMP ED670728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CC756 5 Bytes JMP ED670766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFA2C 7 Bytes JMP ED670750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFAE2 5 Bytes JMP ED67073C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D0004 5 Bytes JMP ED67077A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1234 5 Bytes JMP ED6707FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806201EA 7 Bytes JMP ED670893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80620538 5 Bytes JMP ED670915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620AB8 7 Bytes JMP ED6708EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806212FE 7 Bytes JMP ED6708A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621B56 7 Bytes JMP ED670851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 806225C0 7 Bytes JMP ED67083B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622790 7 Bytes JMP ED670867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622970 7 Bytes JMP ED6708D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80622BDA 7 Bytes JMP ED6708BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806234C6 5 Bytes JMP ED670811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 806237EA 7 Bytes JMP ED67093D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80623D10 5 Bytes JMP ED670929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80623E2A 5 Bytes JMP ED670901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[192] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[192] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[288] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 000AB8B5
.text C:\WINDOWS\system32\wuauclt.exe[288] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000ABA9B
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00210FEF
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00210075
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00210F8A
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00210F9B
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00210058
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00210036
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002100A1
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00210F65
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00210F12
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00210F2D
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 002100C6
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00210047
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00210000
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 000ABB3D
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00210086
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00210FCA
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0021001B
.text C:\WINDOWS\system32\wuauclt.exe[288] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00210F3E
.text C:\WINDOWS\system32\wuauclt.exe[288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002F0078
.text C:\WINDOWS\system32\wuauclt.exe[288] msvcrt.dll!system 77C293C7 5 Bytes JMP 002F0FE3
.text C:\WINDOWS\system32\wuauclt.exe[288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002F0038
.text C:\WINDOWS\system32\wuauclt.exe[288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002F0000
.text C:\WINDOWS\system32\wuauclt.exe[288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002F0049
.text C:\WINDOWS\system32\wuauclt.exe[288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002F001D
.text C:\WINDOWS\system32\wuauclt.exe[288] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 000B1E92
.text C:\WINDOWS\system32\wuauclt.exe[288] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 000B1FF9
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00300FDE
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00300FA8
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00300025
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00300014
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00300065
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00300FEF
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00300FC3
.text C:\WINDOWS\system32\wuauclt.exe[288] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0030004A
.text C:\WINDOWS\system32\wuauclt.exe[288] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 003B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[288] WS2_32.dll!send 71AB428A 5 Bytes JMP 000A32E5
.text C:\WINDOWS\system32\wuauclt.exe[288] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 000A3306
.text C:\WINDOWS\system32\wuauclt.exe[288] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 000A32AD
.text C:\WINDOWS\system32\wuauclt.exe[288] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 000A66C1
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 000A9737
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 000A982F
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 000A977A
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 000A9803
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 003D0000
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 000A95AB
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 003D0011
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 003D0022
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 000A95FF
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 000A9557
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 000A97B9
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 003D0047
.text C:\WINDOWS\system32\wuauclt.exe[288] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 000A969B
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00050095
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00050084
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00050069
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0005004E
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00050FC0
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000500B0
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00050F68
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00050F2B
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00050F3C
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 000500DF
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0005003D
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00050F85
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00050FDB
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0005002C
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00050F57
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0004006C
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0004005B
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070069
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!system 77C293C7 5 Bytes JMP 0007004E
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070033
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0007000C
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[716] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CE0076
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CE0F8B
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CE0065
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CE0091
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CE0F55
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CE00D8
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CE00C7
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00CE00E9
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00CE004A
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00CE0F66
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00CE00AC
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00CD0FC3
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00CD0039
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00CD0F7C
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00CD0F97
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00CD0FA8
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00042
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00031
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FC8
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FB7
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00FE3
.text C:\WINDOWS\system32\lsass.exe[728] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CF0000
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0014B8B5
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0014BA9B
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0014BB3D
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WS2_32.dll!send 71AB428A 5 Bytes JMP 001432E5
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00143306
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 001432AD
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 00151E92
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 00151FF9
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 001466C1
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00149737
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0014982F
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0014977A
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00149803
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001495AB
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 001495FF
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00149557
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 001497B9
.text C:\Program Files\Mozilla Firefox\firefox.exe[732] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0014969B
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E70056
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E70045
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E70F6B
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E70F7C
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E70F29
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E70071
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E70096
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E70EFD
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E700A7
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E70F8D
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E70F46
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E70014
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E70F0E
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00E6002C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00E60FAF
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00E6006C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00E6005B
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00E60FCA
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90053
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90042
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FD2
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90027
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A10F83
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A10F94
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A10FA5
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A10FB6
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A10051
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A100B0
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A10093
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A100D5
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A10F3C
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A100E6
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A10062
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A10F68
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A10040
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A1002F
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A10F4D
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A0006C
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A0005B
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A00040
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A0002F
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A3004C
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30FB7
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30027
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FD2
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30FE3
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008A0000
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008A0080
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008A0065
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008A0054
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008A0FA1
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008A002F
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008A0F5F
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008A009B
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008A00DD
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008A0F44
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008A0F1F
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008A0FB2
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008A0F70
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008A0FC3
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008A00C2
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00890FB9
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00890F7C
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00890FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00890000
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0089002F
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00890F8D
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00890F9E
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00880044
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00880FC3
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00880029
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0088000C
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00880FD4
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00880FEF
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02C90000
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02C900AE
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02C90FB9
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02C90087
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02C9006C
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02C90051
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02C900DA
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02C90F94
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02C90F5C
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02C90F6D
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02C90F41
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02C90FCA
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02C9001B
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02C900BF
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02C90040
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02C90FE5
.text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02C900EB
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02C80040
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02C80F94
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02C80FE5
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02C8001B
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02C80FAF
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02C8000A
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02C80FC0
.text C:\WINDOWS\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02C80051
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02C70053
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 02C70FC8
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02C70027
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02C70000
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02C70038
.text C:\WINDOWS\System32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02C70FEF
.text C:\WINDOWS\System32\svchost.exe[1104] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02910000
.text C:\WINDOWS\System32\svchost.exe[1104] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02900000
.text C:\WINDOWS\System32\svchost.exe[1104] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02900011
.text C:\WINDOWS\System32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02900FDB
.text C:\WINDOWS\System32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02900FCA
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00820FE5
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008200A9
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00820FB4
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0082008E
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00820073
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00820051
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00820F7C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008200C4
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00820F3C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00820F4D
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00820F21
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00820062
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00820F99
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0082002C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00820011
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008200D5
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00810062
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00810FA5
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00810FE5
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00810051
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00810036
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800F95
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800FA6
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0080000C
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800FE3
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800FB7
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FD2
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008B0FE5
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008B006E
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008B005D
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008B0F83
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008B0F94
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008B0FB9
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008B00B7
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008B00A6
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008B00E3
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008B0F4A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008B0F2F
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008B0036
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008B0089
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008B00C8
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 008A0FB9
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 008A0F83
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 008A0FE5
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 008A0F9E
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 008A0000
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 008A004A
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 008A0025
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00890033
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00890022
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00890FCD
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00890FB2
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00890FDE
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00880000
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0024B8B5
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0024BA9B
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0024BB3D
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 00251E92
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 00251FF9
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WS2_32.dll!send 71AB428A 5 Bytes JMP 002432E5
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00243306
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 002432AD
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 002466C1
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00249737
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0024982F
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0024977A
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00249803
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 002495AB
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 002495FF
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00249557
.text C:\Documents and Settings\ALI2\My Documents\Downloads\Defogger.exe[1420] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 002497B9
.text C:\Program Files\Messenger\msmsgs.exe[3612] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00FC9557
.text C:\Program Files\Messenger\msmsgs.exe[3612] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 00FC97B9
.text C:\Program Files\Messenger\msmsgs.exe[3612] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F30FD4
.text C:\Program Files\Messenger\msmsgs.exe[3612] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 00FC969B
.text C:\Program Files\Messenger\msmsgs.exe[3612] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00FC66C1
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0014B8B5
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0014BA9B
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0014BB3D
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 00151E92
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 00151FF9
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WS2_32.dll!send 71AB428A 5 Bytes JMP 001432E5
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00143306
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 001432AD
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 001466C1
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00149737
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0014982F
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0014977A
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00149803
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001495AB
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 001495FF
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00149557
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 001497B9
.text C:\Documents and Settings\ALI2\Desktop\gmer.exe[3784] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0014969B
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00C0B8B5
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C0BA9B
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 00C0BB3D
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 00C11E92
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 00C11FF9
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00C066C1
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C032E5
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00C03306
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C032AD
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00C09737
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 00C0982F
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 00C0977A
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00C09803
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00C095AB
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 00C095FF
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00C09557
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 00C097B9
.text C:\Program Files\Common Files\VideoMate\ComproRemote.exe[3856] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 00C0969B
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0014B8B5
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0014BA9B
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0014BB3D
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 00151E92
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 00151FF9
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WS2_32.dll!send 71AB428A 5 Bytes JMP 001432E5
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00143306
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 001432AD
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 001466C1
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00149737
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0014982F
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0014977A
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00149803
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001495AB
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 001495FF
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00149557
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 001497B9
.text C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe[3908] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0014969B
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0015B8B5
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0015BA9B
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0015BB3D
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] USER32.dll!TranslateMessage 77D48BCE 5 Bytes JMP 00161E92
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] USER32.dll!GetClipboardData 77D6FCB2 5 Bytes JMP 00161FF9
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WS2_32.dll!send 71AB428A 5 Bytes JMP 001532E5
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00153306
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 001532AD
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 001566C1
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00159737
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0015982F
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0015977A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00159803
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001595AB
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 001595FF
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00159557
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 001597B9
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3972] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0015969B

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

---- EOF - GMER 1.0.15 ----


Alright, I think that's everything you need. I appreciate any help I get on this one; I really need to sort it out.

Thanks
Ali

Attached Files

  • Attached File: ark.log (136.86KB)

Edited by ali_infected, 17 August 2010 - 05:59 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 PM

Posted 18 August 2010 - 07:11 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not Attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread, upload it here: http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Run ComboFix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 ali_infected

ali_infected
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:13 PM

Posted 21 August 2010 - 01:43 PM

Hi Gringo,

Thank you so much for taking the time to help me.
Since my first post, a new problem is that when I start up my computer it hangs and beeps on loading until I press Enter.

I ran combofix as instructed in the guide and during scanning it restarted my computer twice (not sure if this is usual).

The redirecting issue does not seem to be fixed entirely: sometimes when I follow a Google link I'm taken to another website, given a '404 not found' error, or, after a long time loading, either taken to the correct page or Firefox crashes.

And just in general the internet and computer feels a bit slow and buggy.

However after running combofix the 'antimalware doctor' programme (which appeared to be doing nothing) in my programmes list has gone.

That's all the changes I can think of. If you can think of any more ways I can be helpful, let me know.
Thanks, Ali

Here's the combofix log:
ComboFix 10-08-20.01 - ALI2 21/08/2010 18:49:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.556 [GMT 1:00]
Running from: c:\documents and settings\ALI2\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ALI2\Application Data\DFBFEDDF87048ECCC726CB5B4418F73B
c:\documents and settings\ALI2\Application Data\DFBFEDDF87048ECCC726CB5B4418F73B\enemies-names.txt
c:\documents and settings\ALI2\Application Data\DFBFEDDF87048ECCC726CB5B4418F73B\local.ini
c:\documents and settings\ALI2\Application Data\Enil
c:\documents and settings\ALI2\Application Data\Enil\suoku.exe
c:\documents and settings\ALI2\Local Settings\Application Data\Windows Server
c:\documents and settings\ALI2\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\ALI2\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\ALI2\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\ALI2\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\ALI2\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\ALI2\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\Cache
c:\windows\ucacolalocupuw.dll

----- BITS: Possible infected sites -----

hxxp://sync.broadband.o2.co.uk:8080
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.

2010-08-19 07:06 . 2010-08-19 07:06 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}
2010-08-18 22:22 . 2010-08-18 22:22 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}
2010-08-17 22:47 . 2010-08-17 22:47 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}
2010-08-17 20:55 . 2010-08-17 20:55 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}
2010-08-16 15:37 . 2010-08-16 15:37 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}
2010-08-16 15:14 . 2010-08-16 15:14 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}
2010-08-15 22:25 . 2010-08-15 22:25 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}
2010-08-15 16:03 . 2010-08-15 18:40 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\slvnbnbbj
2010-08-09 09:09 . 2010-08-09 09:09 -------- d-----w- c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}
2010-08-06 11:40 . 2010-08-06 11:40 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
2010-08-05 22:32 . 2010-08-05 22:32 -------- d-----w- c:\program files\Rockstar Games
2010-08-03 11:17 . 2010-08-03 11:17 -------- d-----w- c:\program files\Livestation
2010-08-03 11:16 . 2010-08-03 11:16 23360000 ----a-w- c:\documents and settings\ALI2\Livestation-3.2.0.msi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 17:23 . 2010-03-19 20:40 0 ----a-w- c:\windows\Eqahetofi.dat
2010-08-21 15:51 . 2010-06-07 19:37 -------- d-----w- c:\documents and settings\ALI2\Application Data\vlc
2010-08-21 12:17 . 2009-03-11 20:59 -------- d-----w- c:\documents and settings\ALI2\Application Data\Azureus
2010-08-21 11:54 . 2009-10-13 09:04 -------- d-----w- c:\documents and settings\ALI2\Application Data\Utax
2010-08-17 19:36 . 2010-03-02 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 18:54 . 2004-08-04 12:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-08-09 09:09 . 2010-03-22 11:13 0 ----a-w- c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Eqahetofi.dat
2010-08-05 22:32 . 2007-06-23 12:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 11:17 . 2009-01-10 18:02 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-08-03 11:17 . 2009-01-10 18:02 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-24 10:01 . 2009-04-19 10:31 -------- d-----w- c:\program files\McAfee
2010-07-20 01:05 . 2009-03-10 16:03 -------- d-----w- c:\program files\Vuze
2010-07-20 00:52 . 2007-06-23 16:27 -------- d-----w- c:\program files\Google
2010-07-18 08:03 . 2010-03-22 11:13 0 ----a-w- c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Efuvokuzoxu.bin
2010-07-15 14:18 . 2009-04-19 10:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-09 10:20 . 2010-03-19 20:40 0 ----a-w- c:\windows\Efuvokuzoxu.bin
2010-06-22 18:26 . 2010-05-26 12:46 -------- d-----w- c:\documents and settings\ALI2\Application Data\Canon
2010-06-15 20:15 . 2010-03-03 01:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-04 20:15 . 2010-03-02 21:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 00:03 . 2009-10-12 20:18 37784 ---ha-w- c:\windows\system32\mlfcache.dat
2006-05-03 10:06 . 2009-04-18 08:58 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-04-18 08:58 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-18 08:58 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2004-08-04 . 9D236217C3E08F936349FD08AC241EA6 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2004-08-04 . E980381D1EED00B7150E280DC772C4C3 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-17 188416]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-1-31 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-31 110592]
ComproRemote.lnk - c:\program files\Common Files\VideoMate\ComproRemote.exe [2007-6-23 167936]
ComproSchedulerDTV.lnk - c:\program files\Common Files\VideoMate\ComproSchedulerDTV.exe [2007-6-23 90112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Zattoo\\Zattoo1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\ALI2\\Desktop\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:torrent
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/03/2010 22:15 64288]
R1 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [03/01/2009 01:14 3768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [03/01/2009 01:14 23096]
R3 VMENgBas32;Compro VideoMate E700 Base Driver;c:\windows\system32\drivers\VMENgBas.sys [02/01/2009 16:15 74496]
R3 VMENgCap32;Compro VideoMate E700 Audio/Video Capture Driver;c:\windows\system32\drivers\VMENgCap.sys [02/01/2009 16:15 52224]
R3 VMENgTun32;Compro VideoMate E700 Tuner Driver;c:\windows\system32\drivers\VMENgTun.sys [02/01/2009 16:15 192512]
S0 apxwwoia;apxwwoia;c:\windows\system32\drivers\rdspthrf.sys --> c:\windows\system32\drivers\rdspthrf.sys [?]
S2 gupdate1c9a8cc16070b88;Google Update Service (gupdate1c9a8cc16070b88);c:\program files\Google\Update\GoogleUpdate.exe [19/03/2009 20:51 133104]
S3 EyelineService;Eyeline Service;c:\program files\NCH Software\Eyeline\eyeline.exe [18/04/2009 11:19 425988]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [31/05/2010 13:02 14424]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [03/01/2009 01:14 200704]
S4 Amdbdfas;Amdbdfas; [x]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:15]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:50]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:50]

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-19 11:22]

2010-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-19 11:22]

2010-06-13 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2009-04-18 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\documents and settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: XULRunner: {357250E9-A09E-49D8-B619-F9E2E6F88015} - c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}
FF - HiddenExtension: XULRunner: {2A90FA57-4590-4D7C-AA4A-3F5906495883} - c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}
FF - HiddenExtension: XULRunner: {67A443AA-E0FF-4FB4-844C-7C82B65D9DCA} - c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
FF - HiddenExtension: XULRunner: {58C2481F-D28A-4A3C-A1E4-59981FE94538} - c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}\
FF - HiddenExtension: XULRunner: {D817765C-5CFC-48DC-8EF2-0C40EA8B5E69} - c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}\
FF - HiddenExtension: XULRunner: {9F855137-ED09-4092-BE0D-5E1F28B846CC} - c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}\
FF - HiddenExtension: XULRunner: {3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F} - c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}\
FF - HiddenExtension: XULRunner: {F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F} - c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}\
FF - HiddenExtension: XULRunner: {6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587} - c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}\
FF - HiddenExtension: XULRunner: {6E415B85-AA8B-4DF4-8CE6-168C0D08C987} - c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-{1CBEFBA5-5E46-5DD1-B662-3ECFB35EDE59} - c:\documents and settings\ALI2\Application Data\Enil\suoku.exe
HKLM-Run-Jjege - c:\windows\ucacolalocupuw.dll
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-21 19:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-308236825-1801674531-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:eb,c9,39,41,ff,f4,a0,81,fe,69,a2,8f,ef,ee,6c,d1,cc,69,60,e9,de,d1,40,
66,a5,f8,ba,ac,c7,aa,49,a2,1f,e2,4d,56,68,6a,90,9e,d6,e6,37,41,20,2d,bb,67,\
"??"=hex:1f,77,56,79,82,ff,ed,5f,04,1a,f9,64,bf,c9,87,29
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1256)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-21 19:19:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-21 18:18

Pre-Run: 5,884,432,384 bytes free
Post-Run: 9,220,038,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C602460B649C8840DAC0C2267B7D0643


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 PM

Posted 21 August 2010 - 01:51 PM

Download and run OTL:

Download OTL by Old Timer and save it to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in
      netsvcs
      /md5start
      winlogon.exe
      explorer.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\system32\*.wt
      %systemroot%\system32\*.ruy
      %systemroot%\Fonts\*.com
      %systemroot%\Fonts\*.dll
      %systemroot%\Fonts\*.ini
      %systemroot%\Fonts\*.ini2
      %systemroot%\system32\spool\prtprocs\w32x86\*.*
      %systemroot%\REPAIR\*.bak1
      %systemroot%\REPAIR\*.ini
      %systemroot%\system32\*.jpg
      %systemroot%\*.scr
      %systemroot%\*._sy
      %APPDATA%\Adobe\Update\*.*
      %ALLUSERSPROFILE%\Favorites\*.*
      %APPDATA%\Microsoft\*.*
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\user32.dll /md5
      %systemroot%\system32\ws2_32.dll /md5
      %systemroot%\system32\ws2help.dll /md5
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. Only send the OTL.txt.
  • Please copy (Edit->Select All, Edit->Copy) the contents of OTL.txt

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
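The OTL.txt that gringo_pr asks for is in OTL's "SafeList" format (the PRC/SRV/DRV lines posted later in this thread). As an added example, not part of the thread and not OTL's own code, here is a small Python triage helper that parses those lines plus the "IE - ... Internet Settings" lines and flags what a responder reads first: services or drivers whose file is missing, files with no company name in the string OTL prints, and a ProxyServer pointing at loopback. The sample lines are copied from the log posted below; the flagging rules are the example's own heuristics.

```python
import re

# Constructed sample input: a handful of lines copied from the OTL log posted
# in this thread (OTL "SafeList" format). Not a complete log.
SAMPLE_OTL = r"""
PRC - [2010/08/21 20:01:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ALI2\Desktop\OTL.exe
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- -- (Amdbdfas)
SRV - [2010/06/29 21:15:42 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/04/18 11:19:29 | 000,425,988 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\NCH Software\Eyeline\eyeline.exe -- (EyelineService)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\rdspthrf.sys -- (apxwwoia)
DRV - [2009/09/28 02:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
"""

# One OTL file entry: kind, then either "File not found" or
# "[date | size | attrs | M] (Company)", an optional "[start | state]" block,
# "-- path", and (for SRV/DRV) "-- (service name)".
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:File not found|\[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)(?: ?-- \((?P<name>[^)]*)\).*)?$"
)
# One 'IE - <key>: "<value>" = <data>' setting line.
SETTING_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<value>[^"]+)" = (?P<data>.*)$')
# A proxy string whose host is the local machine, e.g. "http=127.0.0.1:6522".
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?(?:;|$)")


def parse_otl(text):
    """Parse OTL SafeList file entries and IE setting lines.

    Returns (entries, settings): entries is a list of dicts, settings maps the
    quoted value name (e.g. "ProxyServer") to its data string.
    """
    entries, settings = [], {}
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kind": m["kind"],
                "found": m["meta"] is not None,   # "File not found" has no meta block
                "company": (m["company"] or "").strip(),
                "state": m["state"] or "",
                "path": m["path"],
                "name": m["name"] or "",
            })
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m["value"]] = m["data"]
    return entries, settings


def triage(entries, settings):
    """Return (reason, kind, name, detail) tuples for the entries a responder
    looks at first. The rules are this example's own heuristics, not OTL's."""
    findings = []
    for e in entries:
        label = e["name"] or e["path"]
        if not e["found"]:
            findings.append(("missing-file", e["kind"], label, e["path"] or "<no path>"))
        elif not e["company"]:
            findings.append(("no-company", e["kind"], label, e["path"]))
    proxy = settings.get("ProxyServer", "")
    if proxy and LOOPBACK_RE.search(proxy):
        enabled = settings.get("ProxyEnable", "?")
        findings.append(("loopback-proxy", "IE", "ProxyServer",
                         f"{proxy} (ProxyEnable = {enabled})"))
    return findings


def triage_text(text):
    """Convenience wrapper: parse a log, then triage it."""
    return triage(*parse_otl(text))


if __name__ == "__main__":
    for reason, kind, name, detail in triage_text(SAMPLE_OTL):
        print(f"{reason:15} {kind:4} {name:25} {detail}")
```

A "missing-file" hit only says the registered file is absent at scan time (the entry may be a leftover of something already removed), and a "no-company" hit is a prompt to look at the file, not a verdict.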

#5 ali_infected

ali_infected
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:13 PM

Posted 21 August 2010 - 02:24 PM

ran the otl

one more thing, safari seems to work ok but firefox doesn't.

here's the otl log:

OTL logfile created on: 21/08/2010 20:04:05 - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\ALI2\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 428.00 Mb Available Physical Memory | 42.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 8.50 Gb Free Space | 1.83% Space Free | Partition Type: NTFS
Drive D: | 178.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 60442E4D22F24C9
Current User Name: ALI2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/21 20:01:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ALI2\Desktop\OTL.exe
PRC - [2010/06/29 21:15:42 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/06/15 21:15:34 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/02/18 11:43:20 | 000,490,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/20 11:51:52 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2007/06/07 17:19:40 | 000,202,280 | R--- | M] (SupportSoft, Inc.) -- C:\Program Files\O2\bin\sprtsvc.exe
PRC - [2007/05/03 13:17:52 | 000,167,936 | ---- | M] (Compro Technology, Inc.) -- C:\Program Files\Common Files\VideoMate\ComproRemote.exe
PRC - [2007/04/12 11:54:56 | 000,090,112 | ---- | M] (Compro Technology, Inc.) -- C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
PRC - [2005/11/07 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/03/22 17:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2004/12/14 03:12:02 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2004/12/13 05:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2004/08/04 13:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/03/25 12:35:26 | 001,732,608 | ---- | M] (Adobe Systems) -- C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
PRC - [2002/12/17 23:25:31 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe


========== Modules (SafeList) ==========

MOD - [2010/08/21 20:01:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ALI2\Desktop\OTL.exe
MOD - [2004/08/04 13:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 13:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- -- (Amdbdfas)
SRV - [2010/06/29 21:15:42 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/08/05 23:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/07/20 11:51:52 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/04/18 11:19:29 | 000,425,988 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\NCH Software\Eyeline\eyeline.exe -- (EyelineService)
SRV - [2008/11/14 12:47:50 | 000,200,704 | ---- | M] (SoundMovieServer) [On_Demand | Stopped] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SoundMovieServer)
SRV - [2007/07/27 06:39:32 | 000,382,320 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2007/06/07 17:19:40 | 000,202,280 | R--- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\O2\bin\sprtsvc.exe -- (sprtsvc_O2) SupportSoft Sprocket Service (O2)
SRV - [2004/12/13 05:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2004/03/25 12:35:26 | 000,061,440 | ---- | M] (Adobe Sytems) [On_Demand | Stopped] -- C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe -- (AdobeVersionCue)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\rdspthrf.sys -- (apxwwoia)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/06/04 21:15:43 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/09/28 02:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2008/11/14 12:58:12 | 000,003,768 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SndTVideo.sys -- (SndTVideo)
DRV - [2008/11/14 12:58:08 | 000,023,096 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SndTAudio.sys -- (SndTAudio)
DRV - [2007/03/07 17:10:02 | 000,074,496 | ---- | M] (Compro Tech.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMENgBas.sys -- (VMENgBas32)
DRV - [2007/03/07 17:10:02 | 000,052,224 | ---- | M] (Compro Tech.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMENgCap.sys -- (VMENgCap32)
DRV - [2007/03/03 13:21:34 | 000,192,512 | ---- | M] (Compro Tech.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMENgTun.sys -- (VMENgTun32)
DRV - [2006/02/09 20:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/11/18 13:02:50 | 000,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/11/18 13:02:10 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/11/16 15:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/11/07 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/11/07 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/11/07 06:20:00 | 000,086,652 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/11/07 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/11/07 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/11/07 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/11/07 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2004/08/12 18:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/11 11:27:52 | 000,027,232 | ---- | M] (Ulead Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys -- (ULCDRHlp)
DRV - [2004/08/04 00:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2004/08/04 00:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/04 00:00:14 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
DRV - [2004/08/03 23:59:34 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.47.4
FF - prefs.js..extensions.enabledItems: brief@mozdev.org:1.2.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {1f91cde0-c040-11da-a94d-0800200c9a66}:3.1
FF - prefs.js..extensions.enabledItems: {357250E9-A09E-49D8-B619-F9E2E6F88015}:1.9.1
FF - prefs.js..extensions.enabledItems: {2A90FA57-4590-4D7C-AA4A-3F5906495883}:1.9.1
FF - prefs.js..extensions.enabledItems: {67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}:1.9.1
FF - prefs.js..extensions.enabledItems: {58C2481F-D28A-4A3C-A1E4-59981FE94538}:1.9.1
FF - prefs.js..extensions.enabledItems: {3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}:1.9.1
FF - prefs.js..extensions.enabledItems: {F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}:1.9.1
FF - prefs.js..extensions.enabledItems: {6E415B85-AA8B-4DF4-8CE6-168C0D08C987}:1.9.1


FF - HKLM\software\mozilla\Firefox\Extensions\\{357250E9-A09E-49D8-B619-F9E2E6F88015}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015} [2010/03/19 21:40:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2A90FA57-4590-4D7C-AA4A-3F5906495883}: C:\Documents and Settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883} [2010/05/12 11:01:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA} [2010/08/06 12:40:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{58C2481F-D28A-4A3C-A1E4-59981FE94538}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}\ [2010/08/15 23:25:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}\ [2010/08/16 16:14:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9F855137-ED09-4092-BE0D-5E1F28B846CC}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}\ [2010/08/16 16:37:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}\ [2010/08/17 21:55:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}\ [2010/08/17 23:47:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}\ [2010/08/18 23:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}: C:\Documents and Settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}\ [2010/08/19 08:06:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 01:15:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/23 19:05:05 | 000,000,000 | ---D | M]

[2009/10/06 16:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Mozilla\Extensions
[2009/03/21 19:13:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/08/21 18:07:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\extensions
[2010/05/19 13:41:44 | 000,000,000 | ---D | M] (RSS Ticker) -- C:\Documents and Settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}
[2010/04/15 17:33:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/04/23 10:44:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\extensions\brief@mozdev.org
[2010/08/21 18:07:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/03/22 04:27:56 | 000,098,304 | ---- | M] (Zylom) -- C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
[2010/07/23 19:04:51 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/23 19:04:51 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/23 19:04:52 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/23 19:04:53 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/08/21 19:07:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe (Adobe Systems)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe (Compro Technology, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe (Compro Technology, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: o2.co.uk ([*.broadband] http in Trusted sites)
O15 - HKCU\..Trusted Domains: o2.co.uk ([*.broadband] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/02 00:28:48 | 000,000,057 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/05/11 17:29:14 | 000,000,070 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619756233228288)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/21 20:01:45 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ALI2\Desktop\OTL.exe
[2010/08/21 19:57:42 | 000,000,000 | ---D | C] -- C:\Program Files\Safari
[2010/08/21 18:38:12 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/21 18:28:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/21 18:28:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/21 18:28:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/21 18:28:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/21 18:28:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/21 18:26:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/19 08:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}
[2010/08/18 23:22:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}
[2010/08/17 23:47:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}
[2010/08/17 21:55:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}
[2010/08/16 16:37:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}
[2010/08/16 16:14:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}
[2010/08/16 12:01:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\ALI2\Recent
[2010/08/15 23:25:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}
[2010/08/15 17:03:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\slvnbnbbj
[2010/08/06 12:40:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
[2010/08/05 23:42:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\GTA Vice City User Files
[2010/08/05 23:32:05 | 000,000,000 | ---D | C] -- C:\Program Files\Rockstar Games
[2010/08/03 12:17:34 | 000,000,000 | ---D | C] -- C:\Program Files\Livestation
[2010/06/26 17:52:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\physics 5
[2010/06/22 19:12:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\2010-06-22
[2010/06/16 20:19:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader 9 Installer
[2010/06/16 20:19:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/06/16 20:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NOS
[2010/06/16 10:47:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\physics 4
[2010/06/14 11:34:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Desktop\New Folder
[2010/06/07 20:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Application Data\vlc
[2010/06/06 12:25:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\physics unit 2 questions
[2010/05/31 22:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Application Data\Mchid
[2010/05/31 13:02:04 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2010/05/26 23:03:16 | 000,000,000 | ---D | C] -- C:\Program Files\Free WMA to MP3 Converter
[2010/05/26 22:42:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010/05/26 22:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\LitexMedia
[2010/05/26 14:06:16 | 000,000,000 | ---D | C] -- C:\Program Files\A-PDF Merger
[2010/05/26 14:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\riley help
[2010/05/26 13:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\My Documents\2010-05-26
[2010/05/26 13:46:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ALI2\Application Data\Canon
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/21 20:01:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ALI2\Desktop\OTL.exe
[2010/08/21 19:59:07 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\ALI2\NTUSER.DAT
[2010/08/21 19:59:03 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Safari.lnk
[2010/08/21 19:59:03 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\ALI2\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/08/21 19:46:01 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/21 19:21:44 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/21 19:07:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/21 19:07:35 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/08/21 19:07:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/21 19:07:10 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/21 19:06:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/21 19:06:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/21 18:48:40 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/21 18:46:06 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\ALI2\ntuser.ini
[2010/08/21 18:38:19 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/21 18:23:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Eqahetofi.dat
[2010/08/21 18:18:51 | 003,820,278 | R--- | M] () -- C:\Documents and Settings\ALI2\Desktop\ComboFix.exe
[2010/08/21 14:36:51 | 000,086,528 | ---- | M] () -- C:\Documents and Settings\ALI2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/19 02:25:32 | 005,425,128 | -H-- | M] () -- C:\Documents and Settings\ALI2\Local Settings\Application Data\IconCache.db
[2010/08/15 01:00:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/08/06 12:24:41 | 000,001,715 | ---- | M] () -- C:\Documents and Settings\ALI2\Desktop\Play GTA Vice City.lnk
[2010/08/03 12:17:41 | 000,413,696 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2010/08/03 12:17:41 | 000,110,592 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2010/08/03 12:17:38 | 000,001,600 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Livestation.lnk
[2010/08/03 12:16:33 | 023,360,000 | ---- | M] () -- C:\Documents and Settings\ALI2\Livestation-3.2.0.msi
[2010/08/01 01:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/07/22 22:10:09 | 001,046,552 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\CH015_0722_2210.mpg
[2010/07/22 18:13:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\CH000_0722_1813.mpg
[2010/07/20 02:05:27 | 000,001,505 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Vuze.lnk
[2010/07/20 02:05:27 | 000,001,505 | ---- | M] () -- C:\Documents and Settings\ALI2\Application Data\Microsoft\Internet Explorer\Quick Launch\Vuze.lnk
[2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/07/15 14:19:58 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\ALI2\Desktop\Microsoft Office Word 2003.lnk
[2010/07/14 03:08:09 | 1604,778,008 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\maradonna.mpg
[2010/07/09 11:20:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Efuvokuzoxu.bin
[2010/06/22 19:27:33 | 000,762,742 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\french essay2.pdf
[2010/06/22 19:25:43 | 000,849,920 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\french essay1.pdf
[2010/06/22 19:21:05 | 000,018,073 | ---- | M] () -- C:\WINDOWS\CSTBox.INI
[2010/06/18 06:31:09 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Acrobat 7.0 Professional.lnk
[2010/06/18 06:23:46 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader 9.lnk
[2010/06/16 20:19:29 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Acrobat_com.lnk
[2010/06/15 21:15:44 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/14 15:35:41 | 007,534,616 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\CH005_0614_1535.mpg
[2010/06/14 15:35:41 | 000,752,792 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\CH005_0614_1535.cst
[2010/06/14 15:35:41 | 000,000,588 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\CH005_0614_1535.csb
[2010/06/13 13:07:02 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\switchShakeIcon.job
[2010/06/12 22:38:34 | 000,636,181 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\_Unit 4 ms.rtf
[2010/06/12 22:37:07 | 035,923,555 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\_Unit 4.rtf
[2010/06/11 17:05:35 | 1855,846,423 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\CH001_0611_1314.mpg
[2010/06/11 01:51:55 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\ALI2\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/06/11 01:51:55 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Yahoo! Messenger.lnk
[2010/06/10 17:34:28 | 000,433,310 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 17:34:28 | 000,068,090 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/10 17:34:27 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 12:24:22 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Switch Sound File Converter.lnk
[2010/06/07 20:36:27 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\VLC media player.lnk
[2010/06/07 17:59:05 | 018,499,623 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\vlc-1.0.5-win32.exe
[2010/06/04 21:15:43 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/03 01:03:10 | 000,037,784 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/05/31 22:11:31 | 022,691,328 | ---- | M] () -- C:\Documents and Settings\ALI2\Desktop\Livestation-3.1.0.msi
[2010/05/31 13:02:07 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\ALI2\Desktop\PeerBlock.lnk
[2010/05/26 23:03:17 | 000,000,760 | ---- | M] () -- C:\Documents and Settings\ALI2\Desktop\Jodix Free WMA to MP3 Converter.lnk
[2010/05/24 10:01:14 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\ALI2\My Documents\I have served as a parent governor representative for one term and with your support.doc
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/21 19:59:03 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Safari.lnk
[2010/08/21 19:59:03 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\ALI2\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/08/21 18:38:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/21 18:38:14 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/21 18:28:45 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/21 18:28:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/21 18:28:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/21 18:28:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/21 18:28:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/21 18:18:44 | 003,820,278 | R--- | C] () -- C:\Documents and Settings\ALI2\Desktop\ComboFix.exe
[2010/08/17 21:17:30 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\ALI2\Desktop\gmer.exe
[2010/08/06 12:24:41 | 000,001,715 | ---- | C] () -- C:\Documents and Settings\ALI2\Desktop\Play GTA Vice City.lnk
[2010/08/03 12:17:37 | 000,001,600 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Livestation.lnk
[2010/08/03 12:16:05 | 023,360,000 | ---- | C] () -- C:\Documents and Settings\ALI2\Livestation-3.2.0.msi
[2010/07/22 22:10:04 | 001,046,552 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\CH015_0722_2210.mpg
[2010/07/22 18:13:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\CH000_0722_1813.mpg
[2010/07/20 02:05:27 | 000,001,505 | ---- | C] () -- C:\Documents and Settings\ALI2\Application Data\Microsoft\Internet Explorer\Quick Launch\Vuze.lnk
[2010/07/14 01:49:04 | 1604,778,008 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\maradonna.mpg
[2010/07/08 22:36:51 | 001,426,224 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\Umberto Eco - The Name Of The Rose.pdf
[2010/06/22 19:27:33 | 000,762,742 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\french essay2.pdf
[2010/06/22 19:25:43 | 000,849,920 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\french essay1.pdf
[2010/06/22 19:21:05 | 000,018,073 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2010/06/16 20:20:56 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader 9.lnk
[2010/06/16 20:19:29 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Acrobat_com.lnk
[2010/06/14 15:35:21 | 000,752,792 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\CH005_0614_1535.cst
[2010/06/14 15:35:21 | 000,000,588 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\CH005_0614_1535.csb
[2010/06/14 15:35:12 | 007,534,616 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\CH005_0614_1535.mpg
[2010/06/12 22:38:34 | 000,636,181 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\_Unit 4 ms.rtf
[2010/06/12 22:37:03 | 035,923,555 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\_Unit 4.rtf
[2010/06/11 13:14:41 | 1855,846,423 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\CH001_0611_1314.mpg
[2010/06/11 01:51:55 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\ALI2\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/06/11 01:51:55 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Yahoo! Messenger.lnk
[2010/06/10 13:07:21 | 000,000,276 | ---- | C] () -- C:\WINDOWS\tasks\switchShakeIcon.job
[2010/06/07 20:36:27 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\VLC media player.lnk
[2010/06/07 17:57:28 | 018,499,623 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\vlc-1.0.5-win32.exe
[2010/05/31 22:11:03 | 022,691,328 | ---- | C] () -- C:\Documents and Settings\ALI2\Desktop\Livestation-3.1.0.msi
[2010/05/31 13:02:07 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\ALI2\Desktop\PeerBlock.lnk
[2010/05/26 23:03:17 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\ALI2\Desktop\Jodix Free WMA to MP3 Converter.lnk
[2010/05/24 10:01:14 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\ALI2\My Documents\I have served as a parent governor representative for one term and with your support.doc
[2010/04/19 16:13:48 | 000,013,296 | -HS- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\01g5Ear3B8kU5
[2010/04/19 16:13:48 | 000,013,296 | -HS- | C] () -- C:\Documents and Settings\ALI2\Local Settings\Application Data\01g5Ear3B8kU5
[2010/03/02 00:27:05 | 000,001,076 | -HS- | C] () -- C:\Documents and Settings\ALI2\Local Settings\Application Data\26x8
[2010/01/30 02:29:33 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\ALI2\Application Data\winscp.rnd
[2009/10/27 14:54:57 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/10/27 14:54:57 | 000,022,328 | ---- | C] () -- C:\Documents and Settings\ALI2\Application Data\PnkBstrK.sys
[2009/05/09 12:29:53 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/04/25 10:27:30 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/12 18:43:35 | 000,086,528 | ---- | C] () -- C:\Documents and Settings\ALI2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/10 16:49:12 | 000,000,728 | ---- | C] () -- C:\WINDOWS\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
[2009/01/03 03:28:56 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/01/02 16:45:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/02 16:15:29 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/01/02 16:08:15 | 000,000,179 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/01/02 15:59:12 | 000,010,430 | ---- | C] () -- C:\WINDOWS\hpdj6127.ini
[2008/11/06 17:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 17:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 17:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 17:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2004/08/04 13:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/04/18 11:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\4Media Software Studio
[2009/09/20 23:08:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Amazon
[2010/08/21 13:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Azureus
[2010/06/22 19:26:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Canon
[2009/04/10 23:36:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\LimeWire
[2009/05/11 22:22:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Livestation
[2010/05/31 22:13:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Mchid
[2009/04/18 11:19:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\NCH Swift Sound
[2010/04/24 15:27:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\NesterSoft
[2009/09/13 21:24:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Red Kawa
[2009/03/22 14:47:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\River Past G5
[2010/01/26 18:56:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Spotify
[2009/10/24 23:46:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\SystemRequirementsLab
[2010/08/21 12:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\Utax
[2009/10/20 20:11:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ALI2\Application Data\uTorrent
[2010/04/19 16:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avG
[2009/01/19 21:14:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
[2009/09/23 17:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Driving Test Success
[2010/06/10 12:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NCH Swift Sound
[2009/03/22 14:51:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\River Past G5
[2009/03/10 16:49:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SupportSoft
[2010/05/26 22:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010/02/15 23:36:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom
[2010/03/02 22:13:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/09/27 16:25:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/08/21 19:21:44 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/08/15 01:00:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010/08/01 01:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/06/13 13:07:02 | 000,000,276 | ---- | M] () -- C:\WINDOWS\Tasks\switchShakeIcon.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2004/08/04 13:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=E980381D1EED00B7150E280DC772C4C3 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 13:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=9D236217C3E08F936349FD08AC241EA6 -- C:\WINDOWS\system32\winlogon.exe
[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

< %SYSTEMDRIVE%\*.* >
[2010/08/21 19:06:35 | 000,028,260 | ---- | M] () -- C:\aaw7boot.log
[2010/03/02 00:28:48 | 000,000,057 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/01/02 15:04:42 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/21 18:38:19 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/21 19:19:11 | 000,021,949 | ---- | M] () -- C:\ComboFix.txt
[2007/06/23 09:44:15 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/07/16 16:25:23 | 000,001,233 | ---- | M] () -- C:\Cucu_Video_log.txt
[2007/02/26 00:26:10 | 010,782,861 | ---- | M] () -- C:\GoldenEye 007.zip
[2007/06/23 09:44:15 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2004/03/28 09:25:20 | 012,582,912 | ---- | M] () -- C:\Mario Kart 64.z64
[1996/11/06 06:01:38 | 016,777,216 | ---- | M] () -- C:\Mario Tennis.z64
[2006/05/07 00:05:06 | 000,004,850 | ---- | M] () -- C:\mouse.com
[2007/06/23 09:44:15 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 13:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/08/21 19:06:35 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2005/09/09 20:12:30 | 000,996,760 | ---- | M] () -- C:\pj64_1_5.exe
[2007/02/28 15:44:16 | 000,000,811 | ---- | M] () -- C:\Project64.lnk
[2010/08/16 16:11:32 | 000,000,367 | ---- | M] () -- C:\rkill.log
[2008/04/26 16:50:03 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/05/01 18:54:22 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/05/19 16:26:35 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/05/24 20:36:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/05/27 08:08:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/06/09 19:53:26 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/06/22 00:32:18 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/07/26 23:09:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/08/10 21:10:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/08/17 15:30:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/08/19 13:03:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/10/05 21:06:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/10/05 22:02:43 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/10/06 00:20:42 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/10/20 11:56:58 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008/04/20 00:46:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2008/04/20 13:58:30 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2008/04/22 07:15:58 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2008/04/22 07:20:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2008/04/22 22:56:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008/04/26 16:50:03 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/05/01 18:54:22 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/05/19 16:26:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/05/24 20:36:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/05/27 08:08:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008/06/09 19:53:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008/06/22 00:32:18 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/07/26 23:09:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/08/10 21:10:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/08/17 15:30:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/08/19 13:03:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/10/05 21:06:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/10/05 22:02:43 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/10/06 00:20:42 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/10/20 11:56:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/04/20 00:46:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008/04/20 13:58:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008/04/22 07:15:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008/04/22 07:20:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008/04/22 22:56:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/08/15 19:53:35 | 000,041,656 | ---- | M] () -- C:\TDSSKiller.2.4.1.1_15.08.2010_19.52.14_log.txt
[2010/08/15 19:58:15 | 000,040,016 | ---- | M] () -- C:\TDSSKiller.2.4.1.1_15.08.2010_19.57.48_log.txt
[2010/08/15 23:18:04 | 000,040,252 | ---- | M] () -- C:\TDSSKiller.2.4.1.1_15.08.2010_23.17.45_log.txt
[2010/08/16 11:57:58 | 000,040,016 | ---- | M] () -- C:\TDSSKiller.2.4.1.1_16.08.2010_11.57.34_log.txt
[2010/08/16 16:12:08 | 000,032,640 | ---- | M] () -- C:\TDSSKiller.2.4.1.1_16.08.2010_16.11.54_log.txt
[2008/04/12 14:31:14 | 000,001,254 | ---- | M] () -- C:\test.mp3

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/01/02 15:10:06 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 11:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/01/02 14:50:39 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/02 14:50:38 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/02 14:50:38 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2004/08/04 13:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\system32\user32.dll
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2_32.dll /md5 >
[2004/08/04 13:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\ws2_32.dll
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2help.dll /md5 >
[2004/08/04 13:00:00 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9BEACB911CA61E5881102188AB7FB431 -- C:\WINDOWS\system32\ws2help.dll
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-05-12 10:01:56
< End of report >


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 PM

Posted 21 August 2010 - 02:38 PM

Run Batch File
    Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
CODE
@echo off
copy /y C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe c:\
copy /y C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe c:\
del %0
    Save this as copy.bat. Choose Save as type: All Files, and where to save: Desktop, then close the Notepad file.
    It should look like this: <--vista
    It should look like this: <--XP
    Double-click on copy.bat to run it. This batchfile will delete itself when complete.

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
CODE
:filefind
explorer.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 ali_infected

ali_infected
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 21 August 2010 - 03:02 PM

SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:52 on 21/08/2010 by ALI2 (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a--- 1033728 bytes [19:52 21/08/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a--- 1032192 bytes [12:00 04/08/2004] [12:00 04/08/2004] E980381D1EED00B7150E280DC772C4C3
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a--- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.exe"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --a--- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9D236217C3E08F936349FD08AC241EA6
C:\winlogon.exe --a--- 507904 bytes [19:52 21/08/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-=End Of File=-

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 PM

Posted 21 August 2010 - 03:27 PM

Greetings

I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
KillAll::

FCopy::
C:\explorer.exe | C:\WINDOWS\explorer.exe
C:\winlogon.exe | C:\WINDOWS\system32\winlogon.exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



#9 ali_infected

ali_infected
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 21 August 2010 - 05:03 PM

Still redirecting half the time; if I get to my destination it takes a long time. Safari running normally.
Log:

ComboFix 10-08-20.01 - ALI2 21/08/2010 22:19:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.561 [GMT 1:00]
Running from: c:\documents and settings\ALI2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ALI2\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
c:\windows\TEMP\explorer.dat
C:\winlogon.exe

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\explorer.exe --> c:\WINDOWS\explorer.exe
c:\winlogon.exe --> c:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.

2010-08-21 18:57 . 2010-08-21 18:59 -------- d-----w- c:\program files\Safari
2010-08-19 07:06 . 2010-08-19 07:06 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}
2010-08-18 22:22 . 2010-08-18 22:22 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}
2010-08-17 22:47 . 2010-08-17 22:47 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}
2010-08-17 20:55 . 2010-08-17 20:55 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}
2010-08-16 15:37 . 2010-08-16 15:37 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}
2010-08-16 15:14 . 2010-08-16 15:14 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}
2010-08-15 22:25 . 2010-08-15 22:25 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}
2010-08-15 16:03 . 2010-08-15 18:40 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\slvnbnbbj
2010-08-09 09:09 . 2010-08-09 09:09 -------- d-----w- c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}
2010-08-06 11:40 . 2010-08-06 11:40 -------- d-----w- c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
2010-08-05 22:32 . 2010-08-05 22:32 -------- d-----w- c:\program files\Rockstar Games
2010-08-03 11:17 . 2010-08-03 11:17 -------- d-----w- c:\program files\Livestation
2010-08-03 11:16 . 2010-08-03 11:16 23360000 ----a-w- c:\documents and settings\ALI2\Livestation-3.2.0.msi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 18:59 . 2009-03-14 12:08 -------- d-----w- c:\documents and settings\ALI2\Application Data\Apple Computer
2010-08-21 17:23 . 2010-03-19 20:40 0 ----a-w- c:\windows\Eqahetofi.dat
2010-08-21 15:51 . 2010-06-07 19:37 -------- d-----w- c:\documents and settings\ALI2\Application Data\vlc
2010-08-21 12:17 . 2009-03-11 20:59 -------- d-----w- c:\documents and settings\ALI2\Application Data\Azureus
2010-08-21 11:54 . 2009-10-13 09:04 -------- d-----w- c:\documents and settings\ALI2\Application Data\Utax
2010-08-17 19:36 . 2010-03-02 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 18:54 . 2004-08-04 12:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-08-09 09:09 . 2010-03-22 11:13 0 ----a-w- c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Eqahetofi.dat
2010-08-05 22:32 . 2007-06-23 12:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 11:17 . 2009-01-10 18:02 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-08-03 11:17 . 2009-01-10 18:02 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-24 10:01 . 2009-04-19 10:31 -------- d-----w- c:\program files\McAfee
2010-07-20 01:05 . 2009-03-10 16:03 -------- d-----w- c:\program files\Vuze
2010-07-20 00:52 . 2007-06-23 16:27 -------- d-----w- c:\program files\Google
2010-07-18 08:03 . 2010-03-22 11:13 0 ----a-w- c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Efuvokuzoxu.bin
2010-07-15 14:18 . 2009-04-19 10:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-09 10:20 . 2010-03-19 20:40 0 ----a-w- c:\windows\Efuvokuzoxu.bin
2010-06-15 20:15 . 2010-03-03 01:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-04 20:15 . 2010-03-02 21:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 00:03 . 2009-10-12 20:18 37784 ---ha-w- c:\windows\system32\mlfcache.dat
2006-05-03 10:06 . 2009-04-18 08:58 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-04-18 08:58 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-18 08:58 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2008-04-14 . D8C503EFADCDF12F4532D736054EF234 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 3A594F1464226D21647398846C800076 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-08-21_18.07.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-21 21:36 . 2010-08-21 21:36 16384 c:\windows\Temp\Perflib_Perfdata_714.dat
+ 2009-01-02 14:14 . 2010-08-21 19:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-02 14:14 . 2010-08-21 14:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-08-21 18:56 . 2010-08-21 19:00 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-02 14:14 . 2010-08-21 14:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-08-21 18:56 . 2010-08-21 18:56 807936 c:\windows\Installer\2c78cb.msi
+ 2010-08-21 18:59 . 2010-08-21 18:59 897024 c:\windows\Installer\{EAFEF30E-3789-49C7-A6D9-77C12E005BAC}\SafariIco.exe
+ 2010-08-21 18:59 . 2010-08-21 18:59 3140608 c:\windows\Installer\2c78e7.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-17 188416]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-1-31 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-31 110592]
ComproRemote.lnk - c:\program files\Common Files\VideoMate\ComproRemote.exe [2007-6-23 167936]
ComproSchedulerDTV.lnk - c:\program files\Common Files\VideoMate\ComproSchedulerDTV.exe [2007-6-23 90112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Zattoo\\Zattoo1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\ALI2\\Desktop\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:torrent
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/03/2010 22:15 64288]
R1 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [03/01/2009 01:14 3768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [03/01/2009 01:14 23096]
R3 VMENgBas32;Compro VideoMate E700 Base Driver;c:\windows\system32\drivers\VMENgBas.sys [02/01/2009 16:15 74496]
R3 VMENgCap32;Compro VideoMate E700 Audio/Video Capture Driver;c:\windows\system32\drivers\VMENgCap.sys [02/01/2009 16:15 52224]
R3 VMENgTun32;Compro VideoMate E700 Tuner Driver;c:\windows\system32\drivers\VMENgTun.sys [02/01/2009 16:15 192512]
S0 apxwwoia;apxwwoia;c:\windows\system32\drivers\rdspthrf.sys --> c:\windows\system32\drivers\rdspthrf.sys [?]
S2 gupdate1c9a8cc16070b88;Google Update Service (gupdate1c9a8cc16070b88);c:\program files\Google\Update\GoogleUpdate.exe [19/03/2009 20:51 133104]
S3 EyelineService;Eyeline Service;c:\program files\NCH Software\Eyeline\eyeline.exe [18/04/2009 11:19 425988]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [31/05/2010 13:02 14424]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [03/01/2009 01:14 200704]
S4 Amdbdfas;Amdbdfas; [x]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:15]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:50]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:50]

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-19 11:22]

2010-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-19 11:22]

2010-06-13 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2009-04-18 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\documents and settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: XULRunner: {357250E9-A09E-49D8-B619-F9E2E6F88015} - c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}
FF - HiddenExtension: XULRunner: {2A90FA57-4590-4D7C-AA4A-3F5906495883} - c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}
FF - HiddenExtension: XULRunner: {67A443AA-E0FF-4FB4-844C-7C82B65D9DCA} - c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
FF - HiddenExtension: XULRunner: {58C2481F-D28A-4A3C-A1E4-59981FE94538} - c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}\
FF - HiddenExtension: XULRunner: {D817765C-5CFC-48DC-8EF2-0C40EA8B5E69} - c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}\
FF - HiddenExtension: XULRunner: {9F855137-ED09-4092-BE0D-5E1F28B846CC} - c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}\
FF - HiddenExtension: XULRunner: {3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F} - c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}\
FF - HiddenExtension: XULRunner: {F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F} - c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}\
FF - HiddenExtension: XULRunner: {6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587} - c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}\
FF - HiddenExtension: XULRunner: {6E415B85-AA8B-4DF4-8CE6-168C0D08C987} - c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-21 22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-308236825-1801674531-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:eb,c9,39,41,ff,f4,a0,81,fe,69,a2,8f,ef,ee,6c,d1,cc,69,60,e9,de,d1,40,
66,a5,f8,ba,ac,c7,aa,49,a2,1f,e2,4d,56,68,6a,90,9e,d6,e6,37,41,20,2d,bb,67,\
"??"=hex:1f,77,56,79,82,ff,ed,5f,04,1a,f9,64,bf,c9,87,29
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3776)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-21 22:47:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-21 21:47
ComboFix2.txt 2010-08-21 18:19

Pre-Run: 9,026,285,568 bytes free
Post-Run: 9,015,390,208 bytes free

- - End Of File - - 57E2783A1336B4348D9561ACF09A3360
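
The SystemLook listing in post #7 and the Sigcheck section of the ComboFix log above both show the same two binaries in three locations: the live copy under C:\WINDOWS, the Windows Update download cache copy the helper is using as a clean source, and the staged copy in the drive root. The check being made by eye is whether the live copy's MD5 matches the cache copy's. As an added example (not part of this thread, and not code from SystemLook or ComboFix), the Python below parses both line formats and applies that check. It assumes the default XP layout with %SystemRoot% = C:\WINDOWS and treats any path under SoftwareDistribution\Download as the reference; the sample lines are copied from the logs in this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class FileRecord(NamedTuple):
    path: str
    md5: str
    size: int
    version: Optional[str]  # only ComboFix Sigcheck lines carry a version string


# SystemLook "filefind" line: <path> <attrs> <size> bytes [mtime] [ctime] <MD5>
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?)\s+[-a-zA-Z]{6}\s+(?P<size>\d+) bytes\s+\[[^\]]*\]\s+\[[^\]]*\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# ComboFix "Sigcheck" line: [-] <date> . <MD5> . <size> . . [<version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[[^\]]\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Assumption: default Windows XP layout, %SystemRoot% = C:\WINDOWS.
CANONICAL = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
}
# The Windows Update download cache, used in this thread as the clean source.
CACHE_MARKER = "\\softwaredistribution\\download\\"

# Constructed sample input: lines copied from the logs posted above.
SYSTEMLOOK_SAMPLE = r"""
Searching for "explorer.exe"
C:\explorer.exe --a--- 1033728 bytes [19:52 21/08/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a--- 1032192 bytes [12:00 04/08/2004] [12:00 04/08/2004] E980381D1EED00B7150E280DC772C4C3
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a--- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.exe"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --a--- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9D236217C3E08F936349FD08AC241EA6
C:\winlogon.exe --a--- 507904 bytes [19:52 21/08/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
"""

SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2008-04-14 . D8C503EFADCDF12F4532D736054EF234 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 3A594F1464226D21647398846C800076 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
"""


def parse_records(text: str) -> List[FileRecord]:
    """Extract (path, md5, size, version) from SystemLook or Sigcheck lines; other lines are ignored."""
    records: List[FileRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SYSTEMLOOK_RE.match(line)
        if m:
            records.append(FileRecord(m["path"], m["md5"].upper(), int(m["size"]), None))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            records.append(FileRecord(m["path"], m["md5"].upper(), int(m["size"]), m["version"]))
    return records


def assess(records: List[FileRecord]) -> Dict[str, dict]:
    """Group copies by file name and compare the live copy against the cache copy.

    Verdicts: 'match' (same MD5), 'patched' (same version string and size but a
    different MD5, i.e. the bytes were modified in place), 'differs' (different
    MD5 with no version string to compare, or different size: may be version
    drift and needs a closer look), 'no-reference' (one of the copies is missing).
    """
    by_name: Dict[str, List[FileRecord]] = defaultdict(list)
    for rec in records:
        by_name[rec.path.rsplit("\\", 1)[-1].lower()].append(rec)

    findings: Dict[str, dict] = {}
    for name, copies in by_name.items():
        live = next((c for c in copies if c.path.lower() == CANONICAL.get(name)), None)
        ref = next((c for c in copies if CACHE_MARKER in c.path.lower()), None)
        others = [c.path for c in copies if c is not live and c is not ref]
        if live is None or ref is None:
            verdict = "no-reference"
        elif live.md5 == ref.md5:
            verdict = "match"
        elif live.version is not None and live.version == ref.version and live.size == ref.size:
            verdict = "patched"
        else:
            verdict = "differs"
        findings[name] = {
            "verdict": verdict,
            "live_md5": live.md5 if live else None,
            "reference_md5": ref.md5 if ref else None,
            "other_copies": others,
        }
    return findings


if __name__ == "__main__":
    for label, sample in (("SystemLook", SYSTEMLOOK_SAMPLE), ("Sigcheck", SIGCHECK_SAMPLE)):
        print(f"== {label} ==")
        for name, f in assess(parse_records(sample)).items():
            print(f"{name}: {f['verdict']} (live {f['live_md5']}, ref {f['reference_md5']}, other {f['other_copies']})")
```

On the SystemLook output the live copies differ from the cache copies in size and date as well as MD5, which on its own can be version drift (a 2004-dated file against a 2008-dated one), so they are reported only as 'differs'. On the Sigcheck output, taken right after FCopy had written the cache copies into place, both live files carry the same version string and size as their source but a different MD5, which the script reports as 'patched': the freshly copied files were modified again while Windows was running. That is the observation behind moving the replacement offline into the Recovery Console in the next post.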


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 PM

Posted 21 August 2010 - 10:38 PM

Hello

Run Batch File
    Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
CODE
@echo off
copy /y C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe c:\
copy /y C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe c:\
del %0
    Save this as copy.bat. Choose Save as type: All Files, and where to save: Desktop, then close the Notepad file.
    It should look like this: <--vista
    It should look like this: <--XP
    Double-click on copy.bat to run it. This batchfile will delete itself when complete.

Print out these instructions to use while in the Recovery Console: (This is for XP only)
    1. Restart your computer.
    2. Before Windows loads, you will be prompted to choose which Operating System to start.
    3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
    4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
    5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' after each line (note the spaces):
      cd C:\WINDOWS
      ren explorer.exe explorer.old
      copy c:\explorer.exe C:\WINDOWS
      cd c:\windows\system32
      ren winlogon.exe winlogon.old
      copy c:\winlogon.exe c:\windows\system32
      exit

If you are unsure where the spaces are check this
    cd[SPACE]C:\WINDOWS
    ren[SPACE]explorer.exe[SPACE]explorer.old
    copy[SPACE]c:\explorer.exe[SPACE]C:\WINDOWS
    cd[SPACE]c:\windows\system32
    ren[SPACE]winlogon.exe[SPACE]winlogon.old
    copy[SPACE]c:\winlogon.exe[SPACE]c:\windows\system32
    exit

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
Ignore::
C:\explorer.exe
C:\winlogon.exe

Folder::
c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}
c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}
c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}
c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}
c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}
c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}
c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}
c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}
c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}
c:\documents and settings\ALI2\Local Settings\Application Data\slvnbnbbj
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}
c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}

File::
c:\windows\Eqahetofi.dat
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Eqahetofi.dat
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Efuvokuzoxu.bin
c:\windows\Efuvokuzoxu.bin

Driver::
apxwwoia
Amdbdfas

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo




#11 ali_infected

ali_infected
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 23 August 2010 - 11:01 AM

Hi again Gringo,
Sorry I couldn't reply yesterday.

I ran everything like you said and tentatively I THINK that the google redirect issue appears to be fixed, YESS!

I'm not sure if the beeping and not loading till I press Enter at start-up is fixed; I'll check that and get back to you.

Thanks
Ali

Here's the log:

ComboFix 10-08-20.01 - ALI2 23/08/2010 16:28:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.576 [GMT 1:00]
Running from: c:\documents and settings\ALI2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ALI2\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FILE ::
"c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Efuvokuzoxu.bin"
"c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Eqahetofi.dat"
"c:\windows\Efuvokuzoxu.bin"
"c:\windows\Eqahetofi.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}
c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{357250E9-A09E-49D8-B619-F9E2E6F88015}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}
c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{3AEE616D-D7D3-4D8B-9433-A2CC2FA57B2F}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}
c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{58C2481F-D28A-4A3C-A1E4-59981FE94538}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}
c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{67A443AA-E0FF-4FB4-844C-7C82B65D9DCA}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}
c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{6E415B85-AA8B-4DF4-8CE6-168C0D08C987}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}
c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{6F2243C0-AEA4-45B5-AB1F-A69DAAEE7587}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}
c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{9F855137-ED09-4092-BE0D-5E1F28B846CC}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}
c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{D817765C-5CFC-48DC-8EF2-0C40EA8B5E69}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}
c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}\chrome.manifest
c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}\chrome\content\overlay.xul
c:\documents and settings\ALI2\Local Settings\Application Data\{F1FC3908-8B50-4CB2-A5F7-4D4FFBFA8A2F}\install.rdf
c:\documents and settings\ALI2\Local Settings\Application Data\slvnbnbbj
c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}
c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}\chrome.manifest
c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}\chrome\content\overlay.xul
c:\documents and settings\HG.60442E4D22F24C9\Local Settings\Application Data\{2A90FA57-4590-4D7C-AA4A-3F5906495883}\install.rdf
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}\chrome.manifest
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}\chrome\content\overlay.xul
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\{8FF25BA9-B7E4-4E9D-88AA-242E9D4C4BB3}\install.rdf
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Efuvokuzoxu.bin
c:\documents and settings\SAMAR.60442E4D22F24C9\Local Settings\Application Data\Eqahetofi.dat
c:\windows\Efuvokuzoxu.bin
c:\windows\Eqahetofi.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Amdbdfas
-------\Service_apxwwoia


((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-23 15:10 . 2008-04-14 00:12 507904 ----a-w- C:\winlogon.exe
2010-08-23 15:10 . 2008-04-14 00:12 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-08-23 15:10 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2010-08-23 15:10 . 2008-04-14 00:12 1033728 ----a-w- C:\explorer.exe
2010-08-21 18:57 . 2010-08-21 18:59 -------- d-----w- c:\program files\Safari
2010-08-05 22:32 . 2010-08-05 22:32 -------- d-----w- c:\program files\Rockstar Games
2010-08-03 11:17 . 2010-08-03 11:17 -------- d-----w- c:\program files\Livestation
2010-08-03 11:16 . 2010-08-03 11:16 23360000 ----a-w- c:\documents and settings\ALI2\Livestation-3.2.0.msi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-23 13:31 . 2010-06-07 19:37 -------- d-----w- c:\documents and settings\ALI2\Application Data\vlc
2010-08-23 02:05 . 2009-03-11 20:59 -------- d-----w- c:\documents and settings\ALI2\Application Data\Azureus
2010-08-21 18:59 . 2009-03-14 12:08 -------- d-----w- c:\documents and settings\ALI2\Application Data\Apple Computer
2010-08-21 11:54 . 2009-10-13 09:04 -------- d-----w- c:\documents and settings\ALI2\Application Data\Utax
2010-08-17 19:36 . 2010-03-02 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 18:54 . 2004-08-04 12:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-08-05 22:32 . 2007-06-23 12:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 11:17 . 2009-01-10 18:02 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-08-03 11:17 . 2009-01-10 18:02 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-24 10:01 . 2009-04-19 10:31 -------- d-----w- c:\program files\McAfee
2010-07-20 01:05 . 2009-03-10 16:03 -------- d-----w- c:\program files\Vuze
2010-07-20 00:52 . 2007-06-23 16:27 -------- d-----w- c:\program files\Google
2010-07-15 14:18 . 2009-04-19 10:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-15 20:15 . 2010-03-03 01:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-04 20:15 . 2010-03-02 21:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 00:03 . 2009-10-12 20:18 37784 ---ha-w- c:\windows\system32\mlfcache.dat
2006-05-03 10:06 . 2009-04-18 08:58 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-04-18 08:58 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-18 08:58 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-08-21_18.07.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-23 15:43 . 2010-08-23 15:43 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat
+ 2009-01-02 14:14 . 2010-08-23 11:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-02 14:14 . 2010-08-21 14:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-08-21 23:56 . 2010-08-23 11:44 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-02 14:14 . 2010-08-21 14:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-08-21 18:56 . 2010-08-21 18:56 807936 c:\windows\Installer\2c78cb.msi
+ 2010-08-21 18:59 . 2010-08-21 18:59 897024 c:\windows\Installer\{EAFEF30E-3789-49C7-A6D9-77C12E005BAC}\SafariIco.exe
+ 2010-08-21 18:59 . 2010-08-21 18:59 3140608 c:\windows\Installer\2c78e7.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-17 188416]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-1-31 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-31 110592]
ComproRemote.lnk - c:\program files\Common Files\VideoMate\ComproRemote.exe [2007-6-23 167936]
ComproSchedulerDTV.lnk - c:\program files\Common Files\VideoMate\ComproSchedulerDTV.exe [2007-6-23 90112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Zattoo\\Zattoo1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\ALI2\\Desktop\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:torrent
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/03/2010 22:15 64288]
R1 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [03/01/2009 01:14 3768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [03/01/2009 01:14 23096]
R3 VMENgBas32;Compro VideoMate E700 Base Driver;c:\windows\system32\drivers\VMENgBas.sys [02/01/2009 16:15 74496]
R3 VMENgCap32;Compro VideoMate E700 Audio/Video Capture Driver;c:\windows\system32\drivers\VMENgCap.sys [02/01/2009 16:15 52224]
R3 VMENgTun32;Compro VideoMate E700 Tuner Driver;c:\windows\system32\drivers\VMENgTun.sys [02/01/2009 16:15 192512]
S2 gupdate1c9a8cc16070b88;Google Update Service (gupdate1c9a8cc16070b88);c:\program files\Google\Update\GoogleUpdate.exe [19/03/2009 20:51 133104]
S3 EyelineService;Eyeline Service;c:\program files\NCH Software\Eyeline\eyeline.exe [18/04/2009 11:19 425988]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [31/05/2010 13:02 14424]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [03/01/2009 01:14 200704]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:15]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:50]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:50]

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-19 11:22]

2010-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-19 11:22]

2010-06-13 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2009-04-18 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\documents and settings\ALI2\Application Data\Mozilla\Firefox\Profiles\rgysj9q6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 16:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-308236825-1801674531-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:eb,c9,39,41,ff,f4,a0,81,fe,69,a2,8f,ef,ee,6c,d1,cc,69,60,e9,de,d1,40,
66,a5,f8,ba,ac,c7,aa,49,a2,1f,e2,4d,56,68,6a,90,9e,d6,e6,37,41,20,2d,bb,67,\
"??"=hex:1f,77,56,79,82,ff,ed,5f,04,1a,f9,64,bf,c9,87,29
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3864)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-23 16:53:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 15:53
ComboFix2.txt 2010-08-21 21:47
ComboFix3.txt 2010-08-21 18:19

Pre-Run: 10,531,581,952 bytes free
Post-Run: 10,521,481,216 bytes free

- - End Of File - - DBA070B78128E0BBB1BF7E7F17AEAA7E




#12 ali_infected (Topic Starter)

Posted 23 August 2010 - 11:11 AM

yeah my computer still beeps and hangs on the first loading screen unless I press enter. Don't know why.
This problem started after I was infected.

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 August 2010 - 01:50 PM

yeah my computer still beeps and hangs on the first loading screen unless I press enter. Don't know why.
This problem started after I was infected.


Please tell me as much as possible about what is going on so I can see what is happening.



Gringo

#14 ali_infected (Topic Starter)

Posted 25 August 2010 - 05:51 PM

Sorry I didn't reply sooner.

It's a little hard to describe. On the first loading screen of my computer start up, when the loading bar gets to around 95% the computer starts making beeping sounds and will not load unless I press enter. After I press enter it starts up fine.

Otherwise my computer seems to be doing fine after the fixes you helped me with, THANKS!

ali

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 25 August 2010 - 06:18 PM

update combofix

I would like you to download an updated version of ComboFix.
    Delete the version of ComboFix you have now on your desktop and download a new one from here

    **Note: It is important that it is saved directly to your desktop**

:Run CFScript:
    Open Notepad and copy/paste the text in the box into the window:

    Driver::
    iteraid
    Si3112r
    viasraid


    Save it to your desktop as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    This will let ComboFix run again.
    Restart if you have to.
    Save the produced logfile to your desktop.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    "information and logs"
      In your next post I need the following:

      1. report from ComboFix
      2. let me know of any problems you may have had
      3. How is the computer doing now after running the script?

Gringo


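The CFScript above hand-lists the three S4 services whose image file ComboFix marked with `[x]`. As an added example (not ComboFix's own code and not from anyone in this thread), here is a small Python parser that picks those entries out of the Drivers/Services section of a ComboFix log and renders the same Driver:: block; the sample lines are copied from the log posted earlier in the thread.

```python
"""Parse the Drivers/Services section of a ComboFix log and render the
Driver:: block of a CFScript for services whose image file is missing.

Added example; the line layout is inferred from the log in this thread.
"""
import re
from typing import Dict, List, Optional

# Shape of a ComboFix service line:
#   R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/03/2010 22:15 64288]
#   S4 iteraid;iteraid; [x]
# <start type> <service name>;<display name>;<image path> [<date> <time> <size>]
# A trailing "[x]" with no path means the service key points at a file that
# ComboFix could not find (an orphaned or removed driver).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
META_RE = re.compile(r"\s*\[(?P<date>\S+) (?P<time>\S+) (?P<size>\d+)\]\s*$")


def parse_service_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    entry: Dict[str, object] = {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "path": None,
        "size": None,
        "missing": False,
    }
    if rest == "[x]":
        entry["missing"] = True
        return entry
    meta = META_RE.search(rest)
    if meta:
        entry["path"] = rest[: meta.start()].strip()
        entry["size"] = int(meta.group("size"))
    else:  # tolerate a line with a path but no [date time size] suffix
        entry["path"] = rest
    return entry


def parse_services(log_text: str) -> List[Dict[str, object]]:
    """All service entries found in a log; non-service lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e is not None:
            entries.append(e)
    return entries


def orphaned_service_names(log_text: str) -> List[str]:
    """Names of services whose image file ComboFix reported as missing."""
    return [str(e["name"]) for e in parse_services(log_text) if e["missing"]]


def build_driver_block(names: List[str]) -> str:
    """Render the Driver:: section of a CFScript, one service name per line."""
    return "Driver::\n" + "".join(f"{n}\n" for n in names)


# Sample input: lines copied from the ComboFix log posted in this thread,
# plus two non-service lines to show they are ignored.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/03/2010 22:15 64288]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [31/05/2010 13:02 14424]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]
.
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    for e in parse_services(SAMPLE_LOG):
        flag = "MISSING FILE" if e["missing"] else e["path"]
        print(f'{e["start"]} {e["name"]:<12} {flag}')
    print(build_driver_block(orphaned_service_names(SAMPLE_LOG)), end="")
```

Only entries marked `[x]` are collected; a service whose file exists is never put in the block, which is the distinction the script above relies on.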



