Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Thousands of Compromised WordPress Sites Redirect to Tech Support Scams

Featured Deal: Get 96% off a Xamarin Cross Platform Development Bundle Deal

Photo

BSOD and Chrome tabs/search bar not responding

Started by zoeticreverie , Dec 08 2010 11:23 AM

  • This topic is locked This topic is locked
19 replies to this topic

#1 zoeticreverie

zoeticreverie

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 08 December 2010 - 11:23 AM

Last night McAfee alerted me that it had detected and successfully blocked a Trojan. In light of McAfee's recent history, I began to close my programs to immediately boot to safe and begin malware scans however a rogue was able to appear before I could cut the ethernet connection and shutdown.

In safe I checked where the rogue was located (an appdata/local of course dated with dec. 7 creation yet last modified july 2009). I opted to run MB rather than manually delete this files. I ran an updated Malwarebytes with a quick scan and here are the goodies I found:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsuxafotocedofi (Trojan.Hiloti) -> Value: Nsuxafotocedofi -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rAETnLIvsw.exe (Trojan.FakeAlert) -> Value: rAETnLIvsw.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1652378 (Trojan.SCTool.Gen) -> Value: 1652378 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qlomemulu (Trojan.Agent.U) -> Value: Qlomemulu -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Kim\AppData\Local\wantuiom.dll (Trojan.Hiloti) -> No action taken.
c:\Users\Kim\AppData\Local\Temp\raetnlivsw.exe (Trojan.FakeAlert) -> No action taken.
c:\Users\Kim\local settings\wantuiom.dll (Trojan.Hiloti) -> No action taken.
c:\Users\Kim\local settings\application data\wantuiom.dll (Trojan.Hiloti) -> No action taken.
c:\Users\Kim\AppData\Roaming\Adobe\plugs\kb1592193.exe (Trojan.Agent) -> No action taken.
c:\Users\Kim\AppData\Roaming\Adobe\plugs\kb1654421.exe (Trojan.Agent) -> No action taken.
c:\Users\Kim\AppData\Local\Temp\0.6439974289165903.exe (Trojan.Dropper) -> No action taken.
c:\Users\Kim\AppData\Local\ifugikewejoguxa.dll (Trojan.Agent.U) -> No action taken.

I removed them all and decided that it would be best to just perform a system restore to the previous day. Perhaps that would re-arrange all of my now malware infected windows files. The system restore took and I began to run CCleaner in normal, a task I frequently do. However, my machine gave a BSOD. I tried to boot into safe... yet all my admin rights were revoked in safe as well as my user profile. I undid the system restore back to just after I ran the MB scan.

I was able to boot to safe just fine and ran a full MB scan: Nothing. Emisoft scan in safe: nothing. I ran Hijackthis to see if anything looked strange and to my delight I didn't find anything. I double checked the log with the analysis site (hijackthis.de) and saw nothing to alert me. At this point I believed my machine to be clean... however google chrome was not functioning properly. At this time I cannot open new tabs and am unable to use the address/search bar.

Something is still on my machine and I feel a simple reinstall of Chrome will not fix the issue, so here I am at bleepingcomputer.

I saw the instructions on bleeping computer to run DDS, which I did, then I tried to run GMER. GMER caused another BSOD. Windows 7 made a log:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1000008e
BCP1: C0000005
BCP2: 83069EFE
BCP3: 90DB1A44
BCP4: 00000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\120810-22838-01.dmp
C:\Users\Kim\AppData\Local\Temp\WER-172864-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Each time I run GMER it's the same BSOD during the scan. Thus, I can't run it and provide the log.

Here is DDS LOG:


DDS (Ver_10-12-05.01) - NTFSx86
Run by Kim at 10:29:46.90 on Wed 12/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1037 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
G:\OIT\Scans\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\regedit.exe
C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kim\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101106031836.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - /105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-8-27 386840]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-29 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-29 164840]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-7-3 93320]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-29 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-29 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-29 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-29 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-29 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-29 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-29 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-8-27 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-8-27 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-29 313288]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-29 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-8-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-8-27 40552]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-31 163328]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-28 1343400]

=============== Created Last 30 ================

2010-12-08 03:39:08 709456 ----a-w- c:\windows\isRS-000.tmp
2010-12-08 03:33:25 0 ----a-w- c:\users\kim\appdata\local\Eqemegigusobogi.bin
2010-12-08 03:33:24 -------- d-----w- c:\users\kim\appdata\local\{506E5848-9938-489B-98A7-E34451C1EF12}
2010-12-08 03:30:56 46080 ---ha-w- c:\windows\system32\Dxpssync.dll
2010-12-02 16:40:40 -------- d-----w- c:\users\kim\.thumbnails
2010-12-02 16:38:04 -------- d-----w- c:\users\kim\.gimp-2.6
2010-12-02 16:37:16 -------- d-----w- c:\program files\GIMP-2.0
2010-11-25 02:13:29 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-11-02 19:19:02 720896 ----a-w- c:\windows\iun6002.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST9160821AS rev.3.CDD -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-1

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86211555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862177b0]; MOV EAX, [0x8621782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8303D458] -> \Device\Harddisk0\DR0[0x861EA030]
3 CLASSPNP[0x892AE59E] -> ntkrnlpa!IofCallDriver[0x8303D458] -> [0x863FEF08]
\Driver\atapi[0x861EDEF0] -> IRP_MJ_CREATE -> 0x86211555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskST9160821AS_____________________________3.CDD___#5&2b0df596&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 10:37:42.38 ===============

Before I ran the DDS and GMER I checked my registry for any different startup files and there is nothing that I did not intend on having there.

I understand that to receive help I can no longer run any diagnostic tools, which I will not. Any help is fully appreciated as it is finals weeks at my school and I enjoy using my machine to work (yes, my data is backed up).

BC AdBot (Login to Remove)

 

#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 15 December 2010 - 06:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER< please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 20 December 2010 - 11:46 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 27 December 2010 - 09:34 AM

Reopened at request of OP.

Please follow the instructions above.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#5 zoeticreverie

zoeticreverie
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 27 December 2010 - 12:02 PM

I was working on other computers and noticed the same rogue that I had picked up and the Trojan.Hiloti. They however had the PUP of Whitesmoke which was very tricky to remove but I was able to research more about it which included the removal of a rootkit. I pulled my HDD and scanned it externally with Microsoft Security Essentials and it continuously picked up a rootkit that I could not repair. I used TDSS to fix the bluescreen (worked with several other computers) which removed the rootkit that was affecting the boot order, if that makes sense. SpyBot picked up more traces and MB picked up more as it updated.

McAfee is my current antivirus and I’m debating if I should uninstall it and use MSSE instead. It became corrupt and I had to go through the McAfee site to repair the software… I also uninstalled and attempted to delete all traces of google chrome (as it would not launch). I could not even import bookmarks into IE so I copied the two files associated with the bookmarks and set them aside.
Chrome now works but I have not yet replaced the bookmark files for fear that they will be corrupt.

Currently I've had my wireless connection tap out. It will run in safe and will work again on a reboot. Drivers are updated on my card and I’m fairly certain it’s not a hardware given the infection. I just want to be sure that ALL traces are removed. My computer is still slower than it should be.


Please let me know if I am not following your instructions correctly.

OTL Quickscan:

%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.sys /90
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU






GMER (no BSOD):


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-26 12:37:05
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST9160821AS rev.3.CDD
Running: gmer.exe; Driver: C:\Users\Kim\AppData\Local\Temp\pwldqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x890430B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x890430E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x890430CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x890430A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 83276148 5 Bytes JMP 890430A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8328E599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832B2F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[112] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 700D9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[112] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 700D9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\services.exe[600] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00230FEF
.text C:\Windows\system32\services.exe[600] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00230025
.text C:\Windows\system32\services.exe[600] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00230000
.text C:\Windows\system32\services.exe[600] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 001C0079
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 001C00CA
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 001C00AF
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 001C0025
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 001C0068
.text C:\Windows\system32\services.exe[600] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 001C0F75
.text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 001C0F86
.text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 001C0F97
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 001C0FE5
.text C:\Windows\system32\services.exe[600] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 001C00DB
.text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 001C0FB9
.text C:\Windows\system32\services.exe[600] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 001C0FA8
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 001C0000
.text C:\Windows\system32\services.exe[600] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 001C008A
.text C:\Windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 001C0FCA
.text C:\Windows\system32\services.exe[600] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 001C0F35
.text C:\Windows\system32\services.exe[600] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 001C0F64
.text C:\Windows\system32\services.exe[600] msvcrt.dll!_open 77057E48 5 Bytes JMP 00340000
.text C:\Windows\system32\services.exe[600] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00340F7C
.text C:\Windows\system32\services.exe[600] msvcrt.dll!system 7708B16F 5 Bytes JMP 00340FA1
.text C:\Windows\system32\services.exe[600] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00340FCD
.text C:\Windows\system32\services.exe[600] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00340FB2
.text C:\Windows\system32\services.exe[600] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00340011
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00320FEF
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 0032002C
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00320F9B
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 0032003D
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00320000
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00320058
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 1 Byte [E9]
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00320011
.text C:\Windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00320FC0
.text C:\Windows\system32\services.exe[600] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00330000
.text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 000F0000
.text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 000F0022
.text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 000F0011
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 000E00CE
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 000E010B
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 000E0F80
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 000E002F
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 000E00BD
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 000E0091
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 000E0FAF
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 000E006C
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 000E0FE5
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 000E0F51
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 000E0040
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 000E0051
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 000E0000
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 000E00DF
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 000E0FD4
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 000E00FA
.text C:\Windows\system32\lsass.exe[644] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 000E00AC
.text C:\Windows\system32\lsass.exe[644] msvcrt.dll!_open 77057E48 5 Bytes JMP 00660FEF
.text C:\Windows\system32\lsass.exe[644] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00660FB2
.text C:\Windows\system32\lsass.exe[644] msvcrt.dll!system 7708B16F 5 Bytes JMP 00660FC3
.text C:\Windows\system32\lsass.exe[644] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00660029
.text C:\Windows\system32\lsass.exe[644] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00660FD4
.text C:\Windows\system32\lsass.exe[644] msvcrt.dll!_wopen 77090570 5 Bytes JMP 0066000C
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00100000
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 0010003D
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00100FA5
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00100FC0
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00100011
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00100062
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 0010002C
.text C:\Windows\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00100FD1
.text C:\Windows\system32\lsass.exe[644] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00110000
.text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00460000
.text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00460FD1
.text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00460011
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 003600A2
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 003600DF
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 003600CE
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00360FCA
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00360091
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 0036005B
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00360F8D
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00360F9E
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00360FE5
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00360F39
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00360036
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00360FAF
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00360000
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00360F5E
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 0036001B
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 003600BD
.text C:\Windows\system32\svchost.exe[776] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 0036006C
.text C:\Windows\system32\svchost.exe[776] msvcrt.dll!_open 77057E48 5 Bytes JMP 00CB0FEF
.text C:\Windows\system32\svchost.exe[776] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00CB0FC1
.text C:\Windows\system32\svchost.exe[776] msvcrt.dll!system 7708B16F 5 Bytes JMP 00CB0042
.text C:\Windows\system32\svchost.exe[776] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00CB0027
.text C:\Windows\system32\svchost.exe[776] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00CB0FD2
.text C:\Windows\system32\svchost.exe[776] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00CB000C
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 004B0FEF
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 004B001B
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 004B0F83
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 004B0F94
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 004B0000
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 004B0040
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 004B0FD4
.text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 004B0FAF
.text C:\Windows\system32\svchost.exe[776] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00BE0000
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 004E0000
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 004E001B
.text C:\Windows\system32\svchost.exe[856] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 004E0FE5
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 00280062
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00280F03
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00280098
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00280FAF
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00280F43
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00280F6F
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00280047
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00280F8A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00280000
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00280EF2
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 0028001B
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 0028002C
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00280FE5
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00280F28
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00280FC0
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 0028007D
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00280F54
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_open 77057E48 5 Bytes JMP 00980FEF
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00980F9C
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!system 7708B16F 5 Bytes JMP 00980FC1
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00980016
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00980031
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00980FD2
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 007D0000
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 007D0FC7
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 007D0073
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 007D004E
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 007D0011
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 007D0084
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 007D002C
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 007D003D
.text C:\Windows\system32\svchost.exe[856] WS2_32.dll!socket 75E43F00 5 Bytes JMP 007E000A
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00B90000
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00B90022
.text C:\Windows\System32\svchost.exe[908] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00B90011
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 00B80079
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00B80EFF
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00B80094
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00B80FA8
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00B8005E
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00B80F50
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00B80028
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00B80F61
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00B80FD4
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00B80EEE
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00B80F97
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00B80F7C
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00B80FE5
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00B80F35
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00B80FB9
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00B80F1A
.text C:\Windows\System32\svchost.exe[908] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00B8004D
.text C:\Windows\System32\svchost.exe[908] msvcrt.dll!_open 77057E48 5 Bytes JMP 00C40000
.text C:\Windows\System32\svchost.exe[908] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00C40047
.text C:\Windows\System32\svchost.exe[908] msvcrt.dll!system 7708B16F 5 Bytes JMP 00C4002C
.text C:\Windows\System32\svchost.exe[908] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00C40011
.text C:\Windows\System32\svchost.exe[908] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00C40FBC
.text C:\Windows\System32\svchost.exe[908] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00C40FE3
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00C20000
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00C20FB6
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00C20FA5
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00C20047
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00C20011
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00C20058
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00C20FE5
.text C:\Windows\System32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00C2002C
.text C:\Windows\System32\svchost.exe[908] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00C30000
.text C:\Windows\System32\svchost.exe[960] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00A80FEF
.text C:\Windows\System32\svchost.exe[960] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00A80014
.text C:\Windows\System32\svchost.exe[960] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00A80FDE
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 00A70F7C
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00A70F50
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00A70F61
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00A70FCA
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00A70F8D
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00A70FA8
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00A70080
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00A70065
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00A7001B
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00A700F6
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00A70FB9
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00A7004A
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00A70000
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00A700C0
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00A70FDB
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00A700DB
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00A7009B
.text C:\Windows\System32\svchost.exe[960] msvcrt.dll!_open 77057E48 5 Bytes JMP 00B30000
.text C:\Windows\System32\svchost.exe[960] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00B3005D
.text C:\Windows\System32\svchost.exe[960] msvcrt.dll!system 7708B16F 5 Bytes JMP 00B30FC8
.text C:\Windows\System32\svchost.exe[960] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00B30038
.text C:\Windows\System32\svchost.exe[960] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00B30FD9
.text C:\Windows\System32\svchost.exe[960] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00B3001D
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00A90000
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00A90FB9
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00A90051
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00A90040
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00A90FE5
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00A90F94
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00A90025
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00A90FCA
.text C:\Windows\System32\svchost.exe[960] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00AE0FEF
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00B40000
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00B40022
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00B40011
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 00B30F8D
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00B30F46
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00B300DB
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00B30036
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00B30F9E
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00B30091
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00B30FAF
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00B3006C
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00B30FEF
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00B30F2B
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00B30051
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00B30FCA
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00B30000
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00B30F7C
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00B3001B
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00B30F6B
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00B300AC
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_open 77057E48 5 Bytes JMP 00BF0000
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00BF0F81
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!system 7708B16F 5 Bytes JMP 00BF0F9C
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00BF0FD2
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00BF0FAD
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00BF0FEF
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00B50FEF
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00B50FC3
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00B50054
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00B50FB2
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00B50FDE
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00B50F8D
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00B50014
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00B5002F
.text C:\Windows\system32\svchost.exe[1004] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00BE0000
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 0098000A
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00980036
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00980025
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 00930F2B
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00930EFF
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00930094
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00930FA5
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00930F3C
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00930F5E
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00930F6F
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 0093002C
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00930FCA
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 76071857 3 Bytes JMP 009300AF
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!GetProcAddress + 4 7607185B 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 76072884 3 Bytes JMP 00930F8A
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA + 4 76072888 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 760728D2 3 Bytes JMP 00930011
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW + 4 760728D6 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7607291C 3 Bytes JMP 00930FE5
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateFileA + 4 76072920 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 76077CD5 3 Bytes JMP 00930F1A
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW + 4 76077CD9 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00930000
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00930083
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00930F4D
.text C:\Windows\system32\svchost.exe[1108] msvcrt.dll!_open 77057E48 5 Bytes JMP 009B0FEF
.text C:\Windows\system32\svchost.exe[1108] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 009B003D
.text C:\Windows\system32\svchost.exe[1108] msvcrt.dll!system 7708B16F 5 Bytes JMP 009B0FA8
.text C:\Windows\system32\svchost.exe[1108] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 009B0018
.text C:\Windows\system32\svchost.exe[1108] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 009B0FB9
.text C:\Windows\system32\svchost.exe[1108] msvcrt.dll!_wopen 77090570 5 Bytes JMP 009B0FDE
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00990FEF
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00990036
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 0099006C
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00990051
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 0099000A
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00990FAF
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 0099001B
.text C:\Windows\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00990FCA
.text C:\Windows\system32\svchost.exe[1108] WS2_32.dll!socket 75E43F00 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 002B0FEF
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 002B0FB9
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 002B0FD4
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 001A00C1
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 001A0101
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 001A0F6C
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 001A0FC0
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 001A00B0
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 001A007A
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 001A0069
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 001A0058
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 001A0011
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 001A0112
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 001A002C
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 001A0047
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 001A0000
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 001A00DC
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 001A0FDB
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 001A0F7D
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 001A0095
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_open 77057E48 5 Bytes JMP 00310FE3
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00310047
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!system 7708B16F 5 Bytes JMP 00310FBC
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 0031001B
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 0031002C
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00310000
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00190000
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00190FCA
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00190062
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00190047
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00190011
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00190FAF
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00190FDB
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 0019002C
.text C:\Windows\system32\svchost.exe[1212] WS2_32.dll!socket 75E43F00 5 Bytes JMP 002C0FEF
.text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00A10025
.text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00A10014
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 009C0F3C
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 009C00AC
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 009C009B
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 009C0FB9
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 009C0F4D
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 009C005B
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 009C004A
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 009C0F8D
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 009C0FEF
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 009C00C7
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 009C0F9E
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 009C0025
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 009C0000
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 009C0F2B
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 009C0FD4
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 009C0080
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 009C0F68
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_open 77057E48 5 Bytes JMP 00ED0000
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00ED0058
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!system 7708B16F 5 Bytes JMP 00ED0047
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00ED0FDE
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00ED0FCD
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00ED0FEF
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00930000
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 0093001B
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00930F8A
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 0093002C
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00930FE5
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00930047
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00930FCA
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00930FAF
.text C:\Windows\system32\svchost.exe[1356] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00A2000A
.text C:\Windows\system32\svchost.exe[1512] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00880FEF
.text C:\Windows\system32\svchost.exe[1512] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00880FCD
.text C:\Windows\system32\svchost.exe[1512] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00880FDE
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 0087004A
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00870087
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00870076
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00870FB9
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00870039
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00870F46
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00870F6B
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00870F7C
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00870000
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00870ED7
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00870FA8
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00870F8D
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00870FEF
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00870EFC
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00870FCA
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00870065
.text C:\Windows\system32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00870F35
.text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_open 77057E48 5 Bytes JMP 008E0FE3
.text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 008E0F84
.text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!system 7708B16F 5 Bytes JMP 008E0F95
.text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 008E0FC1
.text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 008E0FA6
.text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_wopen 77090570 5 Bytes JMP 008E0FD2
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00860000
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00860FC0
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00860F9B
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00860047
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00860011
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00860058
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00860FDB
.text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 0086002C
.text C:\Windows\system32\svchost.exe[1512] WS2_32.dll!socket 75E43F00 5 Bytes JMP 00890000
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 00160000
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00160022
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00160011
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 001400C7
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00140111
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 001400F6
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00140FDB
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00140F9E
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00140FC0
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00140098
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00140087
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00140011
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00140F57
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00140047
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00140062
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00140000
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00140F8D
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00140022
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00140F7C
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00140FAF
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_open 77057E48 5 Bytes JMP 00150000
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 00150033
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!system 7708B16F 5 Bytes JMP 00150022
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 00150FCD
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00150FBC
.text C:\Windows\System32\svchost.exe[1632] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00150011
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00110FE5
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 00110036
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00110F9E
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00110FAF
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00110000
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 0011005B
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00110011
.text C:\Windows\System32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00110FC0
.text C:\Windows\System32\svchost.exe[1632] WS2_32.dll!socket 75E43F00 5 Bytes JMP 0013000A
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtCreateFile + 6 77484A36 4 Bytes [28, 00, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtCreateFile + B 77484A3B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtMapViewOfSection + 6 77485096 1 Byte [28]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtMapViewOfSection + 6 77485096 4 Bytes [28, 03, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtMapViewOfSection + B 7748509B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenFile + 6 77485146 4 Bytes [68, 00, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenFile + B 7748514B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenProcess + 6 774851F6 4 Bytes [A8, 01, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenProcess + B 774851FB 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenProcessToken + 6 77485206 4 Bytes CALL 7648590C C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenProcessToken + B 7748520B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenProcessTokenEx + 6 77485216 4 Bytes [A8, 02, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenProcessTokenEx + B 7748521B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenThread + 6 77485276 4 Bytes [68, 01, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenThread + B 7748527B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenThreadToken + 6 77485286 4 Bytes [68, 02, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenThreadToken + B 7748528B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenThreadTokenEx + 6 77485296 4 Bytes CALL 7648599D C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtOpenThreadTokenEx + B 7748529B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtQueryAttributesFile + 6 774853A6 4 Bytes [A8, 00, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtQueryAttributesFile + B 774853AB 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtQueryFullAttributesFile + 6 77485456 4 Bytes CALL 76485B5B C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtQueryFullAttributesFile + B 7748545B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtSetInformationFile + 6 77485AA6 4 Bytes [28, 01, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtSetInformationFile + B 77485AAB 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtSetInformationThread + 6 77485B06 4 Bytes [28, 02, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtSetInformationThread + B 77485B0B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtUnmapViewOfSection + 6 77485E26 1 Byte [68]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtUnmapViewOfSection + 6 77485E26 4 Bytes [68, 03, 07, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[1880] ntdll.dll!NtUnmapViewOfSection + B 77485E2B 1 Byte [E2]
.text C:\Windows\system32\svchost.exe[2020] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 001A0000
.text C:\Windows\system32\svchost.exe[2020] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 001A0025
.text C:\Windows\system32\svchost.exe[2020] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 001A0FEF
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 001400A2
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 00140F1E
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 001400B3
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00140FC3
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 00140091
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 0014005B
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 0014004A
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00140039
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00140FD4
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 001400CE
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00140FA8
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00140F97
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00140FEF
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 00140F54
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 00140F43
.text C:\Windows\system32\svchost.exe[2020] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00140076
.text C:\Windows\system32\svchost.exe[2020] msvcrt.dll!_open 77057E48 5 Bytes JMP 00150FEF
.text C:\Windows\system32\svchost.exe[2020] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 0015003B
.text C:\Windows\system32\svchost.exe[2020] msvcrt.dll!system 7708B16F 5 Bytes JMP 00150FB0
.text C:\Windows\system32\svchost.exe[2020] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 0015000C
.text C:\Windows\system32\svchost.exe[2020] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 00150FC1
.text C:\Windows\system32\svchost.exe[2020] msvcrt.dll!_wopen 77090570 5 Bytes JMP 00150FD2
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 00130000
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 0013004A
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 00130FA8
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 00130FC3
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 00130FE5
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 00130065
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 00130025
.text C:\Windows\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 00130FD4
.text C:\Windows\system32\svchost.exe[2204] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[2204] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00340FD4
.text C:\Windows\system32\svchost.exe[2204] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00340FE5
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 002E0F43
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 002E00B3
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 002E0F28
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 002E0FCA
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 002E0F54
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 002E0F80
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 002E0062
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 002E0051
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 002E0FE5
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 002E00CE
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 002E0036
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 002E0FA5
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 002E0000
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 002E0087
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 002E001B
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 002E0098
.text C:\Windows\system32\svchost.exe[2204] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 002E0F65
.text C:\Windows\system32\svchost.exe[2204] msvcrt.dll!_open 77057E48 5 Bytes JMP 002F0FEF
.text C:\Windows\system32\svchost.exe[2204] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 002F0042
.text C:\Windows\system32\svchost.exe[2204] msvcrt.dll!system 7708B16F 5 Bytes JMP 002F0027
.text C:\Windows\system32\svchost.exe[2204] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 002F0FC1
.text C:\Windows\system32\svchost.exe[2204] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 002F0016
.text C:\Windows\system32\svchost.exe[2204] msvcrt.dll!_wopen 77090570 5 Bytes JMP 002F0FD2
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 000E0FC3
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 000E0065
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 000E004A
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 000E000A
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 000E0076
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 000E0FD4
.text C:\Windows\system32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 000E0025
.text C:\Windows\system32\svchost.exe[2204] WS2_32.dll!socket 75E43F00 5 Bytes JMP 002D0000
.text C:\Windows\Explorer.EXE[3136] ntdll.dll!NtCreateFile 77484A30 5 Bytes JMP 0004000A
.text C:\Windows\Explorer.EXE[3136] ntdll.dll!NtCreateProcess 77484B00 5 Bytes JMP 00040025
.text C:\Windows\Explorer.EXE[3136] ntdll.dll!NtProtectVirtualMemory 77485380 5 Bytes JMP 00040FEF
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!GetStartupInfoA 76021DF0 5 Bytes JMP 000100B0
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreateProcessW 7602202D 5 Bytes JMP 000100F7
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreateProcessA 76022062 5 Bytes JMP 00010F62
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreateNamedPipeW 76051FD6 5 Bytes JMP 00010025
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreatePipe 76054A8B 5 Bytes JMP 0001009F
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!VirtualProtect 760650AB 5 Bytes JMP 00010069
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!LoadLibraryExW 7606B6BF 5 Bytes JMP 00010058
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!LoadLibraryExA 7606BC8B 5 Bytes JMP 00010047
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreateFileW 76070B7D 5 Bytes JMP 00010000
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!GetProcAddress 76071857 5 Bytes JMP 00010112
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!LoadLibraryA 76072884 5 Bytes JMP 00010036
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!LoadLibraryW 760728D2 5 Bytes JMP 00010FA5
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreateFileA 7607291C 5 Bytes JMP 00010FE5
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!GetStartupInfoW 76077CD5 5 Bytes JMP 000100CB
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!CreateNamedPipeA 760AD5BF 5 Bytes JMP 00010FCA
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!WinExec 760AE76D 5 Bytes JMP 000100DC
.text C:\Windows\Explorer.EXE[3136] kernel32.dll!VirtualProtectEx 760AF729 5 Bytes JMP 00010084
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegOpenKeyA 75BDD2ED 5 Bytes JMP 000E0000
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegCreateKeyA 75BDD3C1 5 Bytes JMP 000E0036
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegCreateKeyExA 75BE1B71 5 Bytes JMP 000E0FA5
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegCreateKeyW 75BE1CC0 5 Bytes JMP 000E0047
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegOpenKeyW 75BE3129 5 Bytes JMP 000E0FE5
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegCreateKeyExW 75BEB946 5 Bytes JMP 000E0058
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 1 Byte [E9]
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegOpenKeyExA 75BEBC0D 5 Bytes JMP 000E0011
.text C:\Windows\Explorer.EXE[3136] ADVAPI32.dll!RegOpenKeyExW 75BEBEC4 5 Bytes JMP 000E0FC0
.text C:\Windows\Explorer.EXE[3136] msvcrt.dll!_open 77057E48 5 Bytes JMP 000F0000
.text C:\Windows\Explorer.EXE[3136] msvcrt.dll!_wsystem 7708B04F 5 Bytes JMP 000F0047
.text C:\Windows\Explorer.EXE[3136] msvcrt.dll!system 7708B16F 5 Bytes JMP 000F0FC6
.text C:\Windows\Explorer.EXE[3136] msvcrt.dll!_creat 7708ED29 5 Bytes JMP 000F0FD7
.text C:\Windows\Explorer.EXE[3136] msvcrt.dll!_wcreat 7709038E 5 Bytes JMP 000F002C
.text C:\Windows\Explorer.EXE[3136] msvcrt.dll!_wopen 77090570 5 Bytes JMP 000F0011
.text C:\Windows\Explorer.EXE[3136] WININET.dll!InternetOpenA 75977DE4 5 Bytes JMP 00610FEF
.text C:\Windows\Explorer.EXE[3136] WININET.dll!InternetOpenW 75979D60 5 Bytes JMP 00610000
.text C:\Windows\Explorer.EXE[3136] WININET.dll!InternetOpenUrlA 7597DBD8 5 Bytes JMP 0061001B
.text C:\Windows\Explorer.EXE[3136] WININET.dll!InternetOpenUrlW 759CDD6C 5 Bytes JMP 00610FCA
.text C:\Windows\Explorer.EXE[3136] WS2_32.dll!socket 75E43F00 5 Bytes JMP 03DD0000
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtCreateFile + 6 77484A36 4 Bytes [28, 00, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtCreateFile + B 77484A3B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtMapViewOfSection + 6 77485096 1 Byte [28]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtMapViewOfSection + 6 77485096 4 Bytes [28, 03, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtMapViewOfSection + B 7748509B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenFile + 6 77485146 4 Bytes [68, 00, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenFile + B 7748514B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenProcess + 6 774851F6 4 Bytes [A8, 01, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenProcess + B 774851FB 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenProcessToken + 6 77485206 4 Bytes CALL 7648690C C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenProcessToken + B 7748520B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenProcessTokenEx + 6 77485216 4 Bytes [A8, 02, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenProcessTokenEx + B 7748521B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenThread + 6 77485276 4 Bytes [68, 01, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenThread + B 7748527B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenThreadToken + 6 77485286 4 Bytes [68, 02, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenThreadToken + B 7748528B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenThreadTokenEx + 6 77485296 4 Bytes CALL 7648699D C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtOpenThreadTokenEx + B 7748529B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtQueryAttributesFile + 6 774853A6 4 Bytes [A8, 00, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtQueryAttributesFile + B 774853AB 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtQueryFullAttributesFile + 6 77485456 4 Bytes CALL 76486B5B C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtQueryFullAttributesFile + B 7748545B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtSetInformationFile + 6 77485AA6 4 Bytes [28, 01, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtSetInformationFile + B 77485AAB 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtSetInformationThread + 6 77485B06 4 Bytes [28, 02, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtSetInformationThread + B 77485B0B 1 Byte [E2]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtUnmapViewOfSection + 6 77485E26 1 Byte [68]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtUnmapViewOfSection + 6 77485E26 4 Bytes [68, 03, 17, 00]
.text C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe[4080] ntdll.dll!NtUnmapViewOfSection + B 77485E2B 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 28 December 2010 - 07:08 AM

Hello, zoeticreverie.

TDSS Killer removes backdoor rootkits, so please note the warning below.

The OTL log is the custom scan I asked you to run, it doesn't look like it copied the log that results. Please re-run OTL according to the instructions and we can get started.

Thanks!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#7 zoeticreverie

zoeticreverie
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 28 December 2010 - 09:40 AM

I understand the backdoor. I haven't been using any accounts linked to my bank or credit cards since it became infected. It's just going to be a bit of a **** to reload.

I hope this worked.

OTL Quickscan:


OTL logfile created on: 12/28/2010 9:28:48 AM - Run 2
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\Kim\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.44 Gb Total Space | 48.65 Gb Free Space | 35.66% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.20 Gb Free Space | 62.02% Space Free | Partition Type: NTFS

Computer Name: KIM-PC | User Name: Kim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/26 11:32:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
PRC - [2010/12/08 18:28:23 | 000,991,800 | ---- | M] (Google Inc.) -- C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/10/13 21:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 21:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/09/30 12:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/03/26 10:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/01/15 07:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/21 09:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2007/07/20 18:13:26 | 001,180,952 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/06/25 00:17:04 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/06/25 00:17:00 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe


========== Modules (SafeList) ==========

MOD - [2010/12/26 11:32:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2010/04/01 08:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2007/07/20 18:13:32 | 000,103,704 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/13 21:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 21:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/03/26 10:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/02/28 10:37:43 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/06/25 00:17:00 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/03/19 12:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\vitskyw.sys -- (wuat)
DRV - [2010/10/13 21:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 21:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 21:28:54 | 000,164,840 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2010/10/13 21:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 21:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 21:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 21:28:54 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2010/10/13 21:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 21:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/09/23 18:18:14 | 004,808,192 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2007/06/25 00:17:04 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/04/27 19:35:56 | 000,182,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/27 02:48:46 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/27 02:48:44 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/27 02:48:44 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/02 21:43:30 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 21:42:18 | 000,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/11/02 21:42:08 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/04 19:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2005/01/31 10:13:22 | 000,163,328 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV532AV.SYS -- (PID_0920) Logitech QuickCam Express(PID_0920)
DRV - [2005/01/31 10:12:46 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/12/17 19:17:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{506E5848-9938-489B-98A7-E34451C1EF12}: C:\Users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}\ [2010/12/08 15:17:26 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101106031836.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Users\Kim\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kim\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{1550bd0d-09ba-11df-8eb5-001c23910f2d}\Shell - "" = AutoRun
O33 - MountPoints2\{1550bd0d-09ba-11df-8eb5-001c23910f2d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{336efb7a-b06c-11df-9687-001c23910f2d}\Shell - "" = AutoRun
O33 - MountPoints2\{336efb7a-b06c-11df-9687-001c23910f2d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{5500d802-8db8-11dd-bf5b-001c23910f2d}\Shell - "" = AutoRun
O33 - MountPoints2\{5500d802-8db8-11dd-bf5b-001c23910f2d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: krnldmin - (C:\Windows\system32\Dxpssync.dll) - C:\Windows\System32\Dxpssync.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe - (Avanquest Software )
MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk - C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSASScheduler.exe - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Users^Kim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Users^Kim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: BCSSync - hkey= - key= - C:\Program Files\Microsoft Office\Office14\BCSSync.exe File not found
MsConfig - StartUpReg: DellSupportCenter - hkey= - key= - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
MsConfig - StartUpReg: dscactivate - hkey= - key= - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - State: "startup" - 2

Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: VIDC.IYUV - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)


========== Files/Folders - Created Within 30 Days ==========

[2010/12/26 11:32:16 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
[2010/12/20 00:04:26 | 000,000,000 | ---D | C] -- C:\Users\Kim\Desktop\Desktop
[2010/12/17 19:40:47 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\Deployment
[2010/12/12 16:08:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/12 16:08:23 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/09 11:02:04 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Roaming\McAfee
[2010/12/09 09:21:28 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\Adobe
[2010/12/09 08:39:27 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\Apple Computer
[2010/12/08 23:33:36 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/12/07 22:33:24 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}
[2010/12/02 11:40:44 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Roaming\gtk-2.0
[2010/12/02 11:40:40 | 000,000,000 | ---D | C] -- C:\Users\Kim\.thumbnails
[2010/12/02 11:38:04 | 000,000,000 | ---D | C] -- C:\Users\Kim\Documents\gegl-0.0
[2010/12/02 11:38:04 | 000,000,000 | ---D | C] -- C:\Users\Kim\.gimp-2.6
[2010/12/02 11:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0

========== Files - Modified Within 30 Days ==========

[2010/12/28 09:24:22 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/28 09:24:22 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/28 09:17:05 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/12/28 09:16:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/28 09:16:43 | 1602,781,184 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/26 11:46:01 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000UA.job
[2010/12/26 11:32:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
[2010/12/26 00:43:24 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000Core.job
[2010/12/20 00:06:26 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/20 00:06:26 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/18 08:34:06 | 000,465,768 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/12 16:08:31 | 000,001,242 | ---- | M] () -- C:\Users\Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/12 16:08:31 | 000,001,218 | ---- | M] () -- C:\Users\Kim\Desktop\Spybot - Search & Destroy.lnk
[2010/12/12 15:27:09 | 000,001,318 | ---- | M] () -- C:\Users\Kim\Desktop\Fall 10.lnk
[2010/12/12 15:13:28 | 000,001,432 | ---- | M] () -- C:\Users\Kim\Desktop\mbam.exe - Shortcut.lnk
[2010/12/09 11:05:04 | 000,000,398 | ---- | M] () -- C:\Windows\tasks\vtscheduletask.job
[2010/12/07 22:33:25 | 000,000,120 | ---- | M] () -- C:\Users\Kim\AppData\Local\Mgido.dat
[2010/12/07 22:33:25 | 000,000,000 | ---- | M] () -- C:\Users\Kim\AppData\Local\Eqemegigusobogi.bin
[2010/12/07 14:44:12 | 000,004,946 | ---- | M] () -- C:\Users\Kim\.recently-used.xbel
[2010/12/02 11:37:48 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\GIMP 2.lnk
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/12/17 19:41:12 | 000,000,900 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000UA.job
[2010/12/17 19:41:11 | 000,000,848 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000Core.job
[2010/12/12 16:08:31 | 000,001,242 | ---- | C] () -- C:\Users\Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/12 16:08:31 | 000,001,218 | ---- | C] () -- C:\Users\Kim\Desktop\Spybot - Search & Destroy.lnk
[2010/12/12 15:13:28 | 000,001,432 | ---- | C] () -- C:\Users\Kim\Desktop\mbam.exe - Shortcut.lnk
[2010/12/09 11:02:01 | 000,000,398 | ---- | C] () -- C:\Windows\tasks\vtscheduletask.job
[2010/12/07 22:33:25 | 000,000,120 | ---- | C] () -- C:\Users\Kim\AppData\Local\Mgido.dat
[2010/12/07 22:33:25 | 000,000,000 | ---- | C] () -- C:\Users\Kim\AppData\Local\Eqemegigusobogi.bin
[2010/12/07 14:44:12 | 000,004,946 | ---- | C] () -- C:\Users\Kim\.recently-used.xbel
[2010/12/02 11:37:48 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\GIMP 2.lnk
[2010/06/07 22:11:51 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010/05/19 00:39:17 | 000,000,767 | ---- | C] () -- C:\Windows\entpack.ini
[2009/11/25 20:30:49 | 000,007,602 | ---- | C] () -- C:\Users\Kim\AppData\Local\Resmon.ResmonCfg
[2009/10/22 19:04:22 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/09/02 18:52:47 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2007/09/19 23:42:22 | 000,000,000 | ---- | C] () -- C:\Users\Kim\AppData\Roaming\wklnhst.dat
[2007/08/27 16:13:11 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/08/27 16:13:01 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2006/11/07 14:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2005/01/31 10:13:22 | 000,163,328 | ---- | C] () -- C:\Windows\System32\drivers\LV532AV.SYS
[2005/01/31 08:37:58 | 000,009,255 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2002/05/04 05:04:45 | 000,094,636 | ---- | C] () -- C:\Windows\dropcpyr.dll

========== LOP Check ==========

[2009/10/22 17:13:00 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\.purple
[2010/09/05 15:38:48 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\Aim
[2010/05/08 19:01:38 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/06 19:58:23 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\Facebook
[2009/10/22 17:13:12 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\GetRightToGo
[2010/12/08 15:17:26 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\gtk-2.0
[2009/10/22 17:13:36 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\Sierra Wireless
[2009/10/22 17:13:37 | 000,000,000 | ---D | M] -- C:\Users\Kim\AppData\Roaming\Template
[2010/12/09 11:04:03 | 000,032,614 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/12/09 11:05:04 | 000,000,398 | ---- | M] () -- C:\Windows\Tasks\vtscheduletask.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 20:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/07/13 20:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2009/07/13 20:15:21 | 000,462,848 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\FirewallAPI.dll

< %systemroot%\system32\*.sys /90 >
[2010/10/19 22:00:24 | 002,327,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.* >
[2009/06/10 16:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2010/08/25 14:01:01 | 000,001,001 | ---- | M] () -- C:\BnetLog.txt
[2009/07/13 20:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009/10/22 20:46:07 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2009/06/10 16:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/08/27 16:13:30 | 000,004,991 | RH-- | M] () -- C:\dell.sdr
[2010/12/28 09:16:43 | 1602,781,184 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/19 00:39:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/11 14:49:44 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2010/05/19 00:39:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/12/28 09:16:47 | 2137,042,944 | -HS- | M] () -- C:\pagefile.sys
[2007/08/27 08:37:41 | 000,001,998 | ---- | M] () -- C:\SetWiFiBT.txt
[2010/12/12 15:10:00 | 000,065,612 | ---- | M] () -- C:\TDSSKiller.2.4.11.0_12.12.2010_15.08.32_log.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/01/19 02:34:30 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2009/07/13 20:15:26 | 000,280,064 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpzppw71.dll
[2009/07/13 20:15:26 | 000,090,624 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPWN7.DLL
[2009/07/13 20:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2006/10/26 18:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
[2009/07/13 20:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< End of report >


I would like to continue to clean my machine, thank you for your help. I do have a question about reloading... do you think it's possible to create an image of a recovery partition? I don't want you to take the time to explain how I would just like to know if it's possible. :)

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 29 December 2010 - 02:56 PM

Hello, zoeticreverie.

Yes, that worked. Thanks! I do see some leftovers. Whitesmoke is also fairly prolific so we'll run Combofix next to clean it out. There is also a security hole in Java we'll fix after ensuring your computer is clean.

In regards to the image of a recovery partition, yes, it should be possible. I have never done it since I have never had a computer with a recovery partition, but it should be possible.





Step 1



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#9 zoeticreverie

zoeticreverie
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 29 December 2010 - 07:43 PM

Thank you, as soon as I get a peripheral I'll make an image if this OS is unable to be repaired. The recovery partition has the full graphic interface diagnostics utility that Dell provides...

How can you tell that there is a hold in my Java Security? (I just want to learn, sorry!)

Also... OTL scan's files that I believe associated with the infection:
[2010/12/07 22:33:25 | 000,000,120 | ---- | C] () -- C:\Users\Kim\AppData\Local\Mgido.dat
[2010/12/07 22:33:25 | 000,000,000 | ---- | C] () -- C:\Users\Kim\AppData\Local\Eqemegigusobogi.bin
[2010/12/07 22:33:24 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}


December 7 at this time was when my machine was infected.

--> I don't remember changing the settings for hidden files and extensions. I had them visible before but now they are hidden... I just changed it back.



ComboFix Log:


ComboFix 10-12-29.01 - Kim 12/29/2010 18:52:38.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1237 [GMT -5:00]
Running from: c:\users\Kim\Desktop\etavaresCF.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}
c:\users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}\chrome.manifest
c:\users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}\chrome\content\_cfg.js
c:\users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}\chrome\content\overlay.xul
c:\users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}\install.rdf
c:\users\Kim\AppData\Roaming\Adobe\AdobeUpdate .exe
c:\users\Kim\AppData\Roaming\Adobe\plugs
c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Plus
c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Plus\HDD Plus.lnk
c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Plus\Uninstall HDD Plus.lnk
c:\windows\dropcpyr.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-18 00:40 . 2010-12-18 00:41 -------- d-----w- c:\users\Kim\AppData\Local\Deployment
2010-12-17 21:33 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-17 21:31 . 2010-10-20 04:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-17 21:31 . 2010-10-20 02:58 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-17 21:31 . 2010-10-20 03:00 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-12 21:08 . 2010-12-12 22:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-12 21:08 . 2010-12-12 21:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-09 16:02 . 2010-12-09 16:02 -------- d-----w- c:\users\Kim\AppData\Roaming\McAfee
2010-12-09 14:21 . 2010-12-09 14:21 -------- d-----w- c:\users\Kim\AppData\Local\Adobe
2010-12-09 13:39 . 2010-12-20 03:21 -------- d-----w- c:\users\Kim\AppData\Local\Apple Computer
2010-12-09 04:33 . 2010-12-09 04:33 -------- d-----w- C:\$AVG
2010-12-08 03:33 . 2010-12-08 03:33 0 ----a-w- c:\users\Kim\AppData\Local\Eqemegigusobogi.bin
2010-12-02 16:40 . 2010-12-08 20:17 -------- d-----w- c:\users\Kim\AppData\Roaming\gtk-2.0
2010-12-02 16:40 . 2010-12-02 16:40 -------- d-----w- c:\users\Kim\.thumbnails
2010-12-02 16:38 . 2010-12-07 19:44 -------- d-----w- c:\users\Kim\.gimp-2.6
2010-12-02 16:37 . 2010-12-08 20:17 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2010-06-29 19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-06-29 19:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-02 19:19 . 2010-11-02 19:19 720896 ----a-w- c:\windows\iun6002.exe
2010-10-14 02:28 . 2010-08-29 15:09 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-14 02:28 . 2010-08-29 15:09 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-14 02:28 . 2010-08-29 15:09 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-14 02:28 . 2010-08-29 15:09 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-14 02:28 . 2010-08-29 15:09 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-14 02:28 . 2010-08-29 15:09 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-14 02:28 . 2010-08-29 15:09 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-14 02:28 . 2007-08-27 13:42 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-14 02:28 . 2007-08-27 13:42 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-10-14 02:28 . 2007-08-27 13:42 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"Google Update"="c:\users\Kim\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-12-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Kim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

[HKLM\~\startupfolder\C:^Users^Kim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-24 19:54 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

R0 wuat;wuat;c:\windows\System32\drivers\vitskyw.sys [x]
R2 0173961293665207mcinstcleanup;McAfee Application Installer Cleanup (0173961293665207);c:\windows\TEMP\017396~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 84264]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2005-01-31 163328]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-28 1343400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-14 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-14 164840]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-14 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-14 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 313288]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
*Deregistered* - MPFP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000Core.job
- c:\users\Kim\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-18 00:41]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000UA.job
- c:\users\Kim\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-18 00:41]

2010-12-09 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2010-12-09 19:25]
.
.
------- Supplementary Scan -------
.
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-BCSSync - c:\program files\Microsoft Office\Office14\BCSSync.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-29 19:11:03
ComboFix-quarantined-files.txt 2010-12-30 00:11

Pre-Run: 51,539,378,176 bytes free
Post-Run: 51,449,040,896 bytes free

- - End Of File - - 2F94E08A12878C36C28BD39F30CC2262


These files are still in their folders:

-- C:\Users\Kim\AppData\Local\Mgido.dat -- C:\Users\Kim\AppData\Local\Eqemegigusobogi.bin
Should I remove them?

I can sort of read what the program deleted. I'm sorry if it's bothering you but I'm trying to learn about where my computer was hit and how I can protect and clean this in the future.

Thank you as always for your help!

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 30 December 2010 - 04:46 PM

Hello, zoeticreverie.

There is a hole in your Java as it is about 22 updates old. :) Java updates all the time to close security holes as they are found. Starting with the 16th update or so, they check for updates automatically, but your versions doesn't have that. Since the old versions have known exploits, various webpages could exploit those well-known holes until you update. We'll do that next, but first, we need to clean up a bit more. You did notice the files which I'm scripting out here...that is part of the infection.


Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet is not extremely high and once you put a site in your trusted zone, basically almost anymore or thing, including hackers or other malicious software have full access to that site which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

Folder::
C:\Users\Kim\AppData\Local\{506E5848-9938-489B-98A7-E34451C1EF12}
File::
C:\Users\Kim\AppData\Local\Mgido.dat
C:\Users\Kim\AppData\Local\Eqemegigusobogi.bin
c:\windows\System32\drivers\vitskyw.sys
Driver::
wuat
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#11 zoeticreverie

zoeticreverie
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 31 December 2010 - 09:50 AM

Executables will not launch.


"Illegal operation attempted on a registry key that has been marked for deletion"

... I'm lucky I have another machine readily available. McAfee was disabled... it enabled itself on the reboot. Could I do a system restore and retry this?

I hate this antivirus.




ComboFix 10-12-29.01 - Kim 12/31/2010 9:23.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1345 [GMT -5:00]
Running from: c:\users\Kim\Desktop\etavaresCF.exe
Command switches used :: c:\users\Kim\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\Kim\AppData\Local\Eqemegigusobogi.bin"
"c:\users\Kim\AppData\Local\Mgido.dat"
"c:\windows\System32\drivers\vitskyw.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kim\AppData\Local\Eqemegigusobogi.bin
c:\users\Kim\AppData\Local\Mgido.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_wuat


((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.

2010-12-31 14:31 . 2010-12-31 14:35 -------- d-----w- c:\users\Kim\AppData\Local\temp
2010-12-31 14:31 . 2010-12-31 14:31 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-12-18 00:40 . 2010-12-18 00:41 -------- d-----w- c:\users\Kim\AppData\Local\Deployment
2010-12-17 21:33 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-17 21:31 . 2010-10-20 04:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-17 21:31 . 2010-10-20 02:58 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-17 21:31 . 2010-10-20 03:00 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-12 21:08 . 2010-12-12 22:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-12 21:08 . 2010-12-12 21:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-09 16:02 . 2010-12-09 16:02 -------- d-----w- c:\users\Kim\AppData\Roaming\McAfee
2010-12-09 14:21 . 2010-12-09 14:21 -------- d-----w- c:\users\Kim\AppData\Local\Adobe
2010-12-09 13:39 . 2010-12-20 03:21 -------- d-----w- c:\users\Kim\AppData\Local\Apple Computer
2010-12-09 04:33 . 2010-12-09 04:33 -------- d-----w- C:\$AVG
2010-12-02 16:40 . 2010-12-08 20:17 -------- d-----w- c:\users\Kim\AppData\Roaming\gtk-2.0
2010-12-02 16:40 . 2010-12-02 16:40 -------- d-----w- c:\users\Kim\.thumbnails
2010-12-02 16:38 . 2010-12-07 19:44 -------- d-----w- c:\users\Kim\.gimp-2.6
2010-12-02 16:37 . 2010-12-08 20:17 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2010-06-29 19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-06-29 19:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-02 19:19 . 2010-11-02 19:19 720896 ----a-w- c:\windows\iun6002.exe
2010-10-14 02:28 . 2010-08-29 15:09 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-14 02:28 . 2010-08-29 15:09 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-14 02:28 . 2010-08-29 15:09 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-14 02:28 . 2010-08-29 15:09 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-14 02:28 . 2010-08-29 15:09 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-14 02:28 . 2010-08-29 15:09 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-14 02:28 . 2010-08-29 15:09 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-14 02:28 . 2007-08-27 13:42 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-14 02:28 . 2007-08-27 13:42 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-10-14 02:28 . 2007-08-27 13:42 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"Google Update"="c:\users\Kim\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-12-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Kim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

[HKLM\~\startupfolder\C:^Users^Kim^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\Kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-24 19:54 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

R2 0173961293665207mcinstcleanup;McAfee Application Installer Cleanup (0173961293665207);c:\windows\TEMP\017396~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 84264]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2005-01-31 163328]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-28 1343400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-14 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-14 164840]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-14 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-14 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 313288]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
*Deregistered* - MPFP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000Core.job
- c:\users\Kim\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-18 00:41]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000UA.job
- c:\users\Kim\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-18 00:41]

2010-12-09 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2010-12-09 19:25]
.
.
------- Supplementary Scan -------
.
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2152)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-12-31 09:39:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-31 14:39
ComboFix2.txt 2010-12-30 00:11

Pre-Run: 50,806,247,424 bytes free
Post-Run: 50,598,371,328 bytes free

- - End Of File - - 3E723B56F51650FA79B378C709361C78

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 31 December 2010 - 12:47 PM

Manually reboot and that error should go away. Did that help?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#13 zoeticreverie

zoeticreverie
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 31 December 2010 - 03:23 PM

Yup, a reboot helped.

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:41 AM

Posted 01 January 2011 - 07:41 AM

Hello, zoeticreverie.

OK, let's move on. Please let me know how your computer is running after this.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 23 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java 1.6
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.




Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need run an OTL Script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\vitskyw.sys -- (wuat)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O36 - AppCertDlls: krnldmin - (C:\Windows\system32\Dxpssync.dll) - C:\Windows\System32\Dxpssync.dll File not found
:Commands
[EmptyTemp]
  • Click the Run Fix button at the top.
  • let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 

#15 zoeticreverie

zoeticreverie
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Local time:01:41 AM

Posted 01 January 2011 - 03:03 PM

Java:

Java uninstalled. Reboot. jdk-6u23-windows-i586 run, installed, rebooted. Manually checked for updates, up-to-date, reduced java disk space to 500MB.


OTL Custom Scan:

All processes killed
========== OTL ==========
Error: No service named wuat was found to stop!
Service\Driver key wuat not found.
File C:\Windows\System32\drivers\vitskyw.sys not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ not found.
Registry key HKEY_USERS\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Registry key HKEY_USERS\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1091 bytes
->FireFox cache emptied: 7041955 bytes
->Flash cache emptied: 589 bytes

User: Kim
->Temp folder emptied: 36721 bytes
->Temporary Internet Files folder emptied: 1200948 bytes
->Java cache emptied: 205566 bytes
->Google Chrome cache emptied: 356441183 bytes
->Flash cache emptied: 24575 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2432 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 348.00 mb


OTL by OldTimer - Version 3.2.18.0 log created on 01012011_112154

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

_______

Machine rebooted again.

OTL Scan:

OTL logfile created on: 1/1/2011 11:28:49 AM - Run 3
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\Kim\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.44 Gb Total Space | 45.83 Gb Free Space | 33.59% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.20 Gb Free Space | 62.02% Space Free | Partition Type: NTFS

Computer Name: KIM-PC | User Name: Kim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/26 11:32:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
PRC - [2010/12/08 18:28:23 | 000,991,800 | ---- | M] (Google Inc.) -- C:\Users\Kim\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/10/13 21:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 21:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/09/30 12:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/03/26 10:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/01/15 07:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/21 09:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2007/07/20 18:13:26 | 001,180,952 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/06/25 00:17:04 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/06/25 00:17:00 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe


========== Modules (SafeList) ==========

MOD - [2010/12/26 11:32:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2010/04/01 08:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Windows\TEMP\017396~1.EXE -- (0173961293665207mcinstcleanup) McAfee Application Installer Cleanup (0173961293665207)
SRV - [2010/10/13 21:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 21:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/03/26 10:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/02/28 10:37:43 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/06/25 00:17:00 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/03/19 12:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Kim\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010/10/13 21:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 21:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 21:28:54 | 000,164,840 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2010/10/13 21:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 21:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 21:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 21:28:54 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2010/10/13 21:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 21:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/09/23 18:18:14 | 004,808,192 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2007/06/25 00:17:04 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/04/27 19:35:56 | 000,182,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/27 02:48:46 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/27 02:48:44 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/27 02:48:44 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/02 21:43:30 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 21:42:18 | 000,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/11/02 21:42:08 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/04 19:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2005/01/31 10:13:22 | 000,163,328 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV532AV.SYS -- (PID_0920) Logitech QuickCam Express(PID_0920)
DRV - [2005/01/31 10:12:46 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 69 93 19 BB A7 CB 01 [binary data]
IE - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/12/17 19:17:40 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/12/31 09:34:14 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101106031836.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3149470142-215556204-1523186525-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Kim\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kim\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/01 11:21:54 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/01/01 11:15:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/01/01 11:12:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/01/01 11:12:31 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2011/01/01 11:12:18 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/01/01 11:12:18 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/01/01 11:12:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/01/01 11:12:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/12/31 09:39:55 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/12/31 09:34:29 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/12/31 09:31:45 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\temp
[2010/12/31 09:16:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/12/29 18:49:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/12/29 18:49:32 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/12/29 18:49:32 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/12/29 18:49:28 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/29 18:49:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/26 11:32:16 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
[2010/12/20 00:04:26 | 000,000,000 | ---D | C] -- C:\Users\Kim\Desktop\Desktop
[2010/12/17 19:40:47 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\Deployment
[2010/12/17 16:32:52 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/12/17 16:32:20 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/12/17 16:32:17 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/12/17 16:32:17 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/12/17 16:32:17 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/12/17 16:32:17 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/12/17 16:32:17 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/12/17 16:32:16 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/12/17 16:32:16 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/12/17 16:32:16 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/12/17 16:32:16 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/12/17 16:32:16 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/12/17 16:32:06 | 000,496,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll
[2010/12/17 16:32:06 | 000,351,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll
[2010/12/17 16:32:06 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll
[2010/12/17 16:32:06 | 000,179,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
[2010/12/17 16:32:03 | 000,101,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
[2010/12/17 16:32:01 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webio.dll
[2010/12/17 16:31:58 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/12/17 16:31:58 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/12/17 16:31:55 | 002,327,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/12/12 16:08:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/12 16:08:23 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/09 11:02:04 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Roaming\McAfee
[2010/12/09 09:21:28 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\Adobe
[2010/12/09 08:39:27 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Local\Apple Computer
[2010/12/08 23:33:36 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/12/02 11:40:44 | 000,000,000 | ---D | C] -- C:\Users\Kim\AppData\Roaming\gtk-2.0
[2010/12/02 11:40:40 | 000,000,000 | ---D | C] -- C:\Users\Kim\.thumbnails
[2010/12/02 11:38:04 | 000,000,000 | ---D | C] -- C:\Users\Kim\Documents\gegl-0.0
[2010/12/02 11:38:04 | 000,000,000 | ---D | C] -- C:\Users\Kim\.gimp-2.6
[2010/12/02 11:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0

========== Files - Modified Within 30 Days ==========

[2011/01/01 11:26:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/01 11:26:20 | 1602,781,184 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/01 11:11:55 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/01/01 11:11:55 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/01/01 11:11:55 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/01/01 11:11:54 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/01/01 11:09:18 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/01/01 11:09:18 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/01/01 10:54:52 | 080,029,464 | ---- | M] () -- C:\Users\Kim\Desktop\jdk-6u23-windows-i586.exe
[2011/01/01 10:46:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000UA.job
[2010/12/31 15:19:10 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/12/31 09:45:39 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/31 09:45:39 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/31 09:34:14 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/12/29 19:46:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000Core.job
[2010/12/29 18:39:15 | 003,999,590 | R--- | M] () -- C:\Users\Kim\Desktop\etavaresCF.exe
[2010/12/26 11:32:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Kim\Desktop\OTL.exe
[2010/12/18 08:34:06 | 000,465,768 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/12 16:08:31 | 000,001,242 | ---- | M] () -- C:\Users\Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/12 16:08:31 | 000,001,218 | ---- | M] () -- C:\Users\Kim\Desktop\Spybot - Search & Destroy.lnk
[2010/12/12 15:27:09 | 000,001,318 | ---- | M] () -- C:\Users\Kim\Desktop\Fall 10.lnk
[2010/12/12 15:13:28 | 000,001,432 | ---- | M] () -- C:\Users\Kim\Desktop\mbam.exe - Shortcut.lnk
[2010/12/09 11:05:04 | 000,000,398 | ---- | M] () -- C:\Windows\tasks\vtscheduletask.job
[2010/12/07 14:44:12 | 000,004,946 | ---- | M] () -- C:\Users\Kim\.recently-used.xbel
[2010/12/02 11:37:48 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\GIMP 2.lnk

========== Files Created - No Company Name ==========

[2011/01/01 10:54:15 | 080,029,464 | ---- | C] () -- C:\Users\Kim\Desktop\jdk-6u23-windows-i586.exe
[2010/12/29 18:49:33 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/12/29 18:49:33 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2010/12/29 18:49:32 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/12/29 18:49:32 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/12/29 18:49:32 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/12/29 18:39:23 | 003,999,590 | R--- | C] () -- C:\Users\Kim\Desktop\etavaresCF.exe
[2010/12/17 19:41:12 | 000,000,900 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000UA.job
[2010/12/17 19:41:11 | 000,000,848 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3149470142-215556204-1523186525-1000Core.job
[2010/12/12 16:08:31 | 000,001,242 | ---- | C] () -- C:\Users\Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/12 16:08:31 | 000,001,218 | ---- | C] () -- C:\Users\Kim\Desktop\Spybot - Search & Destroy.lnk
[2010/12/12 15:13:28 | 000,001,432 | ---- | C] () -- C:\Users\Kim\Desktop\mbam.exe - Shortcut.lnk
[2010/12/09 11:02:01 | 000,000,398 | ---- | C] () -- C:\Windows\tasks\vtscheduletask.job
[2010/12/07 14:44:12 | 000,004,946 | ---- | C] () -- C:\Users\Kim\.recently-used.xbel
[2010/12/02 11:37:48 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\GIMP 2.lnk
[2010/06/07 22:11:51 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010/05/19 00:39:17 | 000,000,767 | ---- | C] () -- C:\Windows\entpack.ini
[2009/11/25 20:30:49 | 000,007,602 | ---- | C] () -- C:\Users\Kim\AppData\Local\Resmon.ResmonCfg
[2009/10/22 19:04:22 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/09/02 18:52:47 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2007/09/19 23:42:22 | 000,000,000 | ---- | C] () -- C:\Users\Kim\AppData\Roaming\wklnhst.dat
[2007/08/27 16:13:11 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/08/27 16:13:01 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2006/11/07 14:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2005/01/31 10:13:22 | 000,163,328 | ---- | C] () -- C:\Windows\System32\drivers\LV532AV.SYS
[2005/01/31 08:37:58 | 000,009,255 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini

< End of report >


_____

Machine rebooted.

MBAM quick, dv5437 -- 0 threats detected:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5437

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/1/2011 11:44:10 AM
mbam-log-2011-01-01 (11-44-10).txt

Scan type: Quick scan
Objects scanned: 165300
Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

____

Machine rebooted.


ESET OnlineScan:

No threats detected. No log option available – see attached jpeg.

Running a bit slow...

___

Cold boot to diagnostics -- HDD short for fun. Pass :)

Reboot -- Running well.

Attached Files


Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·