
Windows 7 Malware.... logs


  • This topic is locked
59 replies to this topic

#1 agoh
  • Members
  • 36 posts

Posted 08 June 2011 - 01:22 PM

I have attached the DDS log as well as the GMER log. If somebody can please look over this for me that would be great. I previously had the Windows 7 Repair Malware, but from the looks of it, my computer looks like it is in good shape now; but a "google synaptics" or "google analytics" browser pops up occasionally. I downloaded Malwarebytes Antivirus and currently have McAfee SiteAdvisor.

Thanks in advance!

Somebody please help me.

DDS


DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Ashley at 13:11:31 on 2011-06-08
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.151 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\lxeccoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\windows\system32\mfevtps.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
C:\windows\SYSTEM32\Rezip.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\igfxext.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\Explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Microsoft.Search.HRSToolBar.InitToolbarBHO: {1d970ed5-3eda-438d-bffd-715931e2775d} - mscoree.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110418222225.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
uRun: [yjmUjuesNXqx] c:\programdata\yjmUjuesNXqx.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [APLangApp] "c:\program files\anypc client\APLangApp.exe"
mRun: [fsi] c:\program files\phoenix technologies ltd\failsafe\FailSafeLauncher.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\ashley\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\0303030313 : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\1303139366 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\2757375636572756 : DhcpNameServer = 137.45.26.19 137.45.28.4 137.45.24.5
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\275777962756C6563737 : DhcpNameServer = 137.45.26.19 137.45.28.4 137.45.24.5
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\75C414E4 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\7756374756C6C693739393 : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{6E5F226B-BF13-4CF5-B8D0-A0DECB1F116A}\C696E6B6379737 : DhcpNameServer = 209.55.5.10 209.55.5.11
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ashley\appdata\roaming\mozilla\firefox\profiles\fd1clhv3.default\
FF - prefs.js: browser.startup.homepage - hxxps://myru.radford.edu/cp/home/displaylogin\r
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-4-18 386840]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-4-18 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-4-18 164840]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-12-14 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-18 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-18 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-4-18 313288]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-4-18 55840]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-8-13 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-18 84264]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
.
=============== Created Last 30 ================
.
2011-06-08 17:04:53 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f874dd12-7d58-4887-800c-0616e93fa8e5}\mpengine.dll
2011-06-06 03:45:55 388096 ----a-r- c:\users\ashley\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-06 03:45:55 -------- d-----w- c:\program files\Trend Micro
2011-06-06 03:06:18 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-06 02:45:47 -------- d-----w- C:\ComboFix
2011-06-06 02:17:33 -------- d-----w- c:\users\ashley\appdata\local\temp
2011-06-06 02:13:39 -------- d-----w- c:\users\ashley\appdata\roaming\Malwarebytes
2011-06-06 02:13:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-06 02:13:29 -------- d-----w- c:\programdata\Malwarebytes
2011-06-06 02:13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-06 01:59:14 518144 ----a-w- c:\windows\SWREG.exe
2011-06-06 01:59:14 256512 ----a-w- c:\windows\PEV.exe
2011-06-06 01:59:14 208896 ----a-w- c:\windows\MBR.exe
2011-06-06 01:59:13 98816 ----a-w- c:\windows\sed.exe
2011-05-30 07:05:49 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-05-28 00:45:53 -------- d-----w- c:\program files\oDesk
2011-05-28 00:44:16 -------- d-----w- c:\users\ashley\appdata\local\oDesk
2011-05-26 20:50:54 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-20 00:43:33 -------- d-----w- c:\users\ashley\appdata\local\Deployment
2011-05-20 00:43:33 -------- d-----w- c:\users\ashley\appdata\local\Apps
2011-05-13 22:33:07 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 18:22:49 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 18:22:49 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 18:22:48 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 18:22:48 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 18:22:47 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-11 18:22:47 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 18:22:47 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 18:22:38 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 18:22:38 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:52:25 1210752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe
.
============= FINISH: 13:13:55.80 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows 7 Starter
Boot Device: \Device\HarddiskVolume2
Install Date: 8/13/2010 4:17:53 AM
System Uptime: 6/7/2011 11:36:06 PM (14 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | N150/N210/N220
Processor: Intel® Atom™ CPU N450 @ 1.66GHz | CPU 1 | 1667/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 67 GiB total, 23.094 GiB free.
D: is FIXED (NTFS) - 67 GiB total, 66.887 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Palm Handheld
Device ID: USB\VID_0830&PID_0061\PALMSN12345678
Manufacturer:
Name: Palm Handheld
PNP Device ID: USB\VID_0830&PID_0061\PALMSN12345678
Service:
.
==== System Restore Points ===================
.
RP130: 5/15/2011 6:50:47 PM - Windows Update
RP131: 5/19/2011 9:22:59 PM - Removed Bing HRS Toolbar
RP132: 5/30/2011 12:04:39 AM - Windows Update
RP134: 5/30/2011 3:04:09 AM - Installed PC Inspector smart recovery
RP136: 5/30/2011 3:10:46 AM - Installed PC Inspector smart recovery
RP138: 5/30/2011 3:14:21 AM - Removed PC Inspector smart recovery
RP139: 6/5/2011 11:38:25 PM - Installed HiJackThis
RP140: 6/5/2011 11:45:03 PM - Installed HiJackThis
RP141: 6/6/2011 6:52:28 PM - Windows Update
RP142: 6/8/2011 1:04:15 PM - Windows Update
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
AIM 7
Alice Greenfingers
AnyPC Client
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Client Installation Program
BatteryLifeExtender
Bing HRS Toolbar
Bonjour
ChargeableUSB
Cisco NAC Agent
Compatibility Pack for the 2007 Office system
CyberLink YouCam
DivX Setup
Download Updater (AOL LLC)
Easy Display Manager
Easy Network Manager
Easy Resolution Manager
Easy SpeedUp Manager
EasyBatteryManager
Express Scribe
Farm Frenzy 2
FrostWire 4.21.1
Game Pack
Go-Go Gourmet
Google Update Helper
HiJackThis
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 24
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.0.1200
Marvell Miniport Driver
McAfee SecurityCenter
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.6.17)
MSVCRT
oDesk Team
PokerStars
QuickTime
Realtek High Definition Audio Driver
REALTEK Wireless LAN Software
Samsung Recovery Solution 4
Samsung Support Center
Samsung Update Plus
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Skype Toolbars
Skype™ 5.1
Spelling Dictionaries Support For Adobe Reader 9
Synaptics Pointing Device Driver
Update for Microsoft Office Word 2007 (KB974631)
User Guide
VC80CRTRedist - 8.0.50727.4053
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
6/6/2011 2:36:33 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
6/6/2011 1:20:10 AM, Error: Service Control Manager [7000] - The McAfee VirusScan Announcer service failed to start due to the following error: The system cannot find the file specified.
6/6/2011 1:20:10 AM, Error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The system cannot find the file specified.
6/6/2011 1:20:10 AM, Error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The system cannot find the file specified.
6/6/2011 1:20:10 AM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
6/6/2011 1:18:10 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
6/6/2011 1:18:08 AM, Error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The system cannot find the file specified.
6/6/2011 1:18:08 AM, Error: Service Control Manager [7000] - The McAfee Personal Firewall service failed to start due to the following error: The system cannot find the file specified.
6/6/2011 1:18:08 AM, Error: Service Control Manager [7000] - The McAfee Anti-Spam Service service failed to start due to the following error: The system cannot find the file specified.
6/5/2011 9:23:37 PM, Error: Service Control Manager [7023] - The Server service terminated with the following error: The data is invalid.
6/5/2011 9:23:34 PM, Error: Service Control Manager [7038] - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/5/2011 9:23:34 PM, Error: Service Control Manager [7000] - The Portable Device Enumerator Service service failed to start due to the following error: A system shutdown is in progress.
6/5/2011 9:23:34 PM, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The service did not start due to a logon failure.
6/5/2011 9:19:55 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:19:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
6/5/2011 9:18:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
6/5/2011 9:18:44 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdrom DfsC discache mfehidk mfenlfk mfewfpk NetBIOS NetBT nsiproxy Psched rdbss SABI spldr Tcpip tdx vwififlt Wanarpv6 WfpLwf
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The McAfee Personal Firewall service depends on the Windows Firewall service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:42 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 9:18:41 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2011 11:06:25 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 10:59:25 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 10:59:18 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
6/5/2011 10:46:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
6/5/2011 10:35:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/5/2011 10:27:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
6/5/2011 10:20:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/5/2011 10:20:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/5/2011 10:20:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/5/2011 10:19:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/5/2011 10:19:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom discache SABI spldr Wanarpv6
6/4/2011 3:21:05 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
.
==== End Of File ===========================
GMER

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-06-08 14:22:15
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.PBBO
Running: gmer.exe; Driver: C:\Users\Ashley\AppData\Local\Temp\uxdiqpod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x869C30B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x869C30E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x869C30CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x869C30A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81E45118 5 Bytes JMP 869C30A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81E5D569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E82092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\etlsa.sys The system cannot find the path specified. !
? C:\Users\Ashley\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\windows\Explorer.exe[408] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FEF
.text C:\windows\Explorer.exe[408] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00040FCA
.text C:\windows\Explorer.exe[408] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00040000
.text C:\windows\Explorer.exe[408] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00090F35
.text C:\windows\Explorer.exe[408] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 000900AF
.text C:\windows\Explorer.exe[408] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 0009009E
.text C:\windows\Explorer.exe[408] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00090FCD
.text C:\windows\Explorer.exe[408] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00090F50
.text C:\windows\Explorer.exe[408] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00090F72
.text C:\windows\Explorer.exe[408] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 0009004A
.text C:\windows\Explorer.exe[408] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00090F97
.text C:\windows\Explorer.exe[408] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00090FEF
.text C:\windows\Explorer.exe[408] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 000900C0
.text C:\windows\Explorer.exe[408] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00090039
.text C:\windows\Explorer.exe[408] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00090FA8
.text C:\windows\Explorer.exe[408] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 0009000A
.text C:\windows\Explorer.exe[408] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00090079
.text C:\windows\Explorer.exe[408] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00090FDE
.text C:\windows\Explorer.exe[408] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00090F1A
.text C:\windows\Explorer.exe[408] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00090F61
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 000B0000
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 000B0FE5
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 000B0FAF
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 000B0FCA
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 000B0025
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 000B006C
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 000B0036
.text C:\windows\Explorer.exe[408] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 000B0047
.text C:\windows\Explorer.exe[408] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00170000
.text C:\windows\Explorer.exe[408] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00170040
.text C:\windows\Explorer.exe[408] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00170FB5
.text C:\windows\Explorer.exe[408] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00170FD7
.text C:\windows\Explorer.exe[408] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00170FC6
.text C:\windows\Explorer.exe[408] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00170011
.text C:\windows\Explorer.exe[408] WS2_32.dll!socket 757D3F00 5 Bytes JMP 005D0000
.text C:\windows\Explorer.exe[408] WININET.dll!InternetOpenA 76094E2B 5 Bytes JMP 005F0000
.text C:\windows\Explorer.exe[408] WININET.dll!InternetOpenUrlA 7609BFCE 5 Bytes JMP 005F0036
.text C:\windows\Explorer.exe[408] WININET.dll!InternetOpenW 760CC03E 5 Bytes JMP 005F0025
.text C:\windows\Explorer.exe[408] WININET.dll!InternetOpenUrlW 760FD722 5 Bytes JMP 005F005B
.text C:\windows\system32\services.exe[676] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 004E0FE5
.text C:\windows\system32\services.exe[676] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 004E0011
.text C:\windows\system32\services.exe[676] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 004E0000
.text C:\windows\system32\services.exe[676] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 004F00A2
.text C:\windows\system32\services.exe[676] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 004F00F3
.text C:\windows\system32\services.exe[676] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 004F00D8
.text C:\windows\system32\services.exe[676] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 004F0FD4
.text C:\windows\system32\services.exe[676] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 004F0087
.text C:\windows\system32\services.exe[676] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 004F0F94
.text C:\windows\system32\services.exe[676] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 004F006C
.text C:\windows\system32\services.exe[676] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 004F0051
.text C:\windows\system32\services.exe[676] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 004F0025
.text C:\windows\system32\services.exe[676] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 004F0104
.text C:\windows\system32\services.exe[676] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 004F0FB9
.text C:\windows\system32\services.exe[676] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 004F0040
.text C:\windows\system32\services.exe[676] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 004F0000
.text C:\windows\system32\services.exe[676] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 004F0F5E
.text C:\windows\system32\services.exe[676] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 004F0FE5
.text C:\windows\system32\services.exe[676] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 004F00C7
.text C:\windows\system32\services.exe[676] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 004F0F79
.text C:\windows\system32\services.exe[676] msvcrt.dll!_open 759F7E48 5 Bytes JMP 006E000C
.text C:\windows\system32\services.exe[676] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 006E0FC0
.text C:\windows\system32\services.exe[676] msvcrt.dll!system 75A2B16F 5 Bytes JMP 006E004B
.text C:\windows\system32\services.exe[676] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 006E003A
.text C:\windows\system32\services.exe[676] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 006E0FDB
.text C:\windows\system32\services.exe[676] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 006E001D
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 006F0FEF
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 006F0FC3
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 006F0F97
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 006F0FA8
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 006F0014
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExW 75D9B946 1 Byte [E9]
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 006F004A
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 006F0025
.text C:\windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 006F0FD4
.text C:\windows\system32\services.exe[676] WININET.dll!InternetOpenA 76094E2B 5 Bytes JMP 01120FEF
.text C:\windows\system32\services.exe[676] WININET.dll!InternetOpenUrlA 7609BFCE 5 Bytes JMP 01120FC3
.text C:\windows\system32\services.exe[676] WININET.dll!InternetOpenW 760CC03E 5 Bytes JMP 01120FDE
.text C:\windows\system32\services.exe[676] WININET.dll!InternetOpenUrlW 760FD722 5 Bytes JMP 01120FA8
.text C:\windows\system32\services.exe[676] WS2_32.dll!socket 757D3F00 5 Bytes JMP 006D0FEF
.text C:\windows\system32\lsass.exe[724] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FEF
.text C:\windows\system32\lsass.exe[724] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00040FD4
.text C:\windows\system32\lsass.exe[724] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 0004000A
.text C:\windows\system32\lsass.exe[724] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00050051
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00050EE1
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00050EF2
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00050F9E
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00050F28
.text C:\windows\system32\lsass.exe[724] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00050F43
.text C:\windows\system32\lsass.exe[724] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 0005001B
.text C:\windows\system32\lsass.exe[724] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 0005000A
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00050FDE
.text C:\windows\system32\lsass.exe[724] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00050091
.text C:\windows\system32\lsass.exe[724] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00050F8D
.text C:\windows\system32\lsass.exe[724] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00050F72
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00050FEF
.text C:\windows\system32\lsass.exe[724] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 0005006C
.text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00050FB9
.text C:\windows\system32\lsass.exe[724] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00050F0D
.text C:\windows\system32\lsass.exe[724] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 0005002C
.text C:\windows\system32\lsass.exe[724] msvcrt.dll!_open 759F7E48 5 Bytes JMP 0007000C
.text C:\windows\system32\lsass.exe[724] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00070042
.text C:\windows\system32\lsass.exe[724] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00070031
.text C:\windows\system32\lsass.exe[724] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00070FD2
.text C:\windows\system32\lsass.exe[724] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00070FC1
.text C:\windows\system32\lsass.exe[724] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00070FE3
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 006A0000
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 006A0036
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 006A0062
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 006A0047
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 006A0FEF
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 006A0FA5
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 006A0FD4
.text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 006A0025
.text C:\windows\system32\lsass.exe[724] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00060000
.text C:\windows\system32\svchost.exe[864] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00320FE5
.text C:\windows\system32\svchost.exe[864] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00320FCA
.text C:\windows\system32\svchost.exe[864] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00320000
.text C:\windows\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 003300CE
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00330F6C
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 0033010B
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00330040
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00330FAF
.text C:\windows\system32\svchost.exe[864] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00330FCA
.text C:\windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 003300A2
.text C:\windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00330087
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00330014
.text C:\windows\system32\svchost.exe[864] kernel32.dll!GetProcAddress 75501857 1 Byte [E9]
.text C:\windows\system32\svchost.exe[864] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00330F5B
.text C:\windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 0033005B
.text C:\windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00330076
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00330FEF
.text C:\windows\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 003300DF
.text C:\windows\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 0033002F
.text C:\windows\system32\svchost.exe[864] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 003300F0
.text C:\windows\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 003300BD
.text C:\windows\system32\svchost.exe[864] msvcrt.dll!_open 759F7E48 5 Bytes JMP 003D0FEF
.text C:\windows\system32\svchost.exe[864] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 003D0044
.text C:\windows\system32\svchost.exe[864] msvcrt.dll!system 75A2B16F 5 Bytes JMP 003D0033
.text C:\windows\system32\svchost.exe[864] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 003D0022
.text C:\windows\system32\svchost.exe[864] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 003D0FCD
.text C:\windows\system32\svchost.exe[864] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 003D0FDE
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 003E0FEF
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 003E0040
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 003E0FB9
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 003E005B
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 003E0000
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 003E0080
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 003E0FD4
.text C:\windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 003E002F
.text C:\windows\system32\svchost.exe[864] WS2_32.dll!socket 757D3F00 5 Bytes JMP 003C0FE5
.text C:\windows\system32\svchost.exe[944] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 001B0FEF
.text C:\windows\system32\svchost.exe[944] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 001B0FD4
.text C:\windows\system32\svchost.exe[944] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 001B000A
.text C:\windows\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 001C0F28
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 001C0EDE
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 001C007D
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 001C0000
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 001C0F39
.text C:\windows\system32\svchost.exe[944] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 001C0051
.text C:\windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 001C0036
.text C:\windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 001C001B
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 001C0FCA
.text C:\windows\system32\svchost.exe[944] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 001C0ECD
.text C:\windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 001C0F94
.text C:\windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 001C0F79
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 001C0FE5
.text C:\windows\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 001C0F17
.text C:\windows\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 001C0FAF
.text C:\windows\system32\svchost.exe[944] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 001C006C
.text C:\windows\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 001C0F54
.text C:\windows\system32\svchost.exe[944] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00220FEF
.text C:\windows\system32\svchost.exe[944] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00220FC3
.text C:\windows\system32\svchost.exe[944] msvcrt.dll!system 75A2B16F 5 Bytes JMP 0022004E
.text C:\windows\system32\svchost.exe[944] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00220FDE
.text C:\windows\system32\svchost.exe[944] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00220033
.text C:\windows\system32\svchost.exe[944] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00220018
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 0023000A
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 00230076
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00230FEF
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 00230091
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00230025
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00230FDE
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 00230040
.text C:\windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00230051
.text C:\windows\system32\svchost.exe[944] WS2_32.dll!socket 757D3F00 5 Bytes JMP 001D0000
.text C:\windows\System32\svchost.exe[996] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 009E000A
.text C:\windows\System32\svchost.exe[996] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 009E0025
.text C:\windows\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 009E0FEF
.text C:\windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00A30F54
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00A30F25
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00A300C4
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00A30FCA
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00A30F6F
.text C:\windows\System32\svchost.exe[996] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00A3007D
.text C:\windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00A30FAF
.text C:\windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00A30062
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00A30FE5
.text C:\windows\System32\svchost.exe[996] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00A300D5
.text C:\windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00A30036
.text C:\windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00A30051
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00A30000
.text C:\windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00A30098
.text C:\windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00A3001B
.text C:\windows\System32\svchost.exe[996] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00A300A9
.text C:\windows\System32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00A30F8A
.text C:\windows\System32\svchost.exe[996] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00A9000C
.text C:\windows\System32\svchost.exe[996] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00A90FD4
.text C:\windows\System32\svchost.exe[996] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00A90055
.text C:\windows\System32\svchost.exe[996] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00A90029
.text C:\windows\System32\svchost.exe[996] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00A9003A
.text C:\windows\System32\svchost.exe[996] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00A90FEF
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 00AA0FEF
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 00AA0FAF
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00AA0F83
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 00AA0F9E
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00AA000A
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 75D9B946 1 Byte [E9]
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00AA004A
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 00AA0FD4
.text C:\windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00AA001B
.text C:\windows\System32\svchost.exe[996] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00A80FEF
.text C:\windows\System32\svchost.exe[1088] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00B5000A
.text C:\windows\System32\svchost.exe[1088] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00B50025
.text C:\windows\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00B50FEF
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00E70F39
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00E70ED7
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00E70EFC
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00E70FC0
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00E70062
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00E70051
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00E70F79
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00E70F94
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00E70000
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00E70087
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00E7002C
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00E70FAF
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00E70FEF
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00E70F28
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00E7001B
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00E70F17
.text C:\windows\System32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00E70F54
.text C:\windows\System32\svchost.exe[1088] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00ED0FE3
.text C:\windows\System32\svchost.exe[1088] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00ED0036
.text C:\windows\System32\svchost.exe[1088] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00ED001B
.text C:\windows\System32\svchost.exe[1088] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00ED0FC6
.text C:\windows\System32\svchost.exe[1088] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00ED0FAB
.text C:\windows\System32\svchost.exe[1088] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00ED0000
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 00EE0FEF
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 00EE0FD4
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00EE006C
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 00EE005B
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00EE0014
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00EE0FA5
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 00EE002F
.text C:\windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00EE0040
.text C:\windows\System32\svchost.exe[1088] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00E80FEF
.text C:\windows\system32\svchost.exe[1116] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 010D0FEF
.text C:\windows\system32\svchost.exe[1116] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 010D0FCA
.text C:\windows\system32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 010D000A
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 01180091
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 01180F10
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 01180F21
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 01180039
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 01180F72
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 01180F83
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 01180F9E
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 0118005B
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 01180014
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 01180EF5
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 01180FC3
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 0118004A
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 01180FEF
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 01180F4D
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 01180FDE
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 01180F32
.text C:\windows\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 01180076
.text C:\windows\system32\svchost.exe[1116] msvcrt.dll!_open 759F7E48 5 Bytes JMP 011E000C
.text C:\windows\system32\svchost.exe[1116] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 011E0F94
.text C:\windows\system32\svchost.exe[1116] msvcrt.dll!system 75A2B16F 5 Bytes JMP 011E0FB9
.text C:\windows\system32\svchost.exe[1116] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 011E0FD4
.text C:\windows\system32\svchost.exe[1116] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 011E0029
.text C:\windows\system32\svchost.exe[1116] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 011E0FEF
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 01230000
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 01230FC3
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 0123004A
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 01230FA8
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 01230FEF
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 01230065
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 01230FD4
.text C:\windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 0123002F
.text C:\windows\system32\svchost.exe[1116] WS2_32.dll!socket 757D3F00 5 Bytes JMP 011D0000
.text C:\windows\system32\svchost.exe[1252] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00520FEF
.text C:\windows\system32\svchost.exe[1252] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00520FDE
.text C:\windows\system32\svchost.exe[1252] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 0052000A
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00530F3C
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00530080
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00530EF5
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00530036
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00530F4D
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00530F72
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00530F8D
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00530FA8
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 0053000A
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00530ED0
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00530FCA
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00530FB9
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00530FEF
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00530F21
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 0053001B
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00530F06
.text C:\windows\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00530065
.text C:\windows\system32\svchost.exe[1252] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00590FEF
.text C:\windows\system32\svchost.exe[1252] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00590FBE
.text C:\windows\system32\svchost.exe[1252] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00590049
.text C:\windows\system32\svchost.exe[1252] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 0059001D
.text C:\windows\system32\svchost.exe[1252] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00590038
.text C:\windows\system32\svchost.exe[1252] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 0059000C
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 005E0FEF
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 005E0FAF
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 005E0F8D
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 005E0F9E
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 005E0000
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 75D9B946 1 Byte [E9]
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 005E004A
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 005E0FCA
.text C:\windows\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 005E001B
.text C:\windows\system32\svchost.exe[1252] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00580000
.text C:\windows\system32\svchost.exe[1396] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00350FEF
.text C:\windows\system32\svchost.exe[1396] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 0035000A
.text C:\windows\system32\svchost.exe[1396] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00350FCA
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 003F008E
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 003F00D5
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 003F00C4
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 003F002C
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 003F0073
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 003F0F65
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 003F0F8A
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 003F0047
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 003F0FDB
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 003F00F0
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 003F0FC0
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 003F0FA5
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 003F0000
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 003F009F
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 003F0011
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 003F0F40
.text C:\windows\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 003F0058
.text C:\windows\system32\svchost.exe[1396] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00410000
.text C:\windows\system32\svchost.exe[1396] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00410049
.text C:\windows\system32\svchost.exe[1396] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00410038
.text C:\windows\system32\svchost.exe[1396] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00410FD2
.text C:\windows\system32\svchost.exe[1396] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 0041001D
.text C:\windows\system32\svchost.exe[1396] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00410FE3
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 0042000A
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 00420FC3
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00420F9E
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 0042004A
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00420FEF
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00420F8D
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 00420025
.text C:\windows\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00420FD4
.text C:\windows\system32\svchost.exe[1396] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00400000
.text C:\windows\system32\svchost.exe[1412] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 0028000A
.text C:\windows\system32\svchost.exe[1412] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00280FDE
.text C:\windows\system32\svchost.exe[1412] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00280FEF
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 000F008E
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 000F0F14
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 000F00A9
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 000F002C
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 000F0F65
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 000F0073
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 000F0062
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 000F0047
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 000F0000
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 000F0EF9
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 000F0FB6
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 000F0FA5
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 000F0FE5
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 000F0F4A
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 000F0011
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 000F0F2F
.text C:\windows\system32\svchost.exe[1412] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 000F0F80
.text C:\windows\system32\svchost.exe[1412] msvcrt.dll!_open 759F7E48 5 Bytes JMP 0029000C
.text C:\windows\system32\svchost.exe[1412] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00290066
.text C:\windows\system32\svchost.exe[1412] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00290FDB
.text C:\windows\system32\svchost.exe[1412] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 0029003A
.text C:\windows\system32\svchost.exe[1412] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 0029004B
.text C:\windows\system32\svchost.exe[1412] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 0029001D
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 00270FEF
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 00270F97
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyExA 75D91B71 1 Byte [E9]
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00270F75
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 00270F86
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00270FDE
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00270032
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 00270FB9
.text C:\windows\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00270FA8
.text C:\windows\system32\svchost.exe[1640] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00470FE5
.text C:\windows\system32\svchost.exe[1640] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00470014
.text C:\windows\system32\svchost.exe[1640] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00470FD4
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 004500A9
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00450F40
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 004500D5
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00450FCA
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 0045008E
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 0045006C
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00450F94
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00450FAF
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00450FEF
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00450F25
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00450040
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00450051
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 0045000A
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 004500BA
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00450025
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00450F5B
.text C:\windows\system32\svchost.exe[1640] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 0045007D
.text C:\windows\system32\svchost.exe[1640] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00490FE3
.text C:\windows\system32\svchost.exe[1640] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00490FA1
.text C:\windows\system32\svchost.exe[1640] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00490FB2
.text C:\windows\system32\svchost.exe[1640] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00490011
.text C:\windows\system32\svchost.exe[1640] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00490022
.text C:\windows\system32\svchost.exe[1640] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00490000
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 004A0000
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 004A002C
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 004A0F9E
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 004A0FAF
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 004A0FDB
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 004A0F8D
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 004A0FC0
.text C:\windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 004A001B
.text C:\windows\system32\svchost.exe[1640] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00480000
.text C:\windows\system32\svchost.exe[1804] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00210000
.text C:\windows\system32\svchost.exe[1804] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00210FCA
.text C:\windows\system32\svchost.exe[1804] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00210FE5
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 001C0F28
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 001C0087
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 001C0EFC
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 001C0FA5
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 001C0051
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 001C0022
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 001C0F54
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 001C0F6F
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 001C0FE5
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 001C0EE1
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 001C0011
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 001C0F80
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 001C0000
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 001C006C
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 001C0FC0
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 001C0F0D
.text C:\windows\system32\svchost.exe[1804] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 001C0F39
.text C:\windows\system32\svchost.exe[1804] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00450FEF
.text C:\windows\system32\svchost.exe[1804] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 00450F86
.text C:\windows\system32\svchost.exe[1804] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00450F97
.text C:\windows\system32\svchost.exe[1804] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00450FC3
.text C:\windows\system32\svchost.exe[1804] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00450FB2
.text C:\windows\system32\svchost.exe[1804] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00450FDE
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 00580000
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 00580FC0
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00580058
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 00580047
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00580011
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00580F9B
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 0058002C
.text C:\windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00580FDB
.text C:\windows\system32\svchost.exe[1804] WS2_32.dll!socket 757D3F00 5 Bytes JMP 0044000A
.text C:\windows\System32\svchost.exe[5460] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FEF
.text C:\windows\System32\svchost.exe[5460] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00040025
.text C:\windows\System32\svchost.exe[5460] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 0004000A
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00010F46
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 000100AF
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00010094
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00010025
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00010F61
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00010F72
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00010F8D
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 0001004A
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00010014
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00010EFF
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00010FC3
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00010FA8
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00010FEF
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00010F35
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00010FDE
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00010F1A
.text C:\windows\System32\svchost.exe[5460] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00010065
.text C:\windows\System32\svchost.exe[5460] msvcrt.dll!_open 759F7E48 5 Bytes JMP 000E0000
.text C:\windows\System32\svchost.exe[5460] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 000E0066
.text C:\windows\System32\svchost.exe[5460] msvcrt.dll!system 75A2B16F 5 Bytes JMP 000E0FE5
.text C:\windows\System32\svchost.exe[5460] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 000E003A
.text C:\windows\System32\svchost.exe[5460] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 000E004B
.text C:\windows\System32\svchost.exe[5460] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 000E0029
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 000F0FE5
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 000F0FC3
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 000F0FA8
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 000F004A
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 000F000A
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 000F005B
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 000F001B
.text C:\windows\System32\svchost.exe[5460] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 000F0FD4
.text C:\windows\System32\svchost.exe[5460] WS2_32.dll!socket 757D3F00 5 Bytes JMP 001A0000
.text C:\windows\System32\svchost.exe[5460] WININET.dll!InternetOpenA 76094E2B 5 Bytes JMP 00200000
.text C:\windows\System32\svchost.exe[5460] WININET.dll!InternetOpenUrlA 7609BFCE 5 Bytes JMP 00200FCA
.text C:\windows\System32\svchost.exe[5460] WININET.dll!InternetOpenW 760CC03E 5 Bytes JMP 00200FE5
.text C:\windows\System32\svchost.exe[5460] WININET.dll!InternetOpenUrlW 760FD722 5 Bytes JMP 00200FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 0004001B
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 0004000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00080F46
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 000800C0
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00080F35
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00080FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00080F57
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 0008004A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00080F72
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 0008002F
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 0008000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00080F10
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateThread 7550281D 5 Bytes JMP 6B1D7133 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00080FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00080F8D
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00080FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00080094
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00080FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 000800AF
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00080065
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 000A0000
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 000A0FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 000A0073
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 000A0062
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 000A0011
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 000A008E
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 000A0022
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 000A003D
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] msvcrt.dll!_open 759F7E48 5 Bytes JMP 000B000C
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 000B0FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] msvcrt.dll!system 75A2B16F 5 Bytes JMP 000B0FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 000B0FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 000B0033
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 000B0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!EnableWindow 756AA72E 5 Bytes JMP 6B219884 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!UnhookWindowsHookEx 756ACC7B 5 Bytes JMP 6B25EB70 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!CallNextHookEx 756ACC8F 5 Bytes JMP 6B237AEF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!DefWindowProcA 756AE0E4 7 Bytes JMP 6B1D9345 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!CreateWindowExA 756AE18A 5 Bytes JMP 6B1E3173 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!CreateWindowExW 756B0E51 5 Bytes JMP 6B23FF57 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!SetWindowsHookExW 756B210A 5 Bytes JMP 6B211FE4 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!DefWindowProcW 756B724B 7 Bytes JMP 6B237B52 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!DialogBoxIndirectParamW 756D4AA7 5 Bytes JMP 6B36590F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!DialogBoxParamW 756D564A 5 Bytes JMP 6B1715BB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!DialogBoxParamA 756ECF6A 5 Bytes JMP 6B3658AA C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!DialogBoxIndirectParamA 756ED29C 5 Bytes JMP 6B365974 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!MessageBoxIndirectA 756FE8C9 5 Bytes JMP 6B365831 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!MessageBoxIndirectW 756FE9C3 5 Bytes JMP 6B3657B8 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!MessageBoxExA 756FEA29 5 Bytes JMP 6B365754 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] USER32.dll!MessageBoxExW 756FEA4D 5 Bytes JMP 6B3656F0 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ole32.dll!OleLoadFromStream 75C25BF6 5 Bytes JMP 6B366110 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] ole32.dll!CoCreateInstance 75C7590C 5 Bytes JMP 6B23B6D4 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WININET.dll!HttpAddRequestHeadersA 76081B9C 5 Bytes JMP 00436B70
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WININET.dll!InternetOpenA 76094E2B 5 Bytes JMP 000C0000
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WININET.dll!InternetOpenUrlA 7609BFCE 5 Bytes JMP 000C0FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WININET.dll!InternetOpenW 760CC03E 5 Bytes JMP 000C001B
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WININET.dll!HttpAddRequestHeadersW 760CF7A8 5 Bytes JMP 00436D70
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WININET.dll!InternetOpenUrlW 760FD722 5 Bytes JMP 000C0FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!closesocket 757D3BED 5 Bytes JMP 00C3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00BD0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!recv 757D47DF 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!connect 757D48BE 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!getaddrinfo 757D6737 5 Bytes JMP 00FD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!send 757DC4C8 5 Bytes JMP 00C4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[59768] WS2_32.dll!gethostbyname 757E7133 5 Bytes JMP 00C5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[85680] ntdll.dll!LdrLoadDll 76F0F5B5 5 Bytes JMP 012413F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[85680] WS2_32.dll!closesocket 757D3BED 5 Bytes JMP 0048000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[85680] WS2_32.dll!connect 757D48BE 5 Bytes JMP 0036000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[85680] WS2_32.dll!getaddrinfo 757D6737 5 Bytes JMP 005B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[85680] WS2_32.dll!send 757DC4C8 5 Bytes JMP 0049000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[85680] WS2_32.dll!gethostbyname 757E7133 5 Bytes JMP 005A000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[88332] USER32.dll!TrackPopupMenu 756D4B3B 5 Bytes JMP 5FFAC334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\windows\explorer.exe[94948] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FE5
.text C:\windows\explorer.exe[94948] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00040000
.text C:\windows\explorer.exe[94948] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00040FCA
.text C:\windows\explorer.exe[94948] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00090F51
.text C:\windows\explorer.exe[94948] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00090F36
.text C:\windows\explorer.exe[94948] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 000900CB
.text C:\windows\explorer.exe[94948] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00090025
.text C:\windows\explorer.exe[94948] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 0009007A
.text C:\windows\explorer.exe[94948] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00090069
.text C:\windows\explorer.exe[94948] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00090058
.text C:\windows\explorer.exe[94948] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00090047
.text C:\windows\explorer.exe[94948] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 00090FEF
.text C:\windows\explorer.exe[94948] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00090F25
.text C:\windows\explorer.exe[94948] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00090FB9
.text C:\windows\explorer.exe[94948] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00090036
.text C:\windows\explorer.exe[94948] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00090000
.text C:\windows\explorer.exe[94948] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00090095
.text C:\windows\explorer.exe[94948] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00090FD4
.text C:\windows\explorer.exe[94948] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 000900B0
.text C:\windows\explorer.exe[94948] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00090F6C
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 000B0FEF
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 000B0F97
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 000B0F61
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 000B0F7C
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 000B0FD4
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 000B0F50
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 000B0FC3
.text C:\windows\explorer.exe[94948] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 000B0FB2
.text C:\windows\explorer.exe[94948] msvcrt.dll!_open 759F7E48 5 Bytes JMP 000C0000
.text C:\windows\explorer.exe[94948] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 000C0036
.text C:\windows\explorer.exe[94948] msvcrt.dll!system 75A2B16F 5 Bytes JMP 000C0025
.text C:\windows\explorer.exe[94948] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 000C0FC6
.text C:\windows\explorer.exe[94948] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 000C0FAB
.text C:\windows\explorer.exe[94948] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 000C0FE3
.text C:\windows\explorer.exe[94948] WS2_32.dll!socket 757D3F00 5 Bytes JMP 01A50FEF
.text C:\windows\explorer.exe[94948] WININET.dll!InternetOpenA 76094E2B 5 Bytes JMP 01AA0FEF
.text C:\windows\explorer.exe[94948] WININET.dll!InternetOpenUrlA 7609BFCE 5 Bytes JMP 01AA001B
.text C:\windows\explorer.exe[94948] WININET.dll!InternetOpenW 760CC03E 5 Bytes JMP 01AA000A
.text C:\windows\explorer.exe[94948] WININET.dll!InternetOpenUrlW 760FD722 5 Bytes JMP 01AA0FCA
.text C:\windows\System32\svchost.exe[99256] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FE5
.text C:\windows\System32\svchost.exe[99256] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00040FC3
.text C:\windows\System32\svchost.exe[99256] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00040FD4
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 0001009B
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 00010F32
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 00010F4D
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00010036
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00010080
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 00010F8D
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00010F9E
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00010FAF
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 0001000A
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00010F17
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00010047
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00010FC0
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00010FEF
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 000100AC
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 0001001B
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 000100BD
.text C:\windows\System32\svchost.exe[99256] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00010F7C
.text C:\windows\System32\svchost.exe[99256] msvcrt.dll!_open 759F7E48 5 Bytes JMP 000E0000
.text C:\windows\System32\svchost.exe[99256] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 000E0F9F
.text C:\windows\System32\svchost.exe[99256] msvcrt.dll!system 75A2B16F 5 Bytes JMP 000E0FB0
.text C:\windows\System32\svchost.exe[99256] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 000E0FD2
.text C:\windows\System32\svchost.exe[99256] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 000E0FC1
.text C:\windows\System32\svchost.exe[99256] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 000E0FE3
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 000F0FEF
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 000F002C
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 000F004E
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 000F003D
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 000F0FD4
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 000F0F91
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 000F0000
.text C:\windows\System32\svchost.exe[99256] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 000F0011
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ntdll.dll!NtCreateFile 76EF4870 5 Bytes JMP 00040FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ntdll.dll!NtCreateProcess 76EF4940 5 Bytes JMP 00040011
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ntdll.dll!NtProtectVirtualMemory 76EF51C0 5 Bytes JMP 00040000
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!GetStartupInfoA 754B1DF0 5 Bytes JMP 00080F75
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreateProcessW 754B202D 5 Bytes JMP 000800DE
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreateProcessA 754B2062 5 Bytes JMP 000800B9
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreateNamedPipeW 754E1FD6 5 Bytes JMP 00080025
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreatePipe 754E4A8B 5 Bytes JMP 00080F90
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!VirtualProtect 754F50AB 5 Bytes JMP 0008008A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!LoadLibraryExW 754FB6BF 5 Bytes JMP 00080079
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!LoadLibraryExA 754FBC8B 5 Bytes JMP 00080FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreateFileW 75500B7D 5 Bytes JMP 0008000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!GetProcAddress 75501857 5 Bytes JMP 00080F2E
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!LoadLibraryA 75502884 5 Bytes JMP 00080040
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!LoadLibraryW 755028D2 5 Bytes JMP 00080FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreateFileA 7550291C 5 Bytes JMP 00080FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!GetStartupInfoW 75507CD5 5 Bytes JMP 00080F64
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!CreateNamedPipeA 7553D5BF 5 Bytes JMP 00080FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!WinExec 7553E76D 5 Bytes JMP 00080F49
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] kernel32.dll!VirtualProtectEx 7553F729 5 Bytes JMP 00080FA1
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegOpenKeyA 75D8D2ED 5 Bytes JMP 00110FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegCreateKeyA 75D8D3C1 5 Bytes JMP 0011000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegCreateKeyExA 75D91B71 5 Bytes JMP 00110036
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegCreateKeyW 75D91CC0 5 Bytes JMP 00110025
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegOpenKeyW 75D93129 5 Bytes JMP 00110FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegCreateKeyExW 75D9B946 5 Bytes JMP 00110047
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegOpenKeyExA 75D9BC0D 5 Bytes JMP 00110FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] ADVAPI32.dll!RegOpenKeyExW 75D9BEC4 5 Bytes JMP 00110F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] msvcrt.dll!_open 759F7E48 5 Bytes JMP 00220000
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] msvcrt.dll!_wsystem 75A2B04F 5 Bytes JMP 0022004E
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] msvcrt.dll!system 75A2B16F 5 Bytes JMP 00220033
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] msvcrt.dll!_creat 75A2ED29 5 Bytes JMP 00220022
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] msvcrt.dll!_wcreat 75A3038E 5 Bytes JMP 00220FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] msvcrt.dll!_wopen 75A30570 5 Bytes JMP 00220011
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!EnableWindow 756AA72E 5 Bytes JMP 6B219884 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!DialogBoxIndirectParamW 756D4AA7 5 Bytes JMP 6B36590F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!DialogBoxParamW 756D564A 5 Bytes JMP 6B1715BB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!DialogBoxParamA 756ECF6A 5 Bytes JMP 6B3658AA C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!DialogBoxIndirectParamA 756ED29C 5 Bytes JMP 6B365974 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!MessageBoxIndirectA 756FE8C9 5 Bytes JMP 6B365831 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!MessageBoxIndirectW 756FE9C3 5 Bytes JMP 6B3657B8 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!MessageBoxExA 756FEA29 5 Bytes JMP 6B365754 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] USER32.dll!MessageBoxExW 756FEA4D 5 Bytes JMP 6B3656F0 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WININET.dll!HttpAddRequestHeadersA 76081B9C 5 Bytes JMP 005E6B70
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WININET.dll!InternetOpenA 76094E2B 5 Bytes JMP 00230000
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WININET.dll!InternetOpenUrlA 7609BFCE 5 Bytes JMP 0023002C
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WININET.dll!InternetOpenW 760CC03E 5 Bytes JMP 0023001B
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WININET.dll!HttpAddRequestHeadersW 760CF7A8 5 Bytes JMP 005E6D70
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WININET.dll!InternetOpenUrlW 760FD722 5 Bytes JMP 00230FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!closesocket 757D3BED 5 Bytes JMP 008C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!socket 757D3F00 5 Bytes JMP 00690000
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!recv 757D47DF 5 Bytes JMP 008A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!connect 757D48BE 5 Bytes JMP 008B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!getaddrinfo 757D6737 5 Bytes JMP 00CB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!send 757DC4C8 5 Bytes JMP 008D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[104360] WS2_32.dll!gethostbyname 757E7133 5 Bytes JMP 008E000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\iaStor \Device\Ide\iaStor0 84E4B1ED
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 84E4B1ED

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:308] 84E4FE7A
Thread System [4:312] 84E52008

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 19052
Process hidden process (*** hidden *** ) 20144
Process hidden process (*** hidden *** ) 22796
Process hidden process (*** hidden *** ) 23540
Process hidden process (*** hidden *** ) 26568
Process hidden process (*** hidden *** ) 28204
Process hidden process (*** hidden *** ) 29300
Process hidden process (*** hidden *** ) 29412
Process hidden process (*** hidden *** ) 32956
Process hidden process (*** hidden *** ) 33720
Process hidden process (*** hidden *** ) 34568
Process hidden process (*** hidden *** ) 35144
Process hidden process (*** hidden *** ) 36084
Process hidden process (*** hidden *** ) 36488
Process hidden process (*** hidden *** ) 36788
Process hidden process (*** hidden *** ) 38824

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f6e1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fedcf2
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f6e1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fedcf2 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

EDIT: Posts merged ~Budapest

Edited by Budapest, 14 June 2011 - 04:37 PM.


#2 SweetTech

SweetTech
    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 17 June 2011 - 09:57 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 agoh

agoh
  • Topic Starter

  • Members
  • 36 posts

Posted 17 June 2011 - 05:57 PM

Hi ST, I appreciate the help. Here are my logs...
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>Drivers
==============================================
0x8C205000 C:\windows\system32\DRIVERS\igdkmd32.sys 5275648 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x81E00000 C:\windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x81E00000 PnpManager 4259840 bytes
0x81E00000 RAW 4259840 bytes
0x81E00000 WMIxWDM 4259840 bytes
0x8D234000 C:\windows\system32\drivers\RTKVHDA.sys 2801664 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x8F010000 Win32k 2404352 bytes
0x8F010000 C:\windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8A023000 C:\windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8CA2F000 C:\windows\system32\DRIVERS\athr.sys 1286144 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x86801000 C:\windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x89E00000 C:\windows\System32\Drivers\dump_iaStor.sys 892928 bytes
0x86638000 C:\windows\system32\DRIVERS\iaStor.sys 892928 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x8C70D000 C:\windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x86A2E000 C:\windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x862F5000 C:\windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xA7A3A000 C:\windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0xA488E000 C:\windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x86222000 C:\windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x86419000 C:\windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8696E000 C:\windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x863A0000 C:\windows\system32\drivers\mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0x8A228000 C:\windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA7B58000 C:\windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0x8CB73000 C:\windows\system32\DRIVERS\yk62x86.sys 331776 bytes (-, -)
0xA7B09000 C:\windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8D54C000 C:\windows\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0x8CE39000 C:\windows\system32\drivers\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x86562000 C:\windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x864A0000 C:\windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA4825000 C:\windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x89FB6000 C:\windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x862B3000 C:\windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x8A300000 C:\windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x86B48000 C:\windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x86AE5000 C:\windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0xA496A000 C:\windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8C7C4000 C:\windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x82210000 ACPI_HAL 225280 bytes
0x82210000 C:\windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8CEBC000 C:\windows\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0x8675F000 C:\windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8CFAE000 C:\windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x867A4000 C:\windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x89F84000 C:\windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8A16C000 C:\windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8D4E0000 C:\windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x86B8F000 C:\windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x86930000 C:\windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x864F9000 C:\windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8A19D000 C:\windows\system32\drivers\mfewfpk.sys 159744 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0x86A00000 C:\windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x86B23000 C:\windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x8D528000 C:\windows\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0x8D5AE000 C:\windows\System32\Drivers\usbvideo.sys 147456 bytes (Microsoft Corporation, USB Video Class Driver)
0x8671B000 C:\windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0xA4947000 C:\windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x8CF44000 C:\windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7ADB000 C:\windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8A387000 C:\windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x89F25000 C:\windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8A3BA000 C:\windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8A289000 C:\windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8F2A0000 C:\windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x8D20B000 C:\windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0xA49A5000 C:\windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8CE11000 C:\windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xA491C000 C:\windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8D50F000 C:\windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8A361000 C:\windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8CE97000 C:\windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x8CF21000 C:\windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8CF66000 C:\windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8CF7E000 C:\windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8CF95000 C:\windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8A1CF000 C:\windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x8D597000 C:\windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x865AD000 C:\windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x8695B000 C:\windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xA487B000 C:\windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8A2D5000 C:\windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8CF0F000 C:\windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x8A3A8000 C:\windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0xA4935000 C:\windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x86BD4000 C:\windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x8D5DF000 C:\windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x86793000 C:\windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8CE00000 C:\windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8652E000 C:\windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x8629A000 C:\windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8A2A8000 C:\windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
0x8CFF0000 C:\windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x86BBC000 C:\windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0xA486B000 C:\windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8A2E8000 C:\windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x86552000 C:\windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x8CE84000 C:\windows\system32\drivers\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8A379000 C:\windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x8A2B9000 C:\windows\system32\DRIVERS\mfenlfk.sys 57344 bytes (McAfee, Inc., McAfee NDIS Light Filter Driver)
0x8A2C7000 C:\windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x89F76000 C:\windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x86748000 C:\windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x869CB000 C:\windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x8CFE2000 C:\windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8648A000 C:\windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x8CF02000 C:\windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x8D5D2000 C:\windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8CEAF000 C:\windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8CEF5000 C:\windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0xA7AFC000 C:\windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x89F46000 C:\windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8A355000 C:\windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x89F19000 C:\windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x86547000 C:\windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x8D200000 C:\windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x89F6B000 C:\windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8CF39000 C:\windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8A1C4000 C:\windows\system32\drivers\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8CBC4000 C:\windows\system32\drivers\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x86523000 C:\windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x8D5F0000 C:\windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8673E000 C:\windows\system32\DRIVERS\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x8A34B000 C:\windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8A341000 C:\windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xA7AD1000 C:\windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8CB69000 C:\windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
0x86756000 C:\windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0xA7BC2000 C:\windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x86712000 C:\windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0xA7BCB000 C:\windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x869D9000 C:\windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8F270000 C:\windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0xA4913000 C:\windows\system32\DRIVERS\vwifimp.sys 36864 bytes (Microsoft Corporation, Virtual WiFi Miniport Driver)
0x864E8000 C:\windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x862AB000 C:\windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8653F000 C:\windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x86BCC000 C:\windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x81D26000 C:\windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x864F1000 C:\windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x86498000 C:\windows\system32\drivers\Partizan.sys 32768 bytes (Greatis Software, Partizan - Rootkit detector)
0x89F53000 C:\windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x89F5B000 C:\windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x89F63000 C:\windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8A2F8000 C:\windows\system32\Drivers\SABI.sys 32768 bytes (SAMSUNG ELECTRONICS, SAMSUNG Kernel Driver)
0x86B87000 C:\windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x89F12000 C:\windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x89F0B000 C:\windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8A282000 C:\windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x8CE93000 C:\windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x8CFAC000 C:\windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8CEF3000 C:\windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x8504B1ED unknown_irp_handler 3603 bytes
==============================================
>Stealth
==============================================
0x8504CA91 Unknown page with executable code, 1391 bytes
0x8504D191 Unknown page with executable code, 3695 bytes
0x8504FE7A Unknown thread object [ ETHREAD 0x851EAD48 ] TID: 304, 600 bytes
0x85052008 Unknown thread object [ ETHREAD 0x85239660 ] TID: 308, 600 bytes
0x85051CDC Unknown page with executable code, 804 bytes

OTL logfile created on: 6/17/2011 6:41:05 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Ashley\Downloads
Starter Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.30 Mb Total Physical Memory | 66.79 Mb Available Physical Memory | 6.59% Memory free
1.99 Gb Paging File | 0.79 Gb Available in Paging File | 39.63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.97 Gb Total Space | 21.70 Gb Free Space | 32.41% Space Free | Partition Type: NTFS
Drive D: | 66.98 Gb Total Space | 66.89 Gb Free Space | 99.87% Space Free | Partition Type: NTFS

Computer Name: ASHLEY-PC | User Name: Ashley | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/17 18:40:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Ashley\Downloads\OTL.exe
PRC - [2011/06/09 14:38:22 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/11/12 14:17:32 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/11/12 14:17:32 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2010/07/09 14:55:32 | 001,053,440 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
PRC - [2010/04/14 21:08:14 | 000,598,696 | ---- | M] ( ) -- C:\Windows\System32\lxeccoms.exe
PRC - [2009/11/20 00:01:36 | 002,247,168 | ---- | M] (SEC) -- C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
PRC - [2009/11/04 00:11:48 | 000,835,072 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2009/10/26 07:53:14 | 000,091,136 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2009/10/13 06:03:04 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
PRC - [2009/08/13 21:58:10 | 000,044,312 | ---- | M] () -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/03/05 05:54:50 | 000,311,296 | ---- | M] () -- C:\Windows\System32\Rezip.exe
PRC - [2008/11/13 09:33:54 | 000,097,128 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


========== Modules (SafeList) ==========

MOD - [2011/06/17 18:40:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Ashley\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (McODS)
SRV - [2011/06/13 01:54:21 | 006,470,464 | ---- | M] (SurfRight B.V.) [Auto | Stopped] -- C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe -- (HitmanPro35CrusaderBoot) Hitman Pro 3.5 Crusader (Boot)
SRV - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/11/12 14:17:32 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/11/12 14:17:32 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2010/07/09 14:55:32 | 001,053,440 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe -- (NACAgent)
SRV - [2010/04/14 21:08:14 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\windows\System32\lxeccoms.exe -- (lxec_device)
SRV - [2009/08/13 21:58:10 | 000,044,312 | ---- | M] () [Auto | Running] -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/03/05 05:54:50 | 000,311,296 | ---- | M] () [Auto | Running] -- C:\Windows\System32\Rezip.exe -- (Rezip)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2011/06/13 03:22:57 | 000,024,416 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\regguard.sys -- (RegGuard)
DRV - [2011/06/13 03:07:17 | 000,035,816 | ---- | M] (Greatis Software) [Kernel | Boot | Stopped] -- C:\windows\system32\drivers\Partizan.sys -- (Partizan)
DRV - [2010/11/12 14:17:32 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/11/12 14:17:32 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/11/12 14:17:32 | 000,164,840 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2010/11/12 14:17:32 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/11/12 14:17:32 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/11/12 14:17:32 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/11/12 14:17:32 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2010/11/12 14:17:32 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/12 14:17:32 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/06/10 03:43:18 | 001,271,808 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/09/28 05:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://myru.radford.edu/cp/home/displaylogin\r"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: chachaguidebar@chacha.com:1.2
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/06/06 18:31:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/09 14:38:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/09 14:38:31 | 000,000,000 | ---D | M]

[2010/10/13 18:09:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Extensions
[2010/10/13 18:09:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/06/13 01:40:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\extensions
[2011/04/11 20:39:44 | 000,000,000 | ---D | M] (ChaCha Guide App Toolbar) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\extensions\chachaguidebar@chacha.com
[2011/04/21 13:58:41 | 000,001,820 | ---- | M] () -- C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\searchplugins\bing.xml
[2011/04/05 20:39:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/15 13:28:15 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/10/13 18:02:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/30 17:45:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
File not found (No name found) --
[2011/06/06 18:31:19 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
() (No name found) -- C:\USERS\ASHLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\FD1CLHV3.DEFAULT\EXTENSIONS\{C1970C0D-DBE6-4D91-804F-C9C0DE643A57}.XPI
[2011/06/09 14:38:21 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/11/12 14:17:32 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/06/09 14:38:25 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/06/05 22:19:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110418222225.dll (McAfee, Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O4 - HKLM..\Run: [APLangApp] C:\Program Files\AnyPC Client\APLangApp.exe (DoctorSoft)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] File not found
O4 - HKLM..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe (Cisco Systems, Inc.)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 253
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O7 - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O7 - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 253
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - File not found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/06/16 14:54:25 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/06/16 14:54:25 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (bootdelete) - C:\windows\System32\bootdelete.exe (SurfRight B.V.)
O34 - HKLM BootExecute: (Partizan) - C:\windows\System32\Partizan.exe (Greatis Software)
O34 - HKLM BootExecute: (settings...) - File not found
O34 - HKLM BootExecute: (ountPoints2\D\Shell) - C:\windows\System32\Shell.dll (Microsoft Corporation)
O34 - HKLM BootExecute: (nts2\C) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/16 14:54:25 | 000,000,000 | RHSD | C] -- C:\comment.htt
[2011/06/16 14:54:25 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/06/13 12:29:30 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\windows\System32\bootdelete.exe
[2011/06/13 12:18:38 | 001,437,488 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Ashley\Desktop\123.com
[2011/06/13 03:16:12 | 000,024,416 | ---- | C] (Greatis Software) -- C:\windows\System32\drivers\regguard.sys
[2011/06/13 03:07:17 | 000,039,192 | ---- | C] (Greatis Software) -- C:\windows\System32\Partizan.exe
[2011/06/13 03:07:17 | 000,035,816 | ---- | C] (Greatis Software) -- C:\windows\System32\drivers\Partizan.sys
[2011/06/13 03:07:02 | 000,000,000 | ---D | C] -- C:\Users\Ashley\Documents\RegRun2
[2011/06/13 03:06:55 | 000,012,808 | ---- | C] (Greatis Software, LLC.) -- C:\windows\System32\drivers\UnHackMeDrv.sys
[2011/06/13 03:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
[2011/06/13 03:06:55 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\regruninfo
[2011/06/13 03:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2011/06/13 02:49:17 | 000,000,000 | -H-D | C] -- C:\windows\PIF
[2011/06/13 01:54:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hitman Pro 3.5
[2011/06/13 01:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/06/13 01:52:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/06/12 19:49:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Inspector File Recovery
[2011/06/12 19:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\PC Inspector File Recovery
[2011/06/12 19:20:00 | 000,000,000 | ---D | C] -- C:\Users\Ashley\Documents\CardRecovery
[2011/06/12 19:17:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CardRecovery
[2011/06/12 19:17:10 | 000,000,000 | ---D | C] -- C:\Program Files\CardRecovery
[2011/06/09 01:46:55 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/05 23:45:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/05 23:45:55 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/05 23:07:48 | 000,000,000 | ---D | C] -- C:\windows\temp
[2011/06/05 23:06:18 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/06/05 22:45:47 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/06/05 22:17:33 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Local\temp
[2011/06/05 22:13:39 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Roaming\Malwarebytes
[2011/06/05 22:13:30 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2011/06/05 22:13:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/05 22:13:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/05 22:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/05 22:09:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyware Doctor
[2011/06/05 21:59:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/06/05 21:59:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/06/05 21:59:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/06/05 21:58:30 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/06/05 21:34:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/30 03:05:49 | 000,089,360 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\VB5DB.DLL
[2011/05/27 20:45:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\oDesk
[2011/05/27 20:45:53 | 000,000,000 | ---D | C] -- C:\Program Files\oDesk
[2011/05/27 20:44:16 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Local\oDesk
[2011/05/26 16:50:54 | 000,026,496 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\drivers\Diskdump.sys
[2011/05/19 20:43:33 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Local\Deployment
[2011/05/19 20:43:33 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Local\Apps
[2010/04/14 21:08:16 | 000,324,264 | ---- | C] ( ) -- C:\windows\System32\lxecih.exe
[2010/04/14 21:08:14 | 000,598,696 | ---- | C] ( ) -- C:\windows\System32\lxeccoms.exe
[2010/04/14 21:08:12 | 000,373,416 | ---- | C] ( ) -- C:\windows\System32\lxeccfg.exe
[2010/04/13 20:41:34 | 000,442,368 | ---- | C] ( ) -- C:\windows\System32\lxeccoin.dll
[2009/12/09 20:47:50 | 000,643,072 | ---- | C] ( ) -- C:\windows\System32\lxecpmui.dll
[2009/12/09 20:43:14 | 001,048,576 | ---- | C] ( ) -- C:\windows\System32\lxecserv.dll
[2009/12/09 20:41:22 | 000,688,128 | ---- | C] ( ) -- C:\windows\System32\lxechbn3.dll
[2009/12/09 20:40:12 | 000,847,872 | ---- | C] ( ) -- C:\windows\System32\lxecusb1.dll
[2009/12/09 20:37:34 | 000,356,352 | ---- | C] ( ) -- C:\windows\System32\lxechcp.dll
[2009/12/09 20:36:32 | 000,577,536 | ---- | C] ( ) -- C:\windows\System32\lxeclmpm.dll
[2009/12/09 20:35:50 | 000,344,064 | ---- | C] ( ) -- C:\windows\System32\lxeciesc.dll
[2009/12/09 20:35:44 | 000,802,816 | ---- | C] ( ) -- C:\windows\System32\lxeccomc.dll
[2009/12/09 20:35:32 | 000,364,544 | ---- | C] ( ) -- C:\windows\System32\lxecinpa.dll

========== Files - Modified Within 30 Days ==========

[2011/06/17 18:32:30 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/06/13 15:48:04 | 000,000,638 | ---- | M] () -- C:\Users\Ashley\AppData\Roaming\wklnhst.dat
[2011/06/13 12:29:30 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\windows\System32\bootdelete.exe
[2011/06/13 12:29:30 | 000,000,662 | ---- | M] () -- C:\windows\System32\.crusader
[2011/06/13 12:29:29 | 000,000,166 | ---- | M] () -- C:\windows\System32\bootdelete.lst
[2011/06/13 12:19:16 | 000,017,480 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2011/06/13 12:18:34 | 000,010,272 | ---- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/13 12:18:34 | 000,010,272 | ---- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/13 12:10:54 | 796,889,088 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/13 03:22:57 | 000,024,416 | ---- | M] (Greatis Software) -- C:\windows\System32\drivers\regguard.sys
[2011/06/13 03:07:22 | 000,002,577 | ---- | M] () -- C:\windows\System32\config.nt
[2011/06/13 03:07:22 | 000,001,688 | ---- | M] () -- C:\windows\System32\autoexec.nt
[2011/06/13 03:07:22 | 000,000,002 | RHS- | M] () -- C:\windows\winstart.bat
[2011/06/13 03:07:17 | 000,039,192 | ---- | M] (Greatis Software) -- C:\windows\System32\Partizan.exe
[2011/06/13 03:07:17 | 000,035,816 | ---- | M] (Greatis Software) -- C:\windows\System32\drivers\Partizan.sys
[2011/06/13 03:06:57 | 000,000,406 | ---- | M] () -- C:\windows\tasks\UnHackMe Task Scheduler.job
[2011/06/13 03:06:56 | 000,000,917 | ---- | M] () -- C:\Users\Ashley\Desktop\UnHackMe.lnk
[2011/06/13 01:54:43 | 000,001,950 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2011/06/12 19:49:37 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\PC Inspector File Recovery.lnk
[2011/06/12 19:17:11 | 000,000,957 | ---- | M] () -- C:\Users\Public\Desktop\CardRecovery.lnk
[2011/06/09 14:39:00 | 000,002,002 | ---- | M] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/07 17:32:48 | 001,437,488 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Ashley\Desktop\123.com
[2011/06/05 23:45:55 | 000,002,969 | ---- | M] () -- C:\Users\Ashley\Desktop\HiJackThis.lnk
[2011/06/05 22:19:43 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
[2011/06/05 22:13:31 | 000,001,095 | ---- | M] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/05 22:13:31 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/05 20:45:44 | 000,000,136 | ---- | M] () -- C:\ProgramData\~26926840
[2011/06/05 20:45:43 | 000,000,160 | ---- | M] () -- C:\ProgramData\~26926840r
[2011/06/05 20:31:18 | 000,000,392 | ---- | M] () -- C:\ProgramData\26926840
[2011/05/30 03:23:50 | 000,624,178 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2011/05/30 03:23:50 | 000,106,522 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2011/05/24 19:14:10 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2011/06/13 12:29:29 | 000,000,166 | ---- | C] () -- C:\windows\System32\bootdelete.lst
[2011/06/13 03:07:22 | 000,000,002 | RHS- | C] () -- C:\windows\winstart.bat
[2011/06/13 03:06:57 | 000,000,406 | ---- | C] () -- C:\windows\tasks\UnHackMe Task Scheduler.job
[2011/06/13 03:06:56 | 000,000,917 | ---- | C] () -- C:\Users\Ashley\Desktop\UnHackMe.lnk
[2011/06/13 02:02:53 | 000,000,662 | ---- | C] () -- C:\windows\System32\.crusader
[2011/06/13 01:54:50 | 000,017,480 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2011/06/13 01:54:43 | 000,001,950 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2011/06/12 19:49:43 | 000,006,200 | ---- | C] () -- C:\windows\System32\INT13EXT.VXD
[2011/06/12 19:49:37 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\PC Inspector File Recovery.lnk
[2011/06/12 19:17:11 | 000,000,957 | ---- | C] () -- C:\Users\Public\Desktop\CardRecovery.lnk
[2011/06/09 14:38:36 | 000,001,112 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/06/05 23:45:55 | 000,002,969 | ---- | C] () -- C:\Users\Ashley\Desktop\HiJackThis.lnk
[2011/06/05 22:13:31 | 000,001,095 | ---- | C] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/05 22:13:31 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/05 21:59:51 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/06/05 21:59:51 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2011/06/05 21:59:51 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2011/06/05 21:59:50 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2011/06/05 21:59:50 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2011/06/05 21:59:50 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2011/06/05 21:59:50 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2011/06/05 21:59:50 | 000,001,105 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2011/06/05 21:59:49 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/06/05 21:59:48 | 000,002,503 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/06/05 21:59:48 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/06/05 21:59:48 | 000,000,900 | ---- | C] () -- C:\Users\Public\Desktop\User Guide.lnk
[2011/06/05 21:59:47 | 000,002,072 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Support Center.lnk
[2011/06/05 21:59:47 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/06/05 21:59:47 | 000,001,870 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Update Plus.lnk
[2011/06/05 21:59:47 | 000,000,888 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Recovery Solution 4.lnk
[2011/06/05 21:59:47 | 000,000,161 | ---- | C] () -- C:\Users\Public\Desktop\SkyDrive - Windows Live.url
[2011/06/05 21:59:46 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/06/05 21:59:46 | 000,002,055 | ---- | C] () -- C:\Users\Public\Desktop\Easy Resolution Manager.lnk
[2011/06/05 21:59:46 | 000,002,038 | ---- | C] () -- C:\Users\Public\Desktop\Cisco NAC Agent.lnk
[2011/06/05 21:59:46 | 000,002,034 | ---- | C] () -- C:\Users\Public\Desktop\Easy Network Manager.lnk
[2011/06/05 21:59:46 | 000,001,267 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office - 60 Day Trial.lnk
[2011/06/05 21:59:45 | 000,001,984 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/06/05 21:59:45 | 000,001,859 | ---- | C] () -- C:\Users\Public\Desktop\AIM.lnk
[2011/06/05 21:59:45 | 000,001,788 | ---- | C] () -- C:\Users\Public\Desktop\ChargeableUSB.lnk
[2011/06/05 21:59:45 | 000,001,642 | ---- | C] () -- C:\Users\Public\Desktop\AnyPC.lnk
[2011/06/05 21:59:14 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2011/06/05 21:59:14 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2011/06/05 21:59:14 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/06/05 21:59:14 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/06/05 21:59:13 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/06/05 20:07:40 | 000,000,160 | ---- | C] () -- C:\ProgramData\~26926840r
[2011/06/05 20:07:39 | 000,000,136 | ---- | C] () -- C:\ProgramData\~26926840
[2011/06/05 20:06:43 | 000,000,392 | ---- | C] () -- C:\ProgramData\26926840
[2011/04/15 10:48:04 | 000,007,597 | ---- | C] () -- C:\Users\Ashley\AppData\Local\Resmon.ResmonCfg
[2011/02/15 13:29:26 | 000,000,048 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/09 23:31:25 | 000,000,638 | ---- | C] () -- C:\Users\Ashley\AppData\Roaming\wklnhst.dat
[2010/08/13 05:03:16 | 000,000,002 | ---- | C] () -- C:\windows\HotFixList.ini
[2009/12/14 08:56:19 | 000,311,296 | ---- | C] () -- C:\windows\System32\Rezip.exe
[2009/11/09 09:06:52 | 000,106,496 | ---- | C] () -- C:\windows\System32\lxecinsr.dll
[2009/11/09 09:06:50 | 000,036,864 | ---- | C] () -- C:\windows\System32\lxeccur.dll
[2009/11/09 09:06:40 | 000,057,344 | ---- | C] () -- C:\windows\System32\lxecjswr.dll
[2009/11/09 09:06:26 | 000,262,144 | ---- | C] () -- C:\windows\System32\lxecinsb.dll
[2009/11/09 09:06:22 | 000,090,112 | ---- | C] () -- C:\windows\System32\lxeccub.dll
[2009/11/09 09:06:14 | 000,208,896 | ---- | C] () -- C:\windows\System32\lxecgrd.dll
[2009/11/09 09:06:06 | 000,253,952 | ---- | C] () -- C:\windows\System32\lxeccu.dll
[2009/11/09 09:05:54 | 000,323,584 | ---- | C] () -- C:\windows\System32\lxecins.dll
[2009/11/09 08:59:58 | 000,086,016 | ---- | C] () -- C:\windows\System32\lxecgcfg.dll
[2009/10/21 11:06:22 | 000,110,592 | ---- | C] () -- C:\windows\System32\lxeccuir.dll
[2009/10/21 11:06:20 | 000,294,912 | ---- | C] () -- C:\windows\System32\lxeccui.dll
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/14 00:33:53 | 000,334,432 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,624,178 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,106,522 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2009/07/13 18:09:19 | 000,982,196 | ---- | C] () -- C:\windows\System32\igkrng500.bin
[2009/07/13 18:09:19 | 000,417,344 | ---- | C] () -- C:\windows\System32\igcompkrng500.bin
[2009/07/13 18:09:19 | 000,139,824 | ---- | C] () -- C:\windows\System32\igfcg500.bin
[2009/07/13 18:09:19 | 000,097,448 | ---- | C] () -- C:\windows\System32\igfcg500m.bin
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2009/02/20 09:48:44 | 000,023,552 | ---- | C] () -- C:\windows\System32\lxecsmr.dll
[2009/02/20 09:48:04 | 000,299,008 | ---- | C] () -- C:\windows\System32\lxecsm.dll
[2008/03/05 03:55:36 | 000,040,960 | ---- | C] () -- C:\windows\System32\lxecvs.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 197 bytes -> C:\ProgramData\Temp:DFC5A2B2
@Alternate Data Stream - 177 bytes -> C:\ProgramData\Temp:4CF61E54
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:E1F04E8D
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:ABE89FFE
@Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8

< End of report >

OTL Extras logfile created on: 6/17/2011 6:41:05 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Ashley\Downloads
Starter Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.30 Mb Total Physical Memory | 66.79 Mb Available Physical Memory | 6.59% Memory free
1.99 Gb Paging File | 0.79 Gb Available in Paging File | 39.63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.97 Gb Total Space | 21.70 Gb Free Space | 32.41% Space Free | Partition Type: NTFS
Drive D: | 66.98 Gb Total Space | 66.89 Gb Free Space | 99.87% Space Free | Partition Type: NTFS

Computer Name: ASHLEY-PC | User Name: Ashley | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution 4
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{178EE5F4-0F86-4BF0-A0D1-9790AFF409D1}" = EasyBatteryManager
"{1AFA1FEF-8CF9-4A51-AC46-64FAA7F3D9E2}" = AnyPC Client
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 24
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3DA31541-3CEE-48B5-95FB-6DA67DD39053}" = Bing HRS Toolbar
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45535A5E-1F81-4F35-BE1D-43D10A7D03B4}" = Easy Resolution Manager
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{63eafc52-b963-4297-a7eb-d412944e7065}_is1" = Game Pack
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114072167}" = Go-Go Gourmet
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11531173}" = Farm Frenzy 2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{853F8A41-A3C9-43FA-87FA-1AE74FC6F3F7}" = BatteryLifeExtender
"{88D68A69-D247-466B-90DD-575F6BE16230}_is1" = CardRecovery 5.30
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92D50865-FC60-4EA8-BA7A-5581B0D13EFB}" = ChargeableUSB
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B660E0D0-A8CB-45A7-96FB-93E8C915A0B2}" = Easy Network Manager
"{B6FC0292-2F77-4907-BF0E-61B23F5E10BD}" = Cisco NAC Agent
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CCC2B140-B47A-45FA-AAE3-BD60DA41AE00}" = Samsung Support Center
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{D1434266-0486-4469-B338-A60082CC04E1}" = Atheros Client Installation Program
"{D3F2FAA5-FEC4-42AA-9ABA-1F763919A2B5}" = Samsung Update Plus
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EA710A0A-BF5D-433C-8EB5-D17DC54CC298}" = Microsoft Office Live Meeting 2007
"{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2BC3383-F000-410C-A038-3846ADBE8D90}" = REALTEK Wireless LAN Software
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"Alice Greenfingers_is1" = Alice Greenfingers
"DivX Setup.divx.com" = DivX Setup
"FrostWire" = FrostWire 4.21.1
"HDMI" = Intel® Graphics Media Accelerator Driver
"HitmanPro35" = Hitman Pro 3.5
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Marvell Miniport Driver" = Marvell Miniport Driver
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"MSC" = McAfee SecurityCenter
"PokerStars" = PokerStars
"Scribe" = Express Scribe
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"UnHackMe_is1" = UnHackMe 5.99 release
"uTorrent" = µTorrent
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4104606857-3133348855-1979720558-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"oDVT" = oDesk Team

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/9/2011 6:21:03 PM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5414

Error - 6/9/2011 6:21:03 PM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5414

Error - 6/9/2011 6:37:00 PM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/9/2011 6:37:00 PM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 961980

Error - 6/9/2011 6:37:00 PM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 961980

Error - 6/10/2011 12:41:26 AM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/10/2011 12:41:26 AM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 21601521

Error - 6/10/2011 12:41:26 AM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 21601521

Error - 6/10/2011 12:41:40 AM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/10/2011 12:41:40 AM | Computer Name = Ashley-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6552

[ System Events ]
Error - 5/19/2011 9:42:06 PM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7000
Description = The McAfee VirusScan Announcer service failed to start due to the
following error: %%2

Error - 5/19/2011 9:42:06 PM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7000
Description = The McAfee Network Agent service failed to start due to the following
error: %%2

Error - 5/20/2011 1:56:41 AM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 5/26/2011 7:48:39 PM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 5/27/2011 3:03:00 AM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 5/28/2011 6:36:43 AM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.

Error - 5/28/2011 7:24:16 PM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 5/29/2011 12:36:24 PM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.

Error - 5/30/2011 2:47:08 AM | Computer Name = Ashley-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 5/30/2011 2:52:23 AM | Computer Name = Ashley-PC | Source = DCOM | ID = 10010
Description =


< End of report >

I am still getting redirects on Google searches unless I disable JavaScript

#4 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 17 June 2011 - 06:39 PM

Hi!

No problem!

Do the following for me:

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 50370
    FF - prefs.js..network.proxy.type: 4
    [2010/10/13 18:02:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/03/30 17:45:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [mcui_exe] File not found
    O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnceEx: [Title] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O34 - HKLM BootExecute: (settings...) - File not found
    O34 - HKLM BootExecute: (nts2\C) - File not found
    [2011/06/13 12:18:38 | 001,437,488 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Ashley\Desktop\123.com
    [2011/06/13 03:07:22 | 000,000,002 | RHS- | M] () -- C:\windows\winstart.bat
    [2011/06/05 20:45:44 | 000,000,136 | ---- | M] () -- C:\ProgramData\~26926840
    [2011/06/05 20:45:43 | 000,000,160 | ---- | M] () -- C:\ProgramData\~26926840r
    [2011/06/05 20:31:18 | 000,000,392 | ---- | M] () -- C:\ProgramData\26926840
    [2011/06/13 03:07:22 | 000,000,002 | RHS- | C] () -- C:\windows\winstart.bat
    [2011/06/05 20:07:40 | 000,000,160 | ---- | C] () -- C:\ProgramData\~26926840r
    [2011/06/05 20:07:39 | 000,000,136 | ---- | C] () -- C:\ProgramData\~26926840
    [2011/06/05 20:06:43 | 000,000,392 | ---- | C] () -- C:\ProgramData\26926840
    @Alternate Data Stream - 197 bytes -> C:\ProgramData\Temp:DFC5A2B2
    @Alternate Data Stream - 177 bytes -> C:\ProgramData\Temp:4CF61E54
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:E1F04E8D
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:ABE89FFE
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8
    
    :Reg
    
    :Files
    type "C:\ComboFix.txt" /c
    type "C:\TDSSKiller*.txt" /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 agoh (Topic Starter)

  • Members
  • 36 posts

Posted 17 June 2011 - 08:19 PM

My desktop has also turned black. I have Windows 7 Starter. Here is the log. Thank you.


========== SERVICES/DRIVERS ==========
========== OTL ==========
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 50370 removed from network.proxy.http_port
Prefs.js: 4 removed from network.proxy.type
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\mcui_exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\Flags deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\Title deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:settings... deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:nts2\C deleted successfully.
File C:\Users\Ashley\Desktop\123.com not found.
C:\Windows\winstart.bat moved successfully.
C:\ProgramData\~26926840 moved successfully.
C:\ProgramData\~26926840r moved successfully.
C:\ProgramData\26926840 moved successfully.
File C:\windows\winstart.bat not found.
File C:\ProgramData\~26926840r not found.
File C:\ProgramData\~26926840 not found.
File C:\ProgramData\26926840 not found.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\Temp:4CF61E54 deleted successfully.
ADS C:\ProgramData\Temp:E1F04E8D deleted successfully.
ADS C:\ProgramData\Temp:ABE89FFE deleted successfully.
ADS C:\ProgramData\Temp:A8ADE5D8 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< type "C:\ComboFix.txt" /c >
ComboFix 11-06-05.06 - Ashley 06/05/2011 22:47:52.2.2 - x86 NETWORK
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.479 [GMT -4:00]
Running from: c:\users\Ashley\Downloads\ComboFix.exe
Command switches used :: c:\users\Ashley\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\programdata\bSinTMFIBqqAiGT.exe"
"c:\users\user\AppData\Local\Dyereqariwi.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\26926840.exe
c:\programdata\FullRemove.exe
c:\programdata\yjmUjuesNXqx.exe
c:\users\Ashley\AppData\Local\Temp\is-9V4J3.tmp\mbam.dll
c:\users\Ashley\AppData\Local\Temp\is-HHG4U.tmp\mbam-setup-1.51.0.1200(2).tmp
c:\users\Ashley\AppData\Roaming\Microsoft\stor.cfg
c:\users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnk
c:\users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Windows 7 Recovery.lnk
c:\users\Ashley\Desktop\Windows 7 Recovery.lnk
.
-- Previous Run --
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-ntfs_31bf3856ad364e35_6.1.7600.20921_none_a70e0489972fb38f\ntfs.sys
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-06 02:58 . 2011-06-06 02:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-06 02:17 . 2011-06-06 02:58 -------- d-----w- c:\users\Ashley\AppData\Local\temp
2011-06-06 02:13 . 2011-06-06 02:13 -------- d-----w- c:\users\Ashley\AppData\Roaming\Malwarebytes
2011-06-06 02:13 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-06 02:13 . 2011-06-06 02:13 -------- d-----w- c:\programdata\Malwarebytes
2011-06-06 02:13 . 2011-06-06 02:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-30 07:05 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-05-28 00:45 . 2011-05-28 00:45 -------- d-----w- c:\program files\oDesk
2011-05-28 00:44 . 2011-05-28 00:46 -------- d-----w- c:\users\Ashley\AppData\Local\oDesk
2011-05-26 20:50 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-20 00:43 . 2011-05-20 00:43 -------- d-----w- c:\users\Ashley\AppData\Local\Deployment
2011-05-20 00:43 . 2011-05-20 00:43 -------- d-----w- c:\users\Ashley\AppData\Local\Apps
2011-05-13 22:33 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 18:22 . 2011-03-25 03:06 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 18:22 . 2011-03-25 03:06 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 18:22 . 2011-03-25 03:06 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 18:22 . 2011-03-25 03:06 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 18:22 . 2011-03-25 03:06 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 18:22 . 2011-03-25 03:06 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 18:22 . 2011-03-25 03:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-11 18:22 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 18:22 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-04-15 15:57 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{247E6E24-2A7F-48C5-84F1-15EE3C084A86}\mpengine.dll
2011-03-12 11:31 . 2011-04-27 20:29 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:52 . 2011-04-27 20:29 1210752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44 . 2011-04-27 20:29 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:44 . 2011-04-27 20:29 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44 . 2011-04-27 20:29 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43 . 2011-04-27 20:29 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43 . 2011-04-27 20:29 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43 . 2011-04-27 20:29 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40 . 2011-04-14 03:26 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40 . 2011-04-14 03:26 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39 . 2011-04-27 20:29 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37 . 2011-04-27 20:29 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-08 05:38 . 2011-04-14 03:26 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-11-12 18:17 . 2011-04-19 02:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d970ed5-3eda-438d-bffd-715931e2775d}]
2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-14 39408]
"yjmUjuesNXqx"="c:\programdata\yjmUjuesNXqx.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-23 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-18 8092192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"APLangApp"="c:\program files\AnyPC Client\APLangApp.exe" [2009-10-20 13312]
"fsi"="c:\program files\Phoenix Technologies Ltd\FailSafe\FailSafeLauncher.exe" [2009-09-09 9728]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-07-09 487680]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-13 135664]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe [2010-04-15 598696]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
R2 McMPFSvc;McAfee Personal Firewall;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2010-07-09 1053440]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-14 44312]
R2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-12 55840]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-13 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-12 84264]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-11-12 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-11-12 164840]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-11-12 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-12 141792]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-12 313288]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-13 10:40]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-13 10:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\
FF - prefs.js: browser.startup.homepage - hxxps://myru.radford.edu/cp/home/displaylogin\r
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-05 23:07:38
ComboFix-quarantined-files.txt 2011-06-06 03:07
.
Pre-Run: 24,825,589,760 bytes free
Post-Run: 24,788,062,208 bytes free
.
- - End Of File - - 1444F3E7E484A5601A4A7446ADE98CE5
C:\Users\Ashley\Downloads\cmd.bat deleted successfully.
C:\Users\Ashley\Downloads\cmd.txt deleted successfully.
< type "C:\TDSSKiller*.txt" /c >
C:\Users\Ashley\Downloads\cmd.bat deleted successfully.
C:\Users\Ashley\Downloads\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ashley\Downloads\cmd.bat deleted successfully.
C:\Users\Ashley\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


OTL by OldTimer - Version 3.2.24.1 log created on 06172011_211649

#6 SweetTech

Agent ST

Posted 18 June 2011 - 09:15 AM

Hi!

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 agoh

Topic Starter

Posted 18 June 2011 - 05:03 PM

Hi ST,

Here is the log for ComboFix...



ComboFix 11-06-17.04 - Ashley 06/18/2011 17:26:28.3.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.249 [GMT -4:00]
Running from: c:\users\Ashley\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
2011-06-18 21:42 . 2011-06-18 21:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-18 10:55 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-18 10:55 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-18 10:55 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-18 01:16 . 2011-06-18 01:16 -------- d-----w- C:\_OTL
2011-06-17 23:19 . 2011-05-24 23:12 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4B5756B9-DE55-47EB-9AB5-6A31E6CA2818}\mpengine.dll
2011-06-16 18:54 . 2011-06-16 18:54 -------- d-----r- C:\comment.htt
2011-06-16 17:15 . 2011-04-27 02:33 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-16 17:15 . 2011-04-29 02:57 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-16 17:15 . 2011-04-29 02:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-16 17:15 . 2011-04-29 02:57 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-16 17:14 . 2011-04-25 04:56 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-16 17:14 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-16 12:49 . 2010-12-18 05:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-16 12:46 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-16 12:46 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-16 12:46 . 2011-05-04 02:43 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-16 12:46 . 2011-05-04 02:43 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-16 12:46 . 2011-05-04 02:43 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-13 07:16 . 2011-06-13 07:22 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-06-13 07:07 . 2011-06-13 07:07 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-06-13 07:07 . 2011-06-13 07:07 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-06-13 07:06 . 2011-05-18 14:53 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-06-13 07:06 . 2011-06-13 07:07 -------- d-----w- c:\program files\UnHackMe
2011-06-13 06:49 . 2011-06-13 06:49 -------- d--h--w- c:\windows\PIF
2011-06-13 05:54 . 2011-06-18 11:30 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-13 05:54 . 2011-06-13 05:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-06-13 05:52 . 2011-06-13 06:02 -------- d-----w- c:\programdata\Hitman Pro
2011-06-12 23:49 . 2002-02-18 22:40 6200 ----a-w- c:\windows\system32\INT13EXT.VXD
2011-06-12 23:49 . 2011-06-12 23:49 -------- d-----w- c:\program files\PC Inspector File Recovery
2011-06-12 23:17 . 2011-06-12 23:17 -------- d-----w- c:\program files\CardRecovery
2011-06-09 18:38 . 2011-06-09 18:38 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-09 18:38 . 2011-06-09 18:38 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-09 18:38 . 2011-06-09 18:38 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-09 18:38 . 2011-06-09 18:38 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-09 18:38 . 2011-06-09 18:38 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-09 18:38 . 2011-06-09 18:38 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-09 18:38 . 2011-06-09 18:38 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-09 18:38 . 2011-06-09 18:38 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-09 05:46 . 2011-06-09 05:46 -------- d-----w- c:\program files\ESET
2011-06-06 03:45 . 2011-06-06 03:45 388096 ----a-r- c:\users\Ashley\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-06 03:45 . 2011-06-06 03:45 -------- d-----w- c:\program files\Trend Micro
2011-06-06 02:17 . 2011-06-18 21:42 -------- d-----w- c:\users\Ashley\AppData\Local\temp
2011-06-06 02:13 . 2011-06-06 02:13 -------- d-----w- c:\users\Ashley\AppData\Roaming\Malwarebytes
2011-06-06 02:13 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-06 02:13 . 2011-06-06 02:13 -------- d-----w- c:\programdata\Malwarebytes
2011-06-06 02:13 . 2011-06-06 02:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-30 07:05 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-05-28 00:45 . 2011-05-28 00:45 -------- d-----w- c:\program files\oDesk
2011-05-28 00:44 . 2011-05-28 00:46 -------- d-----w- c:\users\Ashley\AppData\Local\oDesk
2011-05-26 20:50 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-20 00:43 . 2011-05-20 00:43 -------- d-----w- c:\users\Ashley\AppData\Local\Deployment
2011-05-20 00:43 . 2011-05-20 00:43 -------- d-----w- c:\users\Ashley\AppData\Local\Apps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-24 23:14 . 2010-08-14 23:17 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 19:24 . 2011-05-10 19:24 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-10 19:24 . 2011-05-10 19:24 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-10 19:24 . 2011-05-10 19:24 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-10 19:24 . 2011-05-10 19:24 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-10 19:24 . 2011-05-10 19:24 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-10 19:24 . 2011-05-10 19:24 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-10 19:24 . 2011-05-10 19:24 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-05-10 19:24 . 2011-05-10 19:24 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-05-10 19:24 . 2011-05-10 19:24 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-10 19:24 . 2011-05-10 19:24 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-05-10 19:24 . 2011-05-10 19:24 367104 ----a-w- c:\windows\system32\html.iec
2011-05-10 19:24 . 2011-05-10 19:24 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-10 19:24 . 2011-05-10 19:24 152064 ----a-w- c:\windows\system32\wextract.exe
2011-05-10 19:24 . 2011-05-10 19:24 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-05-10 19:24 . 2011-05-10 19:24 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-10 19:24 . 2011-05-10 19:24 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-05-10 19:24 . 2011-05-10 19:24 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-10 19:24 . 2011-05-10 19:24 11776 ----a-w- c:\windows\system32\mshta.exe
2011-05-10 19:24 . 2011-05-10 19:24 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-09 06:13 . 2011-05-11 18:22 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 18:22 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-13 22:33 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-03-25 03:06 . 2011-05-11 18:22 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-03-25 03:06 . 2011-05-11 18:22 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-25 03:06 . 2011-05-11 18:22 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-25 03:06 . 2011-05-11 18:22 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-25 03:06 . 2011-05-11 18:22 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-03-25 03:06 . 2011-05-11 18:22 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-03-25 03:06 . 2011-05-11 18:22 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-06-09 18:38 . 2011-06-09 18:38 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-11-12 18:17 . 2011-04-19 02:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d970ed5-3eda-438d-bffd-715931e2775d}]
2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-23 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-18 8092192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"APLangApp"="c:\program files\AnyPC Client\APLangApp.exe" [2009-10-20 13312]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-07-09 487680]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-12 55840]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-12 84264]
R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2011-06-13 24416]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-11-12 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-11-12 164840]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe [2010-04-15 598696]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-11-12 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-12 141792]
S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2010-07-09 1053440]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-14 44312]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-12 313288]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-06-13 35816]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-13 c:\windows\Tasks\UnHackMe Task Scheduler.job
- c:\program files\UnHackMe\hackmon.exe [2011-06-13 14:53]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\
FF - prefs.js: browser.startup.homepage - hxxps://myru.radford.edu/cp/home/displaylogin\r
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5084)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
Completion time: 2011-06-18 18:02:13
ComboFix-quarantined-files.txt 2011-06-18 22:02
ComboFix2.txt 2011-06-06 03:07
.
Pre-Run: 23,395,311,616 bytes free
Post-Run: 23,240,876,032 bytes free
.
- - End Of File - - 7AC385DD59D28FAC59BFA9CEF4F1CF7F

#8 SweetTech

Posted 18 June 2011 - 06:52 PM

Hi!

Let's see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 agoh


Posted 18 June 2011 - 10:36 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6891

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/18/2011 8:13:56 PM
mbam-log-2011-06-18 (20-13-56).txt

Scan type: Quick scan
Objects scanned: 153534
Time elapsed: 7 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Results of screen317's Security Check version 0.99.14
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 24
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.1.82.76
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe
Mozilla Firefox OnlineScannerApp.exe -?-
``````````End of Log````````````

I have been trying to run the ESET Online Scanner for the last 3 hours. It has stayed on 41% for almost an hour now. I will post the log for it if it finishes running.

Thanks.

#10 agoh


Posted 18 June 2011 - 11:19 PM

ST,

The scan was unable to finish running. It stayed at 41%. It had found 4 threats:

C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I189HSLT\06[1].htm JS/Kryptik.AP trojan
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\1bb557d6-1489304c Java/TrojanDownloader.OpenStream.NBV trojan
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-72960064 multiple threats
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\72c9d0a5-4853cd96 Java/TrojanDownloader.OpenStream.NBV trojan

#11 SweetTech

Posted 19 June 2011 - 08:28 AM

Hi!

When you ran ESET it just got stuck on 41% then? Was it stuck on a particular file?

These threat(s) below will be removed very shortly:

C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I189HSLT\06[1].htm JS/Kryptik.AP trojan
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\1bb557d6-1489304c Java/TrojanDownloader.OpenStream.NBV trojan
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-72960064 multiple threats
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\72c9d0a5-4853cd96 Java/TrojanDownloader.OpenStream.NBV trojan


____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Let's address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.

Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform.
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I189HSLT\06[1].htm
    C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\1bb557d6-1489304c
    C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-72960064
    C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\72c9d0a5-4853cd96
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?



#12 agoh


Posted 19 June 2011 - 01:38 PM

Both times that I scanned with ESET it got stuck on 41% for almost an hour. The program it was stuck on was under C: Program Files The Sims Game (I think it is a torrent and I do not need the file).

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I189HSLT\06[1].htm moved successfully.
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\1bb557d6-1489304c moved successfully.
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-72960064 moved successfully.
C:\Users\Ashley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\72c9d0a5-4853cd96 moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ashley\Downloads\cmd.bat deleted successfully.
C:\Users\Ashley\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Ashley
->Temp folder emptied: 323718689 bytes
->Temporary Internet Files folder emptied: 29886435 bytes
->Java cache emptied: 16530525 bytes
->FireFox cache emptied: 109842976 bytes
->Flash cache emptied: 130434 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 844 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 458.00 mb


[EMPTYFLASH]

User: All Users

User: Ashley
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.24.1 log created on 06192011_141556

Files\Folders moved on Reboot...
File\Folder C:\Users\Ashley\AppData\Local\Temp\fla6681.tmp not found!
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRRGL44J\fw-nonplayer-banner[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRRGL44J\fw-nonplayer-banner[2].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRRGL44J\fw-nonplayer-banner[3].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRRGL44J\pixel[2].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRRGL44J\rebecca-black-calls-off-friday[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQQ1XGJW\fp[1].js moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LU725NNF\5441474b7a6b333949346b4141316667[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L8MBGTUB\login_status[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J5RE9FNI\emily[2].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GXC0NSLX\15_BING_Garden_15_4x3_640x480_8_700k[1].flv moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYSHX4SH\pixel[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8FGKZT22\xd_receiver[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2VKS253G\data_sync[1].htm moved successfully.
C:\Users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2VKS253G\data_sync[2].htm moved successfully.

Registry entries deleted on Reboot...

OTL logfile created on: 6/19/2011 2:26:31 PM - Run 2
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Ashley\Downloads
Starter Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.30 Mb Total Physical Memory | 83.63 Mb Available Physical Memory | 8.25% Memory free
1.99 Gb Paging File | 1.02 Gb Available in Paging File | 51.30% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.97 Gb Total Space | 21.77 Gb Free Space | 32.50% Space Free | Partition Type: NTFS
Drive D: | 66.98 Gb Total Space | 66.89 Gb Free Space | 99.87% Space Free | Partition Type: NTFS

Computer Name: ASHLEY-PC | User Name: Ashley | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/17 18:40:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Ashley\Downloads\OTL.exe
PRC - [2011/06/09 14:38:22 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/11/12 14:17:32 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/11/12 14:17:32 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2010/09/16 16:04:06 | 001,164,584 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/07/09 14:58:10 | 000,487,680 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
PRC - [2010/07/09 14:55:32 | 001,053,440 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
PRC - [2010/04/20 14:26:44 | 000,300,912 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
PRC - [2010/04/14 21:08:14 | 000,598,696 | ---- | M] ( ) -- C:\Windows\System32\lxeccoms.exe
PRC - [2009/11/20 00:01:36 | 002,247,168 | ---- | M] (SEC) -- C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
PRC - [2009/11/04 00:11:48 | 000,835,072 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2009/10/26 07:53:14 | 000,091,136 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2009/10/20 05:12:58 | 000,013,312 | ---- | M] (DoctorSoft) -- C:\Program Files\AnyPC Client\APLangApp.exe
PRC - [2009/10/13 06:03:04 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
PRC - [2009/08/13 21:58:10 | 000,044,312 | ---- | M] () -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
PRC - [2009/08/03 16:33:06 | 001,626,112 | ---- | M] (Eastman Kodak Company) -- C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/03/05 05:54:50 | 000,311,296 | ---- | M] () -- C:\Windows\System32\Rezip.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


========== Modules (SafeList) ==========

MOD - [2011/06/17 18:40:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Ashley\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (McODS)
SRV - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/11/12 14:17:32 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/11/12 14:17:32 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2010/07/09 14:55:32 | 001,053,440 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe -- (NACAgent)
SRV - [2010/04/14 21:08:14 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\windows\System32\lxeccoms.exe -- (lxec_device)
SRV - [2009/08/13 21:58:10 | 000,044,312 | ---- | M] () [Auto | Running] -- C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/03/05 05:54:50 | 000,311,296 | ---- | M] () [Auto | Running] -- C:\Windows\System32\Rezip.exe -- (Rezip)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2011/06/13 03:22:57 | 000,024,416 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\regguard.sys -- (RegGuard)
DRV - [2011/06/13 03:07:17 | 000,035,816 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Partizan.sys -- (Partizan)
DRV - [2010/11/12 14:17:32 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/11/12 14:17:32 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/11/12 14:17:32 | 000,164,840 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2010/11/12 14:17:32 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/11/12 14:17:32 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/11/12 14:17:32 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/11/12 14:17:32 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2010/11/12 14:17:32 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/12 14:17:32 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/06/10 03:43:18 | 001,271,808 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/09/28 05:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://myru.radford.edu/cp/home/displaylogin\r"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: chachaguidebar@chacha.com:1.2
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/06/06 18:31:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/09 14:38:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/09 14:38:31 | 000,000,000 | ---D | M]

[2010/10/13 18:09:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Extensions
[2010/10/13 18:09:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/06/13 01:40:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\extensions
[2011/04/11 20:39:44 | 000,000,000 | ---D | M] (ChaCha Guide App Toolbar) -- C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\extensions\chachaguidebar@chacha.com
[2011/04/21 13:58:41 | 000,001,820 | ---- | M] () -- C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fd1clhv3.default\searchplugins\bing.xml
[2011/06/19 14:11:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/15 13:28:15 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/06/19 14:11:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
File not found (No name found) --
[2011/06/06 18:31:19 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
() (No name found) -- C:\USERS\ASHLEY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\FD1CLHV3.DEFAULT\EXTENSIONS\{C1970C0D-DBE6-4D91-804F-C9C0DE643A57}.XPI
[2011/06/09 14:38:21 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/11/12 14:17:32 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2011/06/19 14:11:14 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/06/09 14:38:25 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/06/19 14:16:12 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110418222225.dll (McAfee, Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O4 - HKLM..\Run: [APLangApp] C:\Program Files\AnyPC Client\APLangApp.exe (DoctorSoft)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe (Cisco Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 253
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 253
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - File not found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/06/16 14:54:25 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/06/16 14:54:25 | 000,000,000 | R--D | M] - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (Partizan) - C:\windows\System32\Partizan.exe (Greatis Software)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/19 14:12:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/19 14:11:59 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2011/06/19 14:08:45 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/06/18 17:50:29 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/06/18 17:12:26 | 004,130,419 | R--- | C] (Swearware) -- C:\Users\Ashley\Desktop\ComboFix.exe
[2011/06/17 21:16:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/16 14:54:25 | 000,000,000 | R--D | C] -- C:\comment.htt
[2011/06/16 14:54:25 | 000,000,000 | R--D | C] -- C:\autorun.inf
[2011/06/13 03:16:12 | 000,024,416 | ---- | C] (Greatis Software) -- C:\windows\System32\drivers\regguard.sys
[2011/06/13 03:07:17 | 000,039,192 | ---- | C] (Greatis Software) -- C:\windows\System32\Partizan.exe
[2011/06/13 03:07:17 | 000,035,816 | ---- | C] (Greatis Software) -- C:\windows\System32\drivers\Partizan.sys
[2011/06/13 03:07:02 | 000,000,000 | ---D | C] -- C:\Users\Ashley\Documents\RegRun2
[2011/06/13 03:06:55 | 000,012,808 | ---- | C] (Greatis Software, LLC.) -- C:\windows\System32\drivers\UnHackMeDrv.sys
[2011/06/13 03:06:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
[2011/06/13 03:06:55 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\regruninfo
[2011/06/13 03:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2011/06/13 02:49:17 | 000,000,000 | -H-D | C] -- C:\windows\PIF
[2011/06/13 01:54:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hitman Pro 3.5
[2011/06/13 01:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/06/13 01:52:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/06/12 19:49:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Inspector File Recovery
[2011/06/12 19:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\PC Inspector File Recovery
[2011/06/12 19:20:00 | 000,000,000 | ---D | C] -- C:\Users\Ashley\Documents\CardRecovery
[2011/06/12 19:17:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CardRecovery
[2011/06/12 19:17:10 | 000,000,000 | ---D | C] -- C:\Program Files\CardRecovery
[2011/06/09 01:46:55 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/05 23:45:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/05 23:45:55 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/05 23:07:48 | 000,000,000 | ---D | C] -- C:\windows\temp
[2011/06/05 22:17:33 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Local\temp
[2011/06/05 22:13:39 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Roaming\Malwarebytes
[2011/06/05 22:13:30 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2011/06/05 22:13:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/05 22:13:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/05 22:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/05 22:09:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyware Doctor
[2011/06/05 21:59:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/06/05 21:59:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/06/05 21:59:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/06/05 21:58:30 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/06/05 21:34:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/27 20:45:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\oDesk
[2011/05/27 20:45:53 | 000,000,000 | ---D | C] -- C:\Program Files\oDesk
[2011/05/27 20:44:16 | 000,000,000 | ---D | C] -- C:\Users\Ashley\AppData\Local\oDesk
[2010/04/14 21:08:16 | 000,324,264 | ---- | C] ( ) -- C:\windows\System32\lxecih.exe
[2010/04/14 21:08:14 | 000,598,696 | ---- | C] ( ) -- C:\windows\System32\lxeccoms.exe
[2010/04/14 21:08:12 | 000,373,416 | ---- | C] ( ) -- C:\windows\System32\lxeccfg.exe
[2010/04/13 20:41:34 | 000,442,368 | ---- | C] ( ) -- C:\windows\System32\lxeccoin.dll
[2009/12/09 20:47:50 | 000,643,072 | ---- | C] ( ) -- C:\windows\System32\lxecpmui.dll
[2009/12/09 20:43:14 | 001,048,576 | ---- | C] ( ) -- C:\windows\System32\lxecserv.dll
[2009/12/09 20:41:22 | 000,688,128 | ---- | C] ( ) -- C:\windows\System32\lxechbn3.dll
[2009/12/09 20:40:12 | 000,847,872 | ---- | C] ( ) -- C:\windows\System32\lxecusb1.dll
[2009/12/09 20:37:34 | 000,356,352 | ---- | C] ( ) -- C:\windows\System32\lxechcp.dll
[2009/12/09 20:36:32 | 000,577,536 | ---- | C] ( ) -- C:\windows\System32\lxeclmpm.dll
[2009/12/09 20:35:50 | 000,344,064 | ---- | C] ( ) -- C:\windows\System32\lxeciesc.dll
[2009/12/09 20:35:44 | 000,802,816 | ---- | C] ( ) -- C:\windows\System32\lxeccomc.dll
[2009/12/09 20:35:32 | 000,364,544 | ---- | C] ( ) -- C:\windows\System32\lxecinpa.dll

========== Files - Modified Within 30 Days ==========

[2011/06/19 14:29:23 | 000,010,272 | ---- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/19 14:29:23 | 000,010,272 | ---- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/19 14:21:31 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/06/19 14:21:26 | 796,889,088 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/19 14:16:12 | 000,000,098 | ---- | M] () -- C:\windows\System32\drivers\etc\Hosts
[2011/06/18 17:14:10 | 004,130,419 | R--- | M] (Swearware) -- C:\Users\Ashley\Desktop\ComboFix.exe
[2011/06/18 07:30:59 | 000,017,480 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2011/06/13 15:48:04 | 000,000,638 | ---- | M] () -- C:\Users\Ashley\AppData\Roaming\wklnhst.dat
[2011/06/13 12:29:30 | 000,000,662 | ---- | M] () -- C:\windows\System32\.crusader
[2011/06/13 03:22:57 | 000,024,416 | ---- | M] (Greatis Software) -- C:\windows\System32\drivers\regguard.sys
[2011/06/13 03:07:22 | 000,002,577 | ---- | M] () -- C:\windows\System32\config.nt
[2011/06/13 03:07:22 | 000,001,688 | ---- | M] () -- C:\windows\System32\autoexec.nt
[2011/06/13 03:07:17 | 000,039,192 | ---- | M] (Greatis Software) -- C:\windows\System32\Partizan.exe
[2011/06/13 03:07:17 | 000,035,816 | ---- | M] (Greatis Software) -- C:\windows\System32\drivers\Partizan.sys
[2011/06/13 03:06:57 | 000,000,406 | ---- | M] () -- C:\windows\tasks\UnHackMe Task Scheduler.job
[2011/06/13 03:06:56 | 000,000,917 | ---- | M] () -- C:\Users\Ashley\Desktop\UnHackMe.lnk
[2011/06/13 01:54:43 | 000,001,950 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2011/06/12 19:49:37 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\PC Inspector File Recovery.lnk
[2011/06/12 19:17:11 | 000,000,957 | ---- | M] () -- C:\Users\Public\Desktop\CardRecovery.lnk
[2011/06/09 14:39:00 | 000,002,002 | ---- | M] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/05 23:45:55 | 000,002,969 | ---- | M] () -- C:\Users\Ashley\Desktop\HiJackThis.lnk
[2011/06/05 22:13:31 | 000,001,095 | ---- | M] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/05 22:13:31 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/30 03:23:50 | 000,624,178 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2011/05/30 03:23:50 | 000,106,522 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys

========== Files Created - No Company Name ==========

[2011/06/13 03:06:57 | 000,000,406 | ---- | C] () -- C:\windows\tasks\UnHackMe Task Scheduler.job
[2011/06/13 03:06:56 | 000,000,917 | ---- | C] () -- C:\Users\Ashley\Desktop\UnHackMe.lnk
[2011/06/13 02:02:53 | 000,000,662 | ---- | C] () -- C:\windows\System32\.crusader
[2011/06/13 01:54:50 | 000,017,480 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2011/06/13 01:54:43 | 000,001,950 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2011/06/12 19:49:43 | 000,006,200 | ---- | C] () -- C:\windows\System32\INT13EXT.VXD
[2011/06/12 19:49:37 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\PC Inspector File Recovery.lnk
[2011/06/12 19:17:11 | 000,000,957 | ---- | C] () -- C:\Users\Public\Desktop\CardRecovery.lnk
[2011/06/09 14:38:36 | 000,001,112 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/06/05 23:45:55 | 000,002,969 | ---- | C] () -- C:\Users\Ashley\Desktop\HiJackThis.lnk
[2011/06/05 22:13:31 | 000,001,095 | ---- | C] () -- C:\Users\Ashley\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/05 22:13:31 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/05 21:59:51 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/06/05 21:59:51 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2011/06/05 21:59:51 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2011/06/05 21:59:50 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2011/06/05 21:59:50 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2011/06/05 21:59:50 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2011/06/05 21:59:50 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2011/06/05 21:59:50 | 000,001,105 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2011/06/05 21:59:49 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/06/05 21:59:48 | 000,002,503 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/06/05 21:59:48 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/06/05 21:59:48 | 000,000,900 | ---- | C] () -- C:\Users\Public\Desktop\User Guide.lnk
[2011/06/05 21:59:47 | 000,002,072 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Support Center.lnk
[2011/06/05 21:59:47 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/06/05 21:59:47 | 000,001,870 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Update Plus.lnk
[2011/06/05 21:59:47 | 000,000,888 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Recovery Solution 4.lnk
[2011/06/05 21:59:47 | 000,000,161 | ---- | C] () -- C:\Users\Public\Desktop\SkyDrive - Windows Live.url
[2011/06/05 21:59:46 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/06/05 21:59:46 | 000,002,055 | ---- | C] () -- C:\Users\Public\Desktop\Easy Resolution Manager.lnk
[2011/06/05 21:59:46 | 000,002,038 | ---- | C] () -- C:\Users\Public\Desktop\Cisco NAC Agent.lnk
[2011/06/05 21:59:46 | 000,002,034 | ---- | C] () -- C:\Users\Public\Desktop\Easy Network Manager.lnk
[2011/06/05 21:59:46 | 000,001,267 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office - 60 Day Trial.lnk
[2011/06/05 21:59:45 | 000,001,984 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/06/05 21:59:45 | 000,001,859 | ---- | C] () -- C:\Users\Public\Desktop\AIM.lnk
[2011/06/05 21:59:45 | 000,001,788 | ---- | C] () -- C:\Users\Public\Desktop\ChargeableUSB.lnk
[2011/06/05 21:59:45 | 000,001,642 | ---- | C] () -- C:\Users\Public\Desktop\AnyPC.lnk
[2011/06/05 21:59:14 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2011/06/05 21:59:14 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2011/06/05 21:59:14 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/06/05 21:59:14 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/06/05 21:59:13 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/04/15 10:48:04 | 000,007,597 | ---- | C] () -- C:\Users\Ashley\AppData\Local\Resmon.ResmonCfg
[2011/02/15 13:29:26 | 000,000,048 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/09 23:31:25 | 000,000,638 | ---- | C] () -- C:\Users\Ashley\AppData\Roaming\wklnhst.dat
[2010/08/13 05:03:16 | 000,000,002 | ---- | C] () -- C:\windows\HotFixList.ini
[2009/12/14 08:56:19 | 000,311,296 | ---- | C] () -- C:\windows\System32\Rezip.exe
[2009/11/09 09:06:52 | 000,106,496 | ---- | C] () -- C:\windows\System32\lxecinsr.dll
[2009/11/09 09:06:50 | 000,036,864 | ---- | C] () -- C:\windows\System32\lxeccur.dll
[2009/11/09 09:06:40 | 000,057,344 | ---- | C] () -- C:\windows\System32\lxecjswr.dll
[2009/11/09 09:06:26 | 000,262,144 | ---- | C] () -- C:\windows\System32\lxecinsb.dll
[2009/11/09 09:06:22 | 000,090,112 | ---- | C] () -- C:\windows\System32\lxeccub.dll
[2009/11/09 09:06:14 | 000,208,896 | ---- | C] () -- C:\windows\System32\lxecgrd.dll
[2009/11/09 09:06:06 | 000,253,952 | ---- | C] () -- C:\windows\System32\lxeccu.dll
[2009/11/09 09:05:54 | 000,323,584 | ---- | C] () -- C:\windows\System32\lxecins.dll
[2009/11/09 08:59:58 | 000,086,016 | ---- | C] () -- C:\windows\System32\lxecgcfg.dll
[2009/10/21 11:06:22 | 000,110,592 | ---- | C] () -- C:\windows\System32\lxeccuir.dll
[2009/10/21 11:06:20 | 000,294,912 | ---- | C] () -- C:\windows\System32\lxeccui.dll
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/14 00:33:53 | 000,334,432 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,624,178 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,106,522 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2009/07/13 18:09:19 | 000,982,196 | ---- | C] () -- C:\windows\System32\igkrng500.bin
[2009/07/13 18:09:19 | 000,417,344 | ---- | C] () -- C:\windows\System32\igcompkrng500.bin
[2009/07/13 18:09:19 | 000,139,824 | ---- | C] () -- C:\windows\System32\igfcg500.bin
[2009/07/13 18:09:19 | 000,097,448 | ---- | C] () -- C:\windows\System32\igfcg500m.bin
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2009/02/20 09:48:44 | 000,023,552 | ---- | C] () -- C:\windows\System32\lxecsmr.dll
[2009/02/20 09:48:04 | 000,299,008 | ---- | C] () -- C:\windows\System32\lxecsm.dll
[2008/03/05 03:55:36 | 000,040,960 | ---- | C] () -- C:\windows\System32\lxecvs.dll

========== LOP Check ==========

[2011/02/13 22:03:20 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\acccore
[2011/04/06 13:20:28 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\FrostWire
[2010/08/14 06:55:50 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\GameConsole
[2010/11/03 13:35:49 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\LimeWire
[2011/04/07 23:53:32 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\NCH Swift Sound
[2010/08/14 07:19:35 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\PlayFirst
[2010/11/09 23:31:34 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\Template
[2011/06/12 19:23:08 | 000,000,000 | ---D | M] -- C:\Users\Ashley\AppData\Roaming\uTorrent
[2009/07/14 00:53:46 | 000,015,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/06/13 03:06:57 | 000,000,406 | ---- | M] () -- C:\Windows\Tasks\UnHackMe Task Scheduler.job

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/06/09 14:38:26 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/06/09 14:38:26 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/06/09 14:38:26 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/06/09 14:38:22 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/06/09 14:38:22 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/06/09 14:38:22 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/05/10 15:24:13 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/05/10 15:24:13 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/05/10 15:24:13 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/05/10 15:24:14 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2011/05/10 15:24:14 | 000,748,336 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-06-18 11:03:03

< End of report >




My pages are still redirecting and my desktop background is still black.

Thanks
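
The OTL log above uses a fixed per-line layout: timestamp | size | attributes | C or M, then an optional company name in parentheses and the path, while the O-section hook lines end in "File not found" when their target binary is gone. As an added example, not part of this thread or of OTL itself, here is a small Python script that parses lines in that format and queues what a helper usually checks first: System32 binaries with no company name, drivers created or modified within the report window, and orphaned hook entries. The sample lines are copied from the log posted above; the report time is an assumption taken from its newest timestamp.

```python
"""Triage helper for OTL-style scan log lines (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One OTL file/folder entry, e.g.
# [2011/06/13 03:07:17 | 000,039,192 | ---- | C] (Greatis Software) -- C:\windows\System32\Partizan.exe
# The "(Company)" field is optional; OTL prints "()" or "( )" when the binary has no company name.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# Hook/registry lines whose target is gone, e.g. "O18 - Protocol\Handler\x {GUID} - File not found".
ORPHAN_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+?) - File not found$")

SYSTEM_DIR = "c:\\windows\\system32\\"
BINARY_EXT = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str              # e.g. "---D" directory, "-HS-" hidden+system, "R---" read-only
    kind: str               # C = from the "Created" list, M = from the "Modified" list
    company: Optional[str]  # None when OTL printed no company field at all, "" when it was empty
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def is_binary(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(BINARY_EXT)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL entry line; return None for any other line (O-sections, headers, blanks)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    return Entry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=company.strip() if company is not None else None,
        path=m.group("path").strip(),
    )


def triage(lines: List[str], report_time: datetime, recent_days: int = 30) -> List[str]:
    """Collect entries worth a second look. This is a review queue, not a verdict:
    freshly installed cleanup tools (Hitman Pro, Malwarebytes drivers) land here too."""
    findings: List[str] = []
    cutoff = report_time - timedelta(days=recent_days)
    for line in lines:
        orphan = ORPHAN_RE.match(line.strip())
        if orphan:
            findings.append(f"orphan {orphan.group('section')}: {orphan.group('body')}")
            continue
        e = parse_entry(line)
        if e is None or not e.is_binary:
            continue
        if e.path.lower().startswith(SYSTEM_DIR) and not e.company:
            findings.append(f"no company name: {e.path}")
        if e.path.lower().endswith(".sys") and e.timestamp >= cutoff:
            findings.append(f"driver created/modified recently: {e.path}")
    return findings


# Sample lines copied from the log posted in this thread (a subset, so the script runs offline).
SAMPLE_LINES = [
    r"[2011/06/13 03:07:17 | 000,039,192 | ---- | C] (Greatis Software) -- C:\windows\System32\Partizan.exe",
    r"[2011/06/13 01:54:50 | 000,017,480 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys",
    r"[2010/04/14 21:08:16 | 000,324,264 | ---- | C] ( ) -- C:\windows\System32\lxecih.exe",
    r"[2011/06/19 14:12:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java",
    r"[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys",
    r"O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - File not found",
    r"O34 - HKLM BootExecute: (autocheck autochk *) - File not found",
    "O1 - Hosts: 127.0.0.1 localhost",
]
# Assumed report time: the newest timestamp in the posted log is 2011/06/19 14:29.
REPORT_TIME = datetime(2011, 6, 19, 14, 30)


def run_sample() -> List[str]:
    return triage(SAMPLE_LINES, REPORT_TIME)
```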

#13 SweetTech
    Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 19 June 2011 - 02:01 PM

Hi!

Do you connect via a Wireless router, and if so, are any other computers in the household experiencing redirects?

Okay.

Please run this tool:


Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Edited by SweetTech, 19 June 2011 - 02:04 PM.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#14 agoh
  • Topic Starter
  • Members
  • 36 posts

Posted 19 June 2011 - 05:11 PM

ST,

Nope, just me.

tdsskiller will not open even after I rename it.

#15 SweetTech
    Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 19 June 2011 - 05:29 PM

Was the answer to this question:

Do you connect via a Wireless router,

No as well?

Do you have access to a flash drive?
