
System protection and redirect virus


This topic is locked
30 replies to this topic

#1 lovelocs

  • Members
  • 18 posts

Posted 17 September 2011 - 02:46 AM

Hello,
My computer was hit with these viruses maybe 2 weeks ago. I have tried various types of online help, and I have not been able to get rid of the issue. My computer was offline for a few days, and when I went back online today, I was able to search without redirects for a few hours (I actually got to the real Google page instead of the redirect one), but the issue is back now. I have read that sometimes the virus can remain in the router until it is reset. I do not have access to the router to do this, so I hope that this is not the case. I have McAfee on my computer, but it is expired, so I am not sure that I disabled it correctly before running the scans. If I need to do anything over again, let me know. Thank you in advance for your expert help.

Here are my logs.

************************************************************************************************************************************************
Checkupresult
************************************************************************************************************************************************

Results of screen317's Security Check version 0.99.7
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee AntiVirus Plus
McAfee Security Scan Plus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 27
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Adobe Reader 8.1.4
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.22)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````



************************************************************************************************************************************************
DDS
************************************************************************************************************************************************
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_27
Run by Cymande at 2:17:18 on 2011-09-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.856 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\4DEmbroidery\DesignerSECommuni.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110829225817.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DesignerSECommuni.exe] "c:\4dembroidery\DesignerSECommuni.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
uRun: [appapiInit] "rundll32.exe" "c:\users\cymande.cymande-pc\appdata\local\wincommssupport\appapiInit.dll",olenetWan winAuthenticationdsc
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [dscactivate] "c:\dell\dsca.exe" 3
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BrMfcWnd] "c:\program files\brother\brmfcmon\BrMfcWnd.exe" /AUTORUN
mRun: [ControlCenter3] "c:\program files\brother\controlcenter3\brctrcen.exe" /autorun
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LWS] "c:\program files\logitech\lws\webcam software\LWS.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\cymand~1.cym\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\ereg\eReg.exe
StartupFolder: c:\users\cymand~1.cym\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: adecco.com\*.xpert
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
TCP: Interfaces\{77C5ACE4-17FE-4958-B620-B4CFFC511825} : DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
TCP: Interfaces\{C259A12D-64BE-4682-8725-9B566DB10DA0} : DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cymande.cymande-pc\appdata\roaming\mozilla\firefox\profiles\dypooc45.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\users\cymande.cymande-pc\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\mcafee\SiteAdvisor
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-2 459728]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-5-29 21728]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-2 64648]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-2 163400]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-18 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-24 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-2 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-2 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-2 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-2 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-2 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-2 148520]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2011-5-29 272864]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-5-29 699896]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-2 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-2 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-2 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-2 337912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-2 85984]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2011-9-4 50704]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-17 06:43:52 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6b4c5836-1984-4503-8694-d77029427aaa}\mpengine.dll
2011-09-17 06:34:40 709968 ----a-w- c:\windows\isRS-000.tmp
2011-09-05 03:17:06 96784 ----a-w- c:\windows\system32\Packet.dll
2011-09-05 03:17:06 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-09-05 03:17:06 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-09-05 03:17:06 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-08-30 03:58:17 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-08-29 19:33:02 -------- d-----w- c:\users\cymande.cymande-pc\appdata\local\temp
2011-08-29 19:27:10 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-29 19:14:41 -------- d-----w- C:\ComboFix
2011-08-29 18:56:54 208896 ----a-w- c:\windows\MBR.exe
2011-08-29 18:56:51 518144 ----a-w- c:\windows\SWREG.exe
2011-08-29 18:56:51 256000 ----a-w- c:\windows\PEV.exe
2011-08-29 18:56:50 98816 ----a-w- c:\windows\sed.exe
2011-08-29 09:06:39 -------- d-----w- c:\program files\CCleaner
2011-08-29 01:33:54 -------- d-----w- c:\users\cymande.cymande-pc\appdata\local\winCommsSupport
2011-08-26 23:45:01 -------- d-----w- c:\program files\iPod
2011-08-26 23:44:55 -------- d-----w- c:\program files\iTunes
2011-08-26 23:32:19 -------- d-----w- c:\program files\Bonjour
2011-08-26 20:24:04 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 03:55:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-19 10:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-20 08:54:36 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54:36 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
.
============= FINISH: 2:18:03.26 ===============



************************************************************************************************************************************************
Minitoolkitresult
************************************************************************************************************************************************
MiniToolBox by Farbar
Ran by Cymande (administrator) on 17-09-2011 at 00:37:03
Windows Vista ™ Home Premium Service Pack 2 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Cymande-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR WNDA3100v2 N600 Wireless Dual Band USB Adapter
Physical Address. . . . . . . . . : C4-3D-C7-C8-AD-E1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::44a5:6a02:ed91:e936%16(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.3.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, September 16, 2011 8:25:28 PM
Lease Expires . . . . . . . . . . : Saturday, September 17, 2011 8:25:37 PM
Default Gateway . . . . . . . . . : 192.168.3.1
DHCP Server . . . . . . . . . . . : 192.168.3.1
DHCPv6 IAID . . . . . . . . . . . : 281296327
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-DA-BF-B8-00-1D-09-77-2D-7A
DNS Servers . . . . . . . . . . . : 216.114.0.3
216.114.0.5
192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® 82562V-2 10/100 Network Connection
Physical Address. . . . . . . . . : 00-1D-09-77-2D-7A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:342d:9c6:3f57:fc9a(Preferred)
Link-local IPv6 Address . . . . . : fe80::342d:9c6:3f57:fc9a%8(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{8780E2F9-E198-4683-BEFB-2081B6A8C54A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{C259A12D-64BE-4682-8725-9B566DB10DA0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: ns1.powercom.net
Address: 216.114.0.3

Name: google.com
Addresses: 74.125.225.48
74.125.225.49
74.125.225.50
74.125.225.51
74.125.225.52



Pinging google.com [74.125.225.81] with 32 bytes of data:

Request timed out.

Reply from 74.125.225.81: bytes=32 time=16ms TTL=54



Ping statistics for 74.125.225.81:

Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),

Approximate round trip times in milli-seconds:

Minimum = 16ms, Maximum = 16ms, Average = 16ms

Server: ns1.powercom.net
Address: 216.114.0.3

Name: yahoo.com
Addresses: 67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56
209.191.122.70



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=401ms TTL=54

Reply from 209.191.122.70: bytes=32 time=56ms TTL=54



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 56ms, Maximum = 401ms, Average = 228ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
16 ...c4 3d c7 c8 ad e1 ...... NETGEAR WNDA3100v2 N600 Wireless Dual Band USB Adapter
9 ...00 1d 09 77 2d 7a ...... Intel® 82562V-2 10/100 Network Connection
1 ........................... Software Loopback Interface 1
8 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
10 ...00 00 00 00 00 00 00 e0 isatap.{8780E2F9-E198-4683-BEFB-2081B6A8C54A}
20 ...00 00 00 00 00 00 00 e0 isatap.{C259A12D-64BE-4682-8725-9B566DB10DA0}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.101 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.3.0 255.255.255.0 On-link 192.168.3.101 281
192.168.3.101 255.255.255.255 On-link 192.168.3.101 281
192.168.3.255 255.255.255.255 On-link 192.168.3.101 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.3.101 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.3.101 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
8 18 ::/0 On-link
1 306 ::1/128 On-link
8 18 2001::/32 On-link
8 266 2001:0:4137:9e76:342d:9c6:3f57:fc9a/128
On-link
16 281 fe80::/64 On-link
8 266 fe80::/64 On-link
8 266 fe80::342d:9c6:3f57:fc9a/128
On-link
16 281 fe80::44a5:6a02:ed91:e936/128
On-link
1 306 ff00::/8 On-link
8 266 ff00::/8 On-link
16 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/16/2011 10:43:58 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/16/2011 10:43:58 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/16/2011 08:27:13 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/16/2011 08:27:13 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/15/2011 10:46:19 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/15/2011 10:46:19 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/14/2011 04:42:57 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/14/2011 04:42:57 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/14/2011 04:17:01 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/14/2011 04:17:01 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (09/12/2011 00:16:31 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80246007Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 x86 (KB2533523){B9AE51DE-0D68-4F66-8236-13494EEF0082}100

Error: (09/12/2011 00:16:30 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80246007Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 x86 (KB2468871){3B123BCE-0562-45B4-834D-74EB1352D508}102

Error: (09/12/2011 00:16:19 PM) (Source: DCOM) (User: )
Description: {C2BFE331-6739-4270-86C9-493D9A04CD38}

Error: (09/12/2011 10:09:32 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.3.103 for the Network Card with network address C43DC7C8ADE1 has been denied by the DHCP server 192.168.3.1 (The DHCP Server sent a DHCPNACK message).

Error: (09/11/2011 04:26:36 PM) (Source: Service Control Manager) (User: )
Description: McAfee Security Scan Component Host Service1

Error: (09/08/2011 00:03:56 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80070643Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 x86 (KB2533523){B9AE51DE-0D68-4F66-8236-13494EEF0082}100

Error: (09/08/2011 00:03:20 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80070643Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 x86 (KB2468871){3B123BCE-0562-45B4-834D-74EB1352D508}102

Error: (09/08/2011 00:02:07 PM) (Source: DCOM) (User: )
Description: {C2BFE331-6739-4270-86C9-493D9A04CD38}

Error: (09/08/2011 06:48:20 AM) (Source: Service Control Manager) (User: )
Description: McAfee McShield150001Restart the service

Error: (09/08/2011 04:49:10 AM) (Source: Service Control Manager) (User: )
Description: 30000Netman


Microsoft Office Sessions:
=========================
Error: (09/16/2011 10:43:58 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/16/2011 10:43:58 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/16/2011 08:27:13 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/16/2011 08:27:13 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/15/2011 10:46:19 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/15/2011 10:46:19 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/14/2011 04:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/14/2011 04:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/14/2011 04:17:01 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK

Error: (09/14/2011 04:17:01 PM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE ANTIVIRUS PLUS.LNK


=========================== Installed Programs ============================

32-bit VSM Device Drivers (Version: 1.00.0000)
4D Embroidery System 8.0 (Version: 8.0)
Adobe Flash Player 10 ActiveX (Version: 10.0.42.34)
Adobe Flash Player 10 Plugin (Version: 10.3.183.5)
Adobe Reader 8.1.4 (Version: 8.1.4)
Apple Application Support (Version: 2.0.1)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
Audacity 1.3.7 (Unicode)
Bonjour (Version: 3.0.0.2)
Brother MFL-Pro Suite (Version: 1.00)
CameraHelperMsi (Version: 13.25.1010.0)
CCleaner (Version: 3.09)
Conexant D850 PCI V.92 Modem (Version: 7.74.00)
Dell Getting Started Guide (Version: 1.00.0000)
Dell Support Center (Version: 1.0.07192)
DellSupport (Version: 6.0.3075)
Digital Line Detect (Version: 1.21)
EarthLink Setup Files (Version: 2008.1.18.0)
EDocs
erLT (Version: 1.20.138.34)
GIMP 2.6.3
Intel® PRO Network Connections 12.1.11.0 (Version: )
iTunes (Version: 10.4.1.10)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 27 (Version: 6.0.270)
LAME v3.98.2 for Audacity
Logitech Webcam Software (Version: 2.0)
LWS Facebook (Version: 13.20.1166.0)
LWS Gallery (Version: 13.20.1166.0)
LWS Help_main (Version: 13.25.1016.0)
LWS Launcher (Version: 13.20.1166.0)
LWS Motion Detection (Version: 13.20.1176.0)
LWS Pictures And Video (Version: 13.25.1010.0)
LWS Twitter (Version: 13.20.1166.0)
LWS Video Mask Maker (Version: 13.10.1216.0)
LWS VideoEffects (Version: 13.25.1005.0)
LWS Webcam Software (Version: 13.20.1168.0)
LWS WLM Plugin (Version: 1.20.1166.0)
LWS YouTube Plugin (Version: 13.20.1166.0)
Malwarebytes' Anti-Malware
McAfee AntiVirus Plus (Version: 11.0.578)
McAfee Security Scan Plus (Version: 2.0.181.2)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Works (Version: 08.05.0818)
Mobile Broadband Drivers (Version: 2.01.07.10)
Modem Diagnostic Tool (Version: 1.0.24.0)
Mozilla Firefox (3.6.22) (Version: 3.6.22 (en-US))
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0)
Music, Photos & Videos Launcher (Version: 1.00.0000)
NETGEAR WNDA3100v2 wireless USB 2.0 adapter (Version: 1.03.000)
NetWaiting (Version: 2.5.53)
OpenOffice.org 3.0 (Version: 3.0.9358)
Plant Tycoon 1.0 (Version: 1.0)
Product Documentation Launcher (Version: 1.00.0000)
QuickTime (Version: 7.70.80.34)
Realtek High Definition Audio Driver
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio MyDVD DE (Version: 9.0.116)
Roxio Update Manager (Version: 6.0.0)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
Yahoo! Messenger
Yahoo! Software Update

========================= Memory info: ===================================

Percentage of memory in use: 59%
Total physical RAM: 2036.45 MB
Available physical RAM: 821.75 MB
Total Pagefile: 4318.18 MB
Available Pagefile: 2442.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.74 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:455.72 GB) (Free:357.92 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:4.73 GB) NTFS
3 Drive e: (WNDA3100v2) (CDROM) (Total:0.05 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\CYMANDE-PC

Administrator Cymande Guest


**** End of log ****


************************************************************************************************************************************************
gmer log
************************************************************************************************************************************************
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-17 02:13:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-75A7B0 rev.01.03B01
Running: tbiozf61.exe; Driver: C:\Users\CYMAND~1.CYM\AppData\Local\Temp\pwdiafow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x82A4BD48]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x82A4BD72]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x82A4BD5E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x82A4BD34]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


************************************************************************************************************************************************
MBAM Log
************************************************************************************************************************************************
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7732

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19120

9/17/2011 1:52:59 AM
mbam-log-2011-09-17 (01-52-59).txt

Scan type: Quick scan
Objects scanned: 193943
Time elapsed: 14 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
************************************************************************************************************************************************

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,732 posts
  • Gender:Male

Posted 22 September 2011 - 02:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419297 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 lovelocs

lovelocs
  • Topic Starter

  • Members
  • 18 posts

Posted 23 September 2011 - 11:23 PM

Hi!
Gladly supplying the needed information. I got the system protection and Google redirect virus on my computer, even though I had McAfee active on my computer at the time (and it was a green-lit, non-porn site). I used the BleepingComputer guide for removing security protection. Most of it worked: Windows Defender and Malwarebytes picked up most of the problems. But I was still getting redirects. At first, they didn't happen all the time; now when they occur, they tend to lock my computer up. So I then used an online tutorial: http://www.youtube.com/watch?v=TLVifFbLIso. I checked my proxy settings, ensured that Google was set as my homepage, checked my internet protocol, and ensured that I was using only "orbit DNS services." I ran TDSSKiller and CCleaner. Lastly, I ran ipconfig/dns/ (or something like this) to "flush" the router. None of this worked. I also ran ComboFix (I got it from another site, and did not know that it was like chemo for your computer). It still didn't work. The only time when I am redirect-free is when my roommates log onto their computers after an extended absence (we're on the same network, and they use Linux, if that helps). Then I'm redirect-free for a few hours. I can't find my Windows CDs right now, but I may have them. If you need any further clarification on anything I've listed, please let me know. Otherwise, I believe that's it. The logs follow:

GMER:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-23 22:43:15
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-75A7B0 rev.01.03B01
Running: gmer.exe; Driver: C:\Users\CYMAND~1.CYM\AppData\Local\Temp\pwdiafow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x82A40D48]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x82A40D72]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x82A40D5E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x82A40D34]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82467982 5 Bytes JMP 82A40D38 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8262D143 5 Bytes JMP 82A40D76 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8264C89A 7 Bytes JMP 82A40D4C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8264CB5D 5 Bytes JMP 82A40D62 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xAA4CD400, 0x87EE2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xAA571620] C:\Windows\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xAA571620]
.protectÿÿÿÿhardlockunknown last code section [0xAA571400, 0x5126, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xAA571400, 0x5126, 0xE0000020]
? C:\Users\CYMAND~1.CYM\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[712] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 0023000A
.text C:\Windows\system32\services.exe[712] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00230FE5
.text C:\Windows\system32\services.exe[712] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 0023001B
.text C:\Windows\system32\services.exe[712] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00200F54
.text C:\Windows\system32\services.exe[712] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00200F65
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00200F28
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 002000BF
.text C:\Windows\system32\services.exe[712] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00200F8A
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00200FD4
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00200FB9
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 0020009A
.text C:\Windows\system32\services.exe[712] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00200062
.text C:\Windows\system32\services.exe[712] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00200040
.text C:\Windows\system32\services.exe[712] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00200051
.text C:\Windows\system32\services.exe[712] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 0020001B
.text C:\Windows\system32\services.exe[712] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00200089
.text C:\Windows\system32\services.exe[712] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 002000DA
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00200FE5
.text C:\Windows\system32\services.exe[712] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00200000
.text C:\Windows\system32\services.exe[712] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00200F43
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 007D0036
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 007D0025
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 007D0FEF
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 007D0F9E
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 007D0F79
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 007D0FC3
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 007D0FD4
.text C:\Windows\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 007D0014
.text C:\Windows\system32\services.exe[712] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 007E0FA6
.text C:\Windows\system32\services.exe[712] msvcrt.dll!system 770D804B 5 Bytes JMP 007E0FC1
.text C:\Windows\system32\services.exe[712] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 007E0FD2
.text C:\Windows\system32\services.exe[712] msvcrt.dll!_open 770DD106 5 Bytes JMP 007E0FE3
.text C:\Windows\system32\services.exe[712] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 007E0027
.text C:\Windows\system32\services.exe[712] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 007E0000
.text C:\Windows\system32\services.exe[712] WS2_32.dll!socket 778336D1 5 Bytes JMP 00830000
.text C:\Windows\system32\lsass.exe[784] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 000B0000
.text C:\Windows\system32\lsass.exe[784] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 000B0FCA
.text C:\Windows\system32\lsass.exe[784] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 000B0FE5
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00090F23
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00090F3E
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 000900BA
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 0009009F
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 0009004E
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00090FCA
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00090FAF
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00090F4F
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 0009003D
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00090F94
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 0009002C
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 0009001B
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 0009005F
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00090F08
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00090000
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00090FEF
.text C:\Windows\system32\lsass.exe[784] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00090084
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 001B0F86
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 001B0FA8
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 001B0FE5
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 001B0F97
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 001B0F75
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 001B0FB9
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 001B0FD4
.text C:\Windows\system32\lsass.exe[784] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 001B000A
.text C:\Windows\system32\lsass.exe[784] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 001C0049
.text C:\Windows\system32\lsass.exe[784] msvcrt.dll!system 770D804B 5 Bytes JMP 001C0038
.text C:\Windows\system32\lsass.exe[784] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 001C0016
.text C:\Windows\system32\lsass.exe[784] msvcrt.dll!_open 770DD106 5 Bytes JMP 001C0FEF
.text C:\Windows\system32\lsass.exe[784] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 001C0027
.text C:\Windows\system32\lsass.exe[784] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 001C0FD2
.text C:\Windows\system32\lsass.exe[784] WS2_32.dll!socket 778336D1 5 Bytes JMP 001D0000
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 001C0F52
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 001C0F6D
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 001C0F0B
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 001C0F1C
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 001C007D
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 001C0FE5
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 001C0FD4
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 001C0F88
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 001C006C
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 001C0040
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 001C005B
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 001C0FC3
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 001C0098
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 001C00C7
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 001C001B
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 001C0000
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 001C0F37
.text C:\Windows\system32\svchost.exe[944] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00380FA3
.text C:\Windows\system32\svchost.exe[944] msvcrt.dll!system 770D804B 5 Bytes JMP 0038002E
.text C:\Windows\system32\svchost.exe[944] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 0038001D
.text C:\Windows\system32\svchost.exe[944] msvcrt.dll!_open 770DD106 5 Bytes JMP 00380000
.text C:\Windows\system32\svchost.exe[944] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00380FBE
.text C:\Windows\system32\svchost.exe[944] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00380FE3
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00220FA8
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00220FD4
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00220000
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00220FC3
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00220065
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00220036
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00220025
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00220FE5
.text C:\Windows\system32\svchost.exe[944] WS2_32.dll!socket 778336D1 5 Bytes JMP 003D0FEF
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 001E0025
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 001D0080
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 001D006F
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 001D0EE9
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 001D0F04
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 001D0F55
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 001D0FB9
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 001D0F9E
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 001D0F44
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 001D002F
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 001D0F83
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 001D0F72
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 001D004A
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 001D0ECE
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 001D0FCA
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 001D0FE5
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 001D0F15
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00200FAD
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!system 770D804B 5 Bytes JMP 00200FBE
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00200FE3
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_open 770DD106 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 0020002E
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 0020001D
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 001F005E
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 001F0039
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 001F0FE5
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 001F0FB2
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 001F0FA1
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 001F0FD4
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 001F0FC3
.text C:\Windows\system32\svchost.exe[1004] WS2_32.dll!socket 778336D1 5 Bytes JMP 00210000
.text C:\Windows\System32\svchost.exe[1044] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 002E0FEF
.text C:\Windows\System32\svchost.exe[1044] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 002E000A
.text C:\Windows\System32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 002E0FD4
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 002D0091
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 002D0076
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 002D00C7
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 002D00A2
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 002D0F70
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 002D0FDE
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 002D002F
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 002D0F4B
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 002D004A
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 002D0FA8
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 002D0F97
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 002D0FC3
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 002D005B
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 002D0F15
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 002D0014
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 002D0FEF
.text C:\Windows\System32\svchost.exe[1044] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 002D0F26
.text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00780051
.text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!system 770D804B 5 Bytes JMP 00780040
.text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00780FD7
.text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_open 770DD106 5 Bytes JMP 00780000
.text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00780FC6
.text C:\Windows\System32\svchost.exe[1044] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00780011
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00770F8D
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00770FAF
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00770000
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00770F9E
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 0077004A
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00770011
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00770FDB
.text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00770FC0
.text C:\Windows\System32\svchost.exe[1044] WS2_32.dll!socket 778336D1 5 Bytes JMP 0079000A
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00810FE5
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00810FD4
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 0081000A
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 007C0F68
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 007C00AE
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 007C00EE
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 007C0F57
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 007C0078
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 007C001B
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 007C0FCA
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 007C0093
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 007C0F9E
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 007C0047
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 007C0FAF
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 007C0036
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 007C0F8D
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 007C00FF
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 007C000A
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 007C0FE5
.text C:\Windows\System32\svchost.exe[1132] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 007C00C9
.text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00DF0FAF
.text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!system 770D804B 5 Bytes JMP 00DF003A
.text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00DF0029
.text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_open 770DD106 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00DF0FD4
.text C:\Windows\System32\svchost.exe[1132] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00DF000C
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00730FD1
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00730058
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00730000
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00730069
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00730FC0
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00730022
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00730011
.text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 0073003D
.text C:\Windows\System32\svchost.exe[1132] WS2_32.dll!socket 778336D1 5 Bytes JMP 01100000
.text C:\Windows\System32\svchost.exe[1200] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 009D0000
.text C:\Windows\System32\svchost.exe[1200] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 009D0FE5
.text C:\Windows\System32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 009D0011
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 009C0F21
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 009C0F3C
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 009C0093
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 009C0EFC
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 009C0F5E
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 009C0000
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 009C0FA5
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 009C005D
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 009C0038
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 009C0F79
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 009C001B
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 009C0F8A
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 009C0F4D
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 009C00AE
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 009C0FD4
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 009C0FE5
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 009C0082
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 009F0FA1
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!system 770D804B 5 Bytes JMP 009F002C
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 009F0FD7
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_open 770DD106 5 Bytes JMP 009F0000
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 009F0FBC
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 009F0011
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 009E0047
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 009E002C
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 009E0000
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 009E0FA5
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 009E0F94
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 009E0FD4
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 009E0FE5
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 009E001B
.text C:\Windows\System32\svchost.exe[1200] WS2_32.dll!socket 778336D1 5 Bytes JMP 00DF0000
.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00DE0FEF
.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00DE0014
.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00DE0FDE
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00A000B8
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00A000A7
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00A000EE
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 00A000DD
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00A00F9E
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00A00025
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00A00036
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00A00F7C
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00A00FB9
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00A00FD4
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00A00076
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00A0005B
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00A00F8D
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00A00F46
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7736B0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00A00FEF
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00A00000
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00A00F61
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 0100003A
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!system 770D804B 5 Bytes JMP 01000FB9
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 01000029
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_open 770DD106 5 Bytes JMP 01000000
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 01000FD4
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 01000FEF
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00DF0F94
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00DF0FC0
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00DF000A
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00DF0FAF
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00DF0051
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00DF0036
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00DF001B
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00DF0FDB
.text C:\Windows\system32\svchost.exe[1220] WS2_32.dll!socket 778336D1 5 Bytes JMP 01190FEF
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00290000
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00290022
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00290011
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 0028008C
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00280F46
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00280F10
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 0028009D
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00280F97
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 0028001B
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00280036
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00280F61
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00280FA8
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00280FC3
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00280065
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00280FD4
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00280F7C
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00280EF5
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00280FE5
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00280000
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00280F21
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00190FB7
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!system 770D804B 5 Bytes JMP 00190042
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00190027
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_open 770DD106 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00190FD2
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 0019000C
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 0018005B
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00180036
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00180FEF
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00180FAF
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00180FDE
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00180025
.text C:\Windows\system32\svchost.exe[1324] WS2_32.dll!socket 778336D1 5 Bytes JMP 00830000
.text C:\Windows\system32\svchost.exe[1388] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 01000000
.text C:\Windows\system32\svchost.exe[1388] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 01000FC0
.text C:\Windows\system32\svchost.exe[1388] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 01000FE5
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00DF0076
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00DF0F30
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00DF00B3
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 00DF00A2
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00DF0040
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00DF0FB9
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00DF0FA8
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00DF0065
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00DF002F
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00DF0014
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00DF0F72
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00DF0F97
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00DF0F55
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00DF0F01
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00DF0FD4
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00DF0FEF
.text C:\Windows\system32\svchost.exe[1388] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00DF0087
.text C:\Windows\system32\svchost.exe[1388] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00DA0049
.text C:\Windows\system32\svchost.exe[1388] msvcrt.dll!system 770D804B 5 Bytes JMP 00DA0038
.text C:\Windows\system32\svchost.exe[1388] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00DA0FC8
.text C:\Windows\system32\svchost.exe[1388] msvcrt.dll!_open 770DD106 5 Bytes JMP 00DA0FEF
.text C:\Windows\system32\svchost.exe[1388] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00DA0027
.text C:\Windows\system32\svchost.exe[1388] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00DA0000
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00990FC3
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00990040
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00990000
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00990065
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00990FB2
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00990025
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00990FE5
.text C:\Windows\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00990FD4
.text C:\Windows\system32\svchost.exe[1388] WS2_32.dll!socket 778336D1 5 Bytes JMP 01010FEF
.text C:\Windows\system32\svchost.exe[1388] WinInet.dll!InternetOpenA 7613D698 5 Bytes JMP 00D3000A
.text C:\Windows\system32\svchost.exe[1388] WinInet.dll!InternetOpenW 7613DB11 5 Bytes JMP 00D30FEF
.text C:\Windows\system32\svchost.exe[1388] WinInet.dll!InternetOpenUrlA 7613F3AC 5 Bytes JMP 00D30FD4
.text C:\Windows\system32\svchost.exe[1388] WinInet.dll!InternetOpenUrlW 76186D6F 5 Bytes JMP 00D30FAF
.text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00A10FD4
.text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00A1000A
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00A000B1
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00A00F6B
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00A000CC
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 00A00F3F
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00A00F86
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00A0001B
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00A00FCA
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00A0008C
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00A00F97
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00A00FB9
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00A00FA8
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00A00036
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00A0007B
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00A000E7
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7736B0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00A00FEF
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00A0000A
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00A00F50
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 009B0042
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!system 770D804B 5 Bytes JMP 009B0FB7
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 009B0FD2
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_open 770DD106 5 Bytes JMP 009B0000
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 009B0027
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 009B0FE3
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 009A0FC0
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 009A0FDB
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 009A0000
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 009A0058
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 009A007D
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 009A002C
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 009A001B
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 009A0047
.text C:\Windows\system32\svchost.exe[1564] WS2_32.dll!socket 778336D1 5 Bytes JMP 00A70FE5
.text C:\Windows\system32\svchost.exe[1960] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00980FEF
.text C:\Windows\system32\svchost.exe[1960] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00980011
.text C:\Windows\system32\svchost.exe[1960] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00980000
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00970F38
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00970F49
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00970F0C
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 009700A3
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00970F6B
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00970014
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00970FB9
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00970F5A
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00970F7C
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00970F9E
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00970F8D
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00970025
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 0097006A
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00970EE7
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00970FDE
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00970FEF
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00970F27
.text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00810FCD
.text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!system 770D804B 5 Bytes JMP 0081004E
.text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00810033
.text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_open 770DD106 5 Bytes JMP 00810FEF
.text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00810FDE
.text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00810018
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 007E0F83
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 007E0FA5
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 007E0FEF
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 007E0F94
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 007E0040
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 007E000A
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 007E0FD4
.text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 007E001B
.text C:\Windows\system32\svchost.exe[1960] WS2_32.dll!socket 778336D1 5 Bytes JMP 00990000
.text C:\Windows\Explorer.EXE[1980] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 03590FEF
.text C:\Windows\Explorer.EXE[1980] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 0359001B
.text C:\Windows\Explorer.EXE[1980] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 03590000
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 03580F12
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 03580F23
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 03580EDC
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 03580069
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 0358002C
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 03580FC0
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 03580FAF
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 0358004E
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 03580F5E
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 03580F79
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 0358001B
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 03580F94
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 0358003D
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 0358008E
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 03580000
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 03580FEF
.text C:\Windows\Explorer.EXE[1980] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 03580EF7
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 03300FA8
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 03300039
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 03300FEF
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 0330004A
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 0330006F
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 03300FC3
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 03300FD4
.text C:\Windows\Explorer.EXE[1980] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 0330001E
.text C:\Windows\Explorer.EXE[1980] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 03570F9C
.text C:\Windows\Explorer.EXE[1980] msvcrt.dll!system 770D804B 5 Bytes JMP 03570FAD
.text C:\Windows\Explorer.EXE[1980] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 0357001D
.text C:\Windows\Explorer.EXE[1980] msvcrt.dll!_open 770DD106 5 Bytes JMP 03570000
.text C:\Windows\Explorer.EXE[1980] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 03570FC8
.text C:\Windows\Explorer.EXE[1980] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 03570FE3
.text C:\Windows\Explorer.EXE[1980] WININET.dll!InternetOpenA 7613D698 5 Bytes JMP 03560000
.text C:\Windows\Explorer.EXE[1980] WININET.dll!InternetOpenW 7613DB11 5 Bytes JMP 03560FE5
.text C:\Windows\Explorer.EXE[1980] WININET.dll!InternetOpenUrlA 7613F3AC 5 Bytes JMP 0356001B
.text C:\Windows\Explorer.EXE[1980] WININET.dll!InternetOpenUrlW 76186D6F 5 Bytes JMP 03560036
.text C:\Windows\Explorer.EXE[1980] WS2_32.dll!socket 778336D1 5 Bytes JMP 035A0000
.text C:\Windows\system32\svchost.exe[2068] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[2068] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00190FDE
.text C:\Windows\system32\svchost.exe[2068] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00190014
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 0018007B
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 0018006A
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 001800BB
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 00180F24
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00180F6B
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00180FB9
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00180FA8
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00180F49
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00180039
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00180F86
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00180028
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00180F97
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00180F5A
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00180F09
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00180FD4
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00180FE5
.text C:\Windows\system32\svchost.exe[2068] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00180096
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00170049
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!system 770D804B 5 Bytes JMP 00170038
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 0017001D
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_open 770DD106 5 Bytes JMP 00170000
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00170FC8
.text C:\Windows\system32\svchost.exe[2068] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00170FE3
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 0016002F
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00160014
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00160FE5
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00160F8D
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00160040
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00160FC3
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00160FD4
.text C:\Windows\system32\svchost.exe[2068] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00160FA8
.text C:\Windows\system32\svchost.exe[2068] WS2_32.dll!socket 778336D1 5 Bytes JMP 00300FEF
.text C:\Windows\system32\svchost.exe[2224] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00DE0000
.text C:\Windows\system32\svchost.exe[2224] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00DE0025
.text C:\Windows\system32\svchost.exe[2224] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00DE0FE5
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00D90054
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00D90F18
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 00D90EB3
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 00D90ECE
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00D90F55
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00D90FC3
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 00D90FA8
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 00D90F29
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00D90039
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00D90F7C
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00D90028
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 00D90F8D
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00D90F44
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00D90065
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 00D90FD4
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00D90FEF
.text C:\Windows\system32\svchost.exe[2224] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00D90EF3
.text C:\Windows\system32\svchost.exe[2224] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00D80FB4
.text C:\Windows\system32\svchost.exe[2224] msvcrt.dll!system 770D804B 5 Bytes JMP 00D8003F
.text C:\Windows\system32\svchost.exe[2224] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00D80FD9
.text C:\Windows\system32\svchost.exe[2224] msvcrt.dll!_open 770DD106 5 Bytes JMP 00D80000
.text C:\Windows\system32\svchost.exe[2224] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00D8002E
.text C:\Windows\system32\svchost.exe[2224] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00D8001D
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00D7005B
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 00D70040
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00D70000
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00D70FB9
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00D70076
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00D70FE5
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 00D7001B
.text C:\Windows\system32\svchost.exe[2224] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 00D70FCA
.text C:\Windows\system32\svchost.exe[2224] WS2_32.dll!socket 778336D1 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[2256] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 000C0000
.text C:\Windows\System32\svchost.exe[2256] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 000C002C
.text C:\Windows\System32\svchost.exe[2256] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 000C001B
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 000B0F9E
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 000B00E4
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 000B0110
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 000B0F79
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 000B0FB9
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 000B0025
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 000B0036
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 000B00D3
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 000B0087
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 000B0051
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 000B006C
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 000B0FCA
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 000B00B8
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 000B0F68
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateFileW 7736B0EB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 000B0FEF
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 000B000A
.text C:\Windows\System32\svchost.exe[2256] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 000B00FF
.text C:\Windows\System32\svchost.exe[2256] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 000A0051
.text C:\Windows\System32\svchost.exe[2256] msvcrt.dll!system 770D804B 5 Bytes JMP 000A0FC6
.text C:\Windows\System32\svchost.exe[2256] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 000A0022
.text C:\Windows\System32\svchost.exe[2256] msvcrt.dll!_open 770DD106 5 Bytes JMP 000A0000
.text C:\Windows\System32\svchost.exe[2256] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 000A0FD7
.text C:\Windows\System32\svchost.exe[2256] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 000A0011
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 00050FAF
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 0005002C
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 00050047
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 00050F9E
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 00050FCA
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[2256] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 0005001B
.text C:\Windows\System32\svchost.exe[2256] WS2_32.dll!socket 778336D1 5 Bytes JMP 000D0FE5
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2980] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 6ECC9A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2980] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 6ECC99A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5256] ntdll.dll!LdrLoadDll 776B93A8 5 Bytes JMP 00BE13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5576] USER32.dll!TrackPopupMenu 75EE14F3 5 Bytes JMP 64BC893B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\svchost.exe[5636] ntdll.dll!NtCreateFile 776F4224 5 Bytes JMP 00040FE5
.text C:\Windows\system32\svchost.exe[5636] ntdll.dll!NtCreateProcess 776F42E4 5 Bytes JMP 00040FB9
.text C:\Windows\system32\svchost.exe[5636] ntdll.dll!NtProtectVirtualMemory 776F4B84 5 Bytes JMP 00040FD4
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00010F74
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 000100BA
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreateProcessW 77321BF3 5 Bytes JMP 000100DF
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreateProcessA 77321C28 5 Bytes JMP 00010F48
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!VirtualProtect 77321DC3 5 Bytes JMP 00010069
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreateNamedPipeA 77322EF5 5 Bytes JMP 00010FCA
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreateNamedPipeW 77325C0C 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreatePipe 77348F06 5 Bytes JMP 0001009F
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!LoadLibraryExW 7734927C 5 Bytes JMP 00010058
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!LoadLibraryW 77349400 5 Bytes JMP 00010047
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!LoadLibraryExA 77349554 5 Bytes JMP 00010F9B
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!LoadLibraryA 7734957C 5 Bytes JMP 0001002C
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!VirtualProtectEx 7734DC52 5 Bytes JMP 00010084
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!GetProcAddress 7736925B 5 Bytes JMP 00010F2D
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreateFileW 7736B0EB 5 Bytes JMP 0001000A
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!CreateFileA 7736D07F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[5636] kernel32.dll!WinExec 773B60CF 5 Bytes JMP 00010F63
.text C:\Windows\system32\svchost.exe[5636] msvcrt.dll!_wsystem 770D7F2F 5 Bytes JMP 00060F8D
.text C:\Windows\system32\svchost.exe[5636] msvcrt.dll!system 770D804B 5 Bytes JMP 00060FA8
.text C:\Windows\system32\svchost.exe[5636] msvcrt.dll!_creat 770DBBE1 5 Bytes JMP 00060018
.text C:\Windows\system32\svchost.exe[5636] msvcrt.dll!_open 770DD106 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[5636] msvcrt.dll!_wcreat 770DD326 5 Bytes JMP 00060FC3
.text C:\Windows\system32\svchost.exe[5636] msvcrt.dll!_wopen 770DD501 5 Bytes JMP 00060FDE
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegCreateKeyExA 75FB39AB 5 Bytes JMP 000B0F83
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegCreateKeyA 75FB3BA9 5 Bytes JMP 000B0F9E
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegOpenKeyA 75FB89C7 5 Bytes JMP 000B0000
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegCreateKeyW 75FC391E 5 Bytes JMP 000B0025
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegCreateKeyExW 75FC41F1 5 Bytes JMP 000B004A
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegOpenKeyExA 75FC7C42 5 Bytes JMP 000B0FC0
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegOpenKeyW 75FCE2B5 5 Bytes JMP 000B0FE5
.text C:\Windows\system32\svchost.exe[5636] ADVAPI32.dll!RegOpenKeyExW 75FD7BA1 5 Bytes JMP 000B0FAF
.text C:\Windows\system32\svchost.exe[5636] WS2_32.dll!socket 778336D1 5 Bytes JMP 000C0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----




DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_27
Run by Cymande at 21:14:05 on 2011-09-23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.1156 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\4DEmbroidery\DesignerSECommuni.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110829225817.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DesignerSECommuni.exe] "c:\4dembroidery\DesignerSECommuni.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
uRun: [appapiInit] "rundll32.exe" "c:\users\cymande.cymande-pc\appdata\local\wincommssupport\appapiInit.dll",olenetWan winAuthenticationdsc
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [dscactivate] "c:\dell\dsca.exe" 3
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BrMfcWnd] "c:\program files\brother\brmfcmon\BrMfcWnd.exe" /AUTORUN
mRun: [ControlCenter3] "c:\program files\brother\controlcenter3\brctrcen.exe" /autorun
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LWS] "c:\program files\logitech\lws\webcam software\LWS.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\cymand~1.cym\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\ereg\eReg.exe
StartupFolder: c:\users\cymand~1.cym\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: adecco.com\*.xpert
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
TCP: Interfaces\{77C5ACE4-17FE-4958-B620-B4CFFC511825} : DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
TCP: Interfaces\{C259A12D-64BE-4682-8725-9B566DB10DA0} : DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cymande.cymande-pc\appdata\roaming\mozilla\firefox\profiles\dypooc45.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\users\cymande.cymande-pc\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\mcafee\SiteAdvisor
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-2 459728]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-5-29 21728]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-2 64648]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-2 163400]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-18 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-24 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-2 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-2 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-2 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-2 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-2 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-2 148520]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2011-5-29 272864]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-5-29 699896]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-2 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-2 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-2 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-2 337912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-2 85984]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2011-9-4 50704]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-24 01:53:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-23 23:06:45 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{147de17e-2714-405f-8b32-664c3cbdc860}\offreg.dll
2011-09-23 19:15:54 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{147de17e-2714-405f-8b32-664c3cbdc860}\mpengine.dll
2011-09-17 01:33:24 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-09-05 03:17:06 96784 ----a-w- c:\windows\system32\Packet.dll
2011-09-05 03:17:06 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-09-05 03:17:06 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-09-05 03:17:06 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-08-30 03:58:17 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-08-29 19:33:02 -------- d-----w- c:\users\cymande.cymande-pc\appdata\local\temp
2011-08-29 19:27:10 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-29 19:14:41 -------- d-----w- C:\ComboFix
2011-08-29 18:56:54 208896 ----a-w- c:\windows\MBR.exe
2011-08-29 18:56:51 518144 ----a-w- c:\windows\SWREG.exe
2011-08-29 18:56:51 256000 ----a-w- c:\windows\PEV.exe
2011-08-29 18:56:50 98816 ----a-w- c:\windows\sed.exe
2011-08-29 09:06:39 -------- d-----w- c:\program files\CCleaner
2011-08-29 01:33:54 -------- d-----w- c:\users\cymande.cymande-pc\appdata\local\winCommsSupport
2011-08-26 23:45:01 -------- d-----w- c:\program files\iPod
2011-08-26 23:44:55 -------- d-----w- c:\program files\iTunes
2011-08-26 23:32:19 -------- d-----w- c:\program files\Bonjour
2011-08-26 20:24:04 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 03:55:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-19 10:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 21:15:40.43 ===============

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 September 2011 - 10:18 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run aswMBR; let's see if a rootkit comes up.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 lovelocs

lovelocs
  • Topic Starter

  • Members
  • 18 posts

Posted 24 September 2011 - 11:56 AM

Hello Mole,
Thank you fior replying so quickly. I am most definitely here. I downloaded the software as you advised, and I have run it, but I did have two questions. 1. As I was downloading it, it says it is a standalone program, and will run better with avast! I declined to download avast! as it was not in your instructions as I understood them. 2. The directions I have read on this site are very specific about downloading things to the desktop. When I download things using Firefox, they go into a downloads file, and I drag and drop the items to the desktop. Don't know if this makes a difference. If I need to do or redo anything, please let me know. Here is the log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-24 11:52:50
-----------------------------
11:52:50.142 OS Version: Windows 6.0.6002 Service Pack 2
11:52:50.142 Number of processors: 2 586 0xF0D
11:52:50.143 ComputerName: CYMANDE-PC UserName: Cymande
11:52:51.156 Initialize success
11:52:57.294 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:52:57.298 Disk 0 Vendor: WDC_WD5000AAKS-75A7B0 01.03B01 Size: 476940MB BusType: 3
11:52:59.324 Disk 0 MBR read successfully
11:52:59.327 Disk 0 MBR scan
11:52:59.330 Disk 0 Windows VISTA default MBR code
11:52:59.335 Disk 0 scanning sectors +976771072
11:52:59.488 Disk 0 scanning C:\Windows\system32\drivers
11:53:06.760 Service scanning
11:53:08.313 Modules scanning
11:53:12.965 Disk 0 trace - called modules:
11:53:12.987 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
11:53:12.997 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85849800]
11:53:13.000 3 CLASSPNP.SYS[880118b3] -> nt!IofCallDriver -> [0x8465c1d8]
11:53:13.004 5 acpi.sys[806916bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x846648a0]
11:53:13.010 Scan finished successfully
11:53:46.030 Disk 0 MBR has been saved successfully to "C:\Users\Cymande.Cymande-PC\Desktop\MBR.dat"
11:53:46.042 The log file has been saved successfully to "C:\Users\Cymande.Cymande-PC\Desktop\aswMBR.txt"




Thank you.

Edited by lovelocs, 24 September 2011 - 12:53 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:31 AM

Posted 24 September 2011 - 02:23 PM

Please run OTL, this is a scanner

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE
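For readers following along: the OTL scan m0le asks for lists every autostart entry in its O4 section, and the usual first triage pass is to look at the Run-key lines for a missing publisher, a user-profile path, or a DLL loaded directly from a Run value. The script below is an added example, not part of this thread and not OTL's own code; the sample lines are constructed in OTL's O4 format (the names, paths and "exampleInit" entry are made up for illustration), and the three heuristics are an assumption about what is worth a second look, not a verdict that an entry is malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on OTL's O4 output format (not taken from a real machine).
SAMPLE_O4_LINES = r"""
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKCU..\Run: [exampleInit] C:\Users\Example\AppData\Local\exampleSupport\exampleInit.dll ()
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Example\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Example.lnk = C:\Program Files\Example\quickstart.exe ()
"""

# Matches the "O4 - HKxx..\Run: [value name] path (Company)" form; Startup-folder
# shortcut lines use a different layout and are deliberately skipped here.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?) \((?P<company>[^()]*)\)\s*$"
)


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    company: str
    flags: list = field(default_factory=list)


def parse_o4_run(text: str) -> list:
    """Parse the HKLM/HKCU Run-key lines out of an OTL O4 section."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        entries.append(RunEntry(m["hive"], m["name"], m["path"], m["company"].strip()))
    return entries


def flag_entry(entry: RunEntry) -> list:
    """Apply three triage heuristics (assumed, not OTL's own rules) and record what fired."""
    path = entry.path.lower()
    if not entry.company:
        # OTL prints an empty () when the file carries no company name in its version info.
        entry.flags.append("no publisher")
    if "\\appdata\\" in path:
        # Legitimate software rarely autostarts from a per-user AppData folder.
        entry.flags.append("runs from user profile AppData")
    if path.endswith(".dll"):
        # A Run value normally names an .exe; a bare DLL here is unusual.
        entry.flags.append("Run value points at a DLL, not an executable")
    return entry.flags


def triage(text: str) -> list:
    """Return only the entries that tripped at least one heuristic, most flags first."""
    flagged = [e for e in parse_o4_run(text) if flag_entry(e)]
    return sorted(flagged, key=lambda e: len(e.flags), reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"{e.hive} [{e.name}] {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

Run it against a saved OTL.txt by passing the file contents to triage(); on the constructed sample only the exampleInit entry is reported, with all three heuristics firing. A hit is a reason to look the file up, not proof of infection, which is why the thread's helpers ask for the full log rather than acting on one line.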

#7 lovelocs

lovelocs
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 24 September 2011 - 07:30 PM

OTL.txt

OTL logfile created on: 9/24/2011 7:17:51 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = c:\Users\Cymande.Cymande-PC\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19120)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.29 Gb Available Physical Memory | 65.03% Memory free
4.22 Gb Paging File | 2.93 Gb Available in Paging File | 69.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.72 Gb Total Space | 357.41 Gb Free Space | 78.43% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.73 Gb Free Space | 47.29% Space Free | Partition Type: NTFS
Drive E: | 47.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 3.73 Gb Total Space | 3.72 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: CYMANDE-PC | User Name: Cymande | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - c:\Users\Cymande.Cymande-PC\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe ()
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe ()
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
PRC - C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe ()
PRC - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\4DEmbroidery\DesignerSECommuni.exe (VSM Group AB)
PRC - C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe (Brother Industries, Ltd.)


========== Modules (No Company Name) ==========

MOD - C:\Users\Cymande.Cymande-PC\AppData\Local\winCommsSupport\appapiInit.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Common Files\LogiShrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll ()
MOD - C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe ()
MOD - C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe ()
MOD - C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
MOD - C:\Program Files\NETGEAR\WNDA3100v2\WifiSvcLib.dll ()
MOD - C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll ()
MOD - C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll ()
MOD - C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll ()
MOD - C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll ()
MOD - C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll ()
MOD - C:\Program Files\Yahoo!\Messenger\yui.dll ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()


========== Win32 Services (SafeList) ==========

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (UMVPFSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe ()
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (WSWNDA3100) -- C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe ()
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (WinHttpAutoProxySvc) -- winhttp.dll (Microsoft Corporation)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()


========== Driver Services (SafeList) ==========

DRV - (LVUVC) Logitech Webcam C260(UVC) -- C:\Windows\System32\drivers\lvuvc.sys (Logitech Inc.)
DRV - (LVRS) -- C:\Windows\System32\drivers\lvrs.sys (Logitech Inc.)
DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\Windows\System32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfewfpk) -- C:\Windows\System32\drivers\mfewfpk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\Windows\System32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\Windows\System32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfenlfk) -- C:\Windows\System32\drivers\mfenlfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\Windows\System32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (lvpopflt) -- C:\Windows\System32\drivers\lvpopflt.sys (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\Windows\System32\drivers\LVPr2Mon.sys ()
DRV - (NPF) -- C:\Windows\System32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (BCMH43XX) -- C:\Windows\System32\drivers\bcmwlhigh6.sys (Broadcom Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (NWADI) -- C:\Windows\System32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (NWUSBPort2) -- C:\Windows\System32\drivers\nwusbser2.sys (Novatel Wireless Inc.)
DRV - (NWUSBPort) -- C:\Windows\System32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\Windows\System32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (dsunidrv) -- C:\Windows\System32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (SCMNdisP) -- C:\Windows\system32\DRIVERS\scmndisp.sys (Windows ® Codename Longhorn DDK provider)
DRV - (Hardlock) -- C:\Windows\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (aksusb) -- C:\Windows\System32\drivers\aksusb.sys (Aladdin Knowledge Systems Ltd.)
DRV - (akshasp) -- C:\Windows\System32\drivers\akshasp.sys (Aladdin Knowledge Systems Ltd.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.2.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}:6.0.19
FF - prefs.js..extensions.enabledItems: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.5.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}:6.0.27
FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.22
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Users\Cymande.Cymande-PC\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/03 15:41:09 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/09/21 12:25:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/09 10:27:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/09 10:27:30 | 000,000,000 | ---D | M]

[2008/12/18 01:03:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\mozilla\Extensions
[2008/12/18 01:03:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2011/09/24 14:30:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\mozilla\Firefox\Profiles\dypooc45.default\extensions
[2010/04/27 21:20:12 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\mozilla\Firefox\Profiles\dypooc45.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/18 20:17:06 | 000,000,000 | ---D | M] (LeechBlock) -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\mozilla\Firefox\Profiles\dypooc45.default\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
[2011/08/29 13:06:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/09 10:27:30 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/07 20:34:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/09/28 13:31:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/11/21 17:36:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2010/04/06 22:40:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
[2010/04/22 19:50:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/06 14:19:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/05 00:33:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/11 02:25:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/23 23:20:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/30 14:56:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/08/29 12:56:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
[2011/09/21 12:25:50 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/05/31 01:55:30 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/09 10:27:24 | 000,025,048 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2011/09/09 10:27:24 | 000,140,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/07/19 05:05:25 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/02/06 12:44:28 | 001,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2011/08/17 22:51:43 | 000,066,520 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2008/10/14 22:33:30 | 000,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2011/08/26 18:26:27 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2011/08/26 18:26:27 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2011/08/26 18:26:27 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2011/08/26 18:26:27 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2011/08/26 18:26:27 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2011/08/26 18:26:27 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2011/08/26 18:26:28 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2011/06/30 12:30:51 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2011/06/30 12:30:51 | 000,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2011/06/30 12:30:51 | 000,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2011/06/30 12:30:51 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2011/06/30 12:30:51 | 000,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2011/06/30 12:30:52 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2011/06/30 12:30:52 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2011/08/29 14:27:04 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110829225817.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [dscactivate] c:\dell\dsca.exe ( )
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKCU..\Run: [appapiInit] C:\Users\Cymande.Cymande-PC\AppData\Local\winCommsSupport\appapiInit.dll ()
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DesignerSECommuni.exe] C:\4DEmbroidery\DesignerSECommuni.exe (VSM Group AB)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = C:\Program Files\Logitech\Ereg\eReg.exe (Leader Technologies/Logitech)
O4 - Startup: C:\Users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: adecco.com ([*.xpert] http in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 216.114.0.3 216.114.0.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{77C5ACE4-17FE-4958-B620-B4CFFC511825}: DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C259A12D-64BE-4682-8725-9B566DB10DA0}: DhcpNameServer = 216.114.0.3 216.114.0.5
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\Windows\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\Windows\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O29 - HKLM SecurityProviders - (credssp.dll) -credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) -C:\Windows\System32\TSpkg.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/10/01 01:14:36 | 000,358,880 | R--- | M] (NETGEAR Inc.) - E:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/05/29 03:27:40 | 000,000,047 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/24 11:42:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/09/23 20:53:07 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/19 03:20:42 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/09/04 22:17:06 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\System32\wpcap.dll
[2011/09/04 22:17:06 | 000,096,784 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\System32\Packet.dll
[2011/09/04 22:17:06 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\System32\drivers\npf.sys
[2011/08/29 14:33:02 | 000,000,000 | ---D | C] -- C:\Users\Cymande.Cymande-PC\AppData\Local\temp
[2011/08/29 14:27:10 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/08/29 14:14:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/08/29 14:14:41 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/08/29 13:56:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/08/29 13:56:50 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/08/29 13:56:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/08/29 13:55:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/29 13:06:29 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/08/29 13:06:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/08/29 13:06:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/08/29 04:06:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/08/28 20:33:54 | 000,000,000 | ---D | C] -- C:\Users\Cymande.Cymande-PC\AppData\Local\winCommsSupport
[2011/08/26 18:47:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/08/26 18:45:01 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/08/26 18:44:55 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/08/26 18:32:19 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/08/26 18:26:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/08/26 15:29:50 | 001,406,768 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Cymande.Cymande-PC\Desktop\killer.exe
[2011/08/26 15:24:04 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

========== Files - Modified Within 30 Days ==========

[2011/09/24 17:39:56 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 17:39:56 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 11:53:46 | 000,000,512 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\MBR.dat
[2011/09/24 11:41:08 | 000,000,915 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
[2011/09/24 11:39:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/24 11:39:54 | 2136,133,632 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/23 22:03:24 | 000,302,592 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\gmer.exe
[2011/09/23 20:54:52 | 217,730,013 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/09/23 20:53:07 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/17 04:34:28 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/09/17 04:34:28 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/09/17 01:34:40 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/17 00:56:19 | 000,302,592 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\tbiozf61.exe
[2011/09/11 12:49:06 | 000,119,438 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\Neroli-Application.pdf
[2011/09/07 00:25:51 | 000,000,966 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk
[2011/09/07 00:25:51 | 000,000,948 | ---- | M] () -- C:\Users\Public\Desktop\NETGEAR WNDA3100v2 Smart Wizard.lnk
[2011/09/04 22:19:29 | 000,000,948 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\NETGEAR WNDA3100v2 Smart Wizard.lnk
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/08/29 14:27:04 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/08/29 14:26:39 | 000,336,848 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/08/29 07:11:42 | 000,067,930 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Documents\cc_20110829_071114.reg
[2011/08/29 04:18:48 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/08/28 18:15:32 | 000,002,831 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\.recently-used.xbel
[2011/08/28 18:12:19 | 000,004,765 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\corner stain.jpg
[2011/08/28 18:09:18 | 000,038,892 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\Geometric Free Pattern1.jpg
[2011/08/26 18:47:04 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/08/26 18:26:08 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2011/08/26 15:29:58 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Cymande.Cymande-PC\Desktop\killer.exe
[2011/08/26 15:27:25 | 000,000,876 | ---- | M] () -- C:\Users\Cymande.Cymande-PC\Desktop\iExplore - Shortcut.lnk

========== Files Created - No Company Name ==========

[2011/09/24 11:53:46 | 000,000,512 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Desktop\MBR.dat
[2011/09/24 11:41:08 | 000,000,915 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
[2011/09/19 03:20:34 | 217,730,013 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/09/17 01:34:40 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/17 00:56:19 | 000,302,592 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Desktop\tbiozf61.exe
[2011/09/11 12:49:06 | 000,119,438 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Desktop\Neroli-Application.pdf
[2011/09/04 22:19:29 | 000,000,948 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\NETGEAR WNDA3100v2 Smart Wizard.lnk
[2011/09/04 22:17:06 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2011/09/04 22:17:05 | 000,000,948 | ---- | C] () -- C:\Users\Public\Desktop\NETGEAR WNDA3100v2 Smart Wizard.lnk
[2011/08/30 23:49:43 | 2136,133,632 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/29 13:56:54 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/08/29 13:56:51 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/08/29 13:56:51 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/08/29 13:56:51 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/08/29 13:56:50 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/08/29 07:11:17 | 000,067,930 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Documents\cc_20110829_071114.reg
[2011/08/29 04:18:48 | 000,000,806 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/08/28 18:15:32 | 000,002,831 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\.recently-used.xbel
[2011/08/28 18:12:17 | 000,004,765 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Desktop\corner stain.jpg
[2011/08/28 18:09:13 | 000,038,892 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Desktop\Geometric Free Pattern1.jpg
[2011/08/26 18:47:04 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/08/26 18:26:08 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2011/08/26 15:27:25 | 000,000,876 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\Desktop\iExplore - Shortcut.lnk
[2011/04/01 00:07:02 | 010,877,272 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll
[2011/04/01 00:07:02 | 000,102,744 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe
[2011/04/01 00:06:56 | 000,331,608 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll
[2011/03/31 23:56:00 | 000,027,872 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2011/03/22 23:58:22 | 000,014,168 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
[2010/05/07 18:43:30 | 000,025,824 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2010/03/27 09:28:39 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2010/03/27 09:28:39 | 000,000,027 | ---- | C] () -- C:\Windows\BRPP2KA.INI
[2010/03/27 09:25:23 | 000,000,213 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2010/03/27 09:25:23 | 000,000,094 | ---- | C] () -- C:\Windows\brpcfx.ini
[2010/03/27 09:25:23 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf06a.dat
[2010/03/27 09:20:10 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2009/10/21 02:34:57 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/10/21 02:34:56 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/02/26 01:41:29 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
[2009/01/07 08:17:43 | 000,007,680 | ---- | C] () -- C:\Users\Cymande.Cymande-PC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/27 01:38:42 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/12/11 14:51:06 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/12/11 14:51:06 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/12/11 14:51:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/12/11 14:51:06 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/12/11 14:51:04 | 000,876,544 | ---- | C] () -- C:\Windows\System32\TEACico2.dll
[2006/11/10 08:26:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,336,848 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/09/21 00:02:32 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/21 00:02:32 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll

========== LOP Check ==========

[2011/01/06 02:58:08 | 000,000,000 | ---D | M] -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\Audacity
[2011/09/17 01:17:10 | 000,000,000 | ---D | M] -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\gtk-2.0
[2011/07/16 00:57:45 | 000,000,000 | ---D | M] -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\Leadertech
[2008/12/22 16:41:23 | 000,000,000 | ---D | M] -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\OpenOffice.org
[2008/12/17 23:25:17 | 000,000,000 | ---D | M] -- C:\Users\Cymande.Cymande-PC\AppData\Roaming\Smith Micro
[2011/09/24 00:06:44 | 000,032,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#8 lovelocs

  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 24 September 2011 - 07:31 PM

Extras.txt


OTL Extras logfile created on: 9/24/2011 7:17:51 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = c:\Users\Cymande.Cymande-PC\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19120)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.29 Gb Available Physical Memory | 65.03% Memory free
4.22 Gb Paging File | 2.93 Gb Available in Paging File | 69.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.72 Gb Total Space | 357.41 Gb Free Space | 78.43% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.73 Gb Free Space | 47.29% Space Free | Partition Type: NTFS
Drive E: | 47.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 3.73 Gb Total Space | 3.72 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: CYMANDE-PC | User Name: Cymande | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{25263D90-ADCB-43BE-AE2B-C18F6B043DDC}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{2C19B0CD-2684-4900-9F1C-93B778FCDC5E}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{3D85C9E1-E89F-42DB-9554-4CE6CA104700}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{5A6B4131-1740-4302-91A4-DA9FC0F054D4}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{7B4913A8-638D-491C-8293-511EA47E5A26}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{993B181B-F43E-44A5-802E-8604E0C7349C}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{C0FE4C49-6CA6-4141-B1BB-AD311D2CDA8C}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{C8F54C5D-9D5F-466C-A359-B46BC64CF036}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{CE5D080A-CEC3-4361-AED7-60819A2188E5}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{D3398092-6C40-4475-AD39-BFD7DA5B02EA}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{ECBEDF60-C541-42D5-B2C1-625026805CF1}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{171B351E-A25C-4DEA-AC00-6B0B7B826810}" = 4D Embroidery System 8.0
"{174A3B31-4C43-43DD-866F-73C9DB887B48}" = LWS Twitter
"{190D0C6E-C8A7-4019-8FB5-FD041EC1F2D2}" = Mobile Broadband Drivers
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{255909FA-8E58-4BC2-A83A-3C71EB5DD6EC}" = EarthLink Setup Files
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 27
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C7839E7-21F4-49E0-B4D5-AC8ED818CCB0}" = NETGEAR WNDA3100v2 wireless USB 2.0 adapter
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.11.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}" = Brother MFL-Pro Suite
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}" = Dell Support Center
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{D4EA1B09-400B-442C-809B-9067B014D7EC}" = 32-bit VSM Device Drivers
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D7769185-9A7C-48D4-8874-5388743A1DE2}" = Music, Photos & Videos Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.7 (Unicode)
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_HSF" = Conexant D850 PCI V.92 Modem
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.22)" = Mozilla Firefox (3.6.22)
"MSC" = McAfee AntiVirus Plus
"Plant Tycoon" = Plant Tycoon 1.0
"PROSetDX" = Intel® PRO Network Connections 12.1.11.0
"WinGimp-2.0_is1" = GIMP 2.6.3
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/1/2011 9:38:22 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 17737673

Error - 8/1/2011 9:38:23 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/1/2011 9:38:23 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 17738671

Error - 8/1/2011 9:38:23 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 17738671

Error - 8/1/2011 9:38:24 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/1/2011 9:38:24 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 17739669

Error - 8/1/2011 9:38:24 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 17739669

Error - 8/1/2011 9:38:25 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/1/2011 9:38:25 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 17740668

Error - 8/1/2011 9:38:25 AM | Computer Name = Cymande-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 17740668

[ System Events ]
Error - 9/11/2011 5:26:36 PM | Computer Name = Cymande-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 9/12/2011 11:09:32 AM | Computer Name = Cymande-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.3.103 for the Network Card with network
address C43DC7C8ADE1 has been denied by the DHCP server 192.168.3.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/12/2011 1:16:19 PM | Computer Name = Cymande-PC | Source = DCOM | ID = 10010
Description =

Error - 9/12/2011 1:16:30 PM | Computer Name = Cymande-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 9/12/2011 1:16:31 PM | Computer Name = Cymande-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 9/17/2011 2:34:47 AM | Computer Name = Cymande-PC | Source = DCOM | ID = 10010
Description =

Error - 9/17/2011 5:28:41 AM | Computer Name = Cymande-PC | Source = DCOM | ID = 10010
Description =

Error - 9/19/2011 4:20:46 AM | Computer Name = Cymande-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 3:17:29 AM on 9/19/2011 was unexpected.

Error - 9/23/2011 9:54:59 PM | Computer Name = Cymande-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:53:42 PM on 9/23/2011 was unexpected.

Error - 9/24/2011 6:18:25 PM | Computer Name = Cymande-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.3.101 for the Network Card with network
address C43DC7C8ADE1 has been denied by the DHCP server 192.168.3.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 September 2011 - 08:27 PM

Please run Combofix next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#10 lovelocs

  • Topic Starter
  • Members
  • 18 posts

Posted 26 September 2011 - 02:16 PM

ComboFix log

ComboFix 11-09-26.02 - Cymande 09/26/2011 13:50:18.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.1178 [GMT -5:00]
Running from: c:\users\Cymande.Cymande-PC\Desktop\comfix.exe.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))
.
.
2011-09-26 18:59 . 2011-09-26 18:59 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{147DE17E-2714-405F-8B32-664C3CBDC860}\offreg.dll
2011-09-26 18:57 . 2011-09-26 19:00 -------- d-----w- c:\users\Cymande.Cymande-PC\AppData\Local\temp
2011-09-26 18:57 . 2011-09-26 18:57 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-09-26 18:57 . 2011-09-26 18:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-26 18:57 . 2011-09-26 18:57 -------- d-----w- c:\users\Cymande\AppData\Local\temp
2011-09-24 01:53 . 2011-09-24 01:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-23 19:15 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{147DE17E-2714-405F-8B32-664C3CBDC860}\mpengine.dll
2011-09-17 01:33 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-29 19:14 . 2011-09-26 18:34 -------- d-----w- C:\ComboFix
2011-08-29 09:06 . 2011-08-29 09:18 -------- d-----w- c:\program files\CCleaner
2011-08-29 01:33 . 2011-08-29 01:33 -------- d-----w- c:\users\Cymande.Cymande-PC\AppData\Local\winCommsSupport
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 22:00 . 2010-09-11 00:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 03:55 . 2011-06-28 02:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-23 11:04 . 2011-08-09 22:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00 . 2011-08-09 22:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59 . 2011-08-09 22:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59 . 2011-08-09 22:54 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59 . 2011-08-09 22:54 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03 . 2011-08-09 22:54 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27 . 2011-08-09 22:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25 . 2011-08-09 22:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-19 10:05 . 2010-04-23 00:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-16 05:57 . 2011-07-16 05:57 53248 ----a-r- c:\users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-11 13:25 . 2011-08-26 20:24 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31 . 2011-08-09 22:55 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-05-31 06:55 . 2011-05-31 06:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-08-03 03:21 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DesignerSECommuni.exe"="c:\4dembroidery\DesignerSECommuni.exe" [2007-01-15 94208]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"appapiInit"="c:\users\Cymande.Cymande-PC\AppData\Local\winCommsSupport\appapiInit.dll" [2011-08-29 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-11-25 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
c:\users\Cymande.Cymande-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\Ereg\eReg.exe [2009-11-16 517384]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-17 50688]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2011-5-29 4577760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 0082031317062521mcinstcleanup;McAfee Application Installer Cleanup (0082031317062521);c:\users\CYMAND~1.CYM\AppData\Local\Temp\008203~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [2010-08-19 272864]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2007-04-19 99200]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-04-01 428640]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: adecco.com\*.xpert
TCP: DhcpNameServer = 216.114.0.3 216.114.0.5 192.168.1.254
FF - ProfilePath - c:\users\Cymande.Cymande-PC\AppData\Roaming\Mozilla\Firefox\Profiles\dypooc45.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-26 14:01
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-09-26 14:05:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-26 19:05
ComboFix2.txt 2011-08-29 19:33
.
Pre-Run: 383,997,657,088 bytes free
Post-Run: 384,116,994,048 bytes free
.
- - End Of File - - E7F215EC2FB9AB0D8A0D4FB059F02B83
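
The "Reg Loading Points" section of the ComboFix log above is where the entry that matters first appears: a DLL registered as an HKCU Run value from a user's AppData\Local folder (the same appapiInit.dll that MBAM later reports). As an added example, not part of this thread or of any of the tools used in it, here is a small Python triage script that parses Run-key lines in ComboFix's format and flags the patterns a responder looks for (DLL as a Run value, target under a user profile's AppData, target under a Temp directory); the sample lines are copied from the log above.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log (added example).

Parses Run-key lines in the format ComboFix prints, e.g.

    "Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2009-04-11 1233920]

and flags autostart entries that match common persistence patterns.
"""
import re
from dataclasses import dataclass
from typing import List

# One Run-key value line: "Name"="path" [YYYY-MM-DD size]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]'
)


@dataclass
class RunEntry:
    key: str        # registry key the value lives under
    name: str       # value name
    path: str       # target path as ComboFix printed it
    date: str       # file date ComboFix reports
    size: int       # file size in bytes
    flags: List[str]


def assess(path: str) -> List[str]:
    """Return the reasons an autostart target looks suspicious (empty list = none)."""
    p = path.lower()
    flags = []
    if p.endswith(".dll"):                       # a DLL in Run is loaded via rundll32
        flags.append("dll-as-run-value")
    if "\\appdata\\local\\" in p or "\\appdata\\roaming\\" in p:
        flags.append("user-profile-appdata")     # writable without admin rights
    if "\\temp\\" in p:
        flags.append("temp-directory")
    return flags


def parse_reg_loading_points(text: str) -> List[RunEntry]:
    """Walk the section, tracking the current [HKEY_...] key, and parse each Run value."""
    entries: List[RunEntry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_LINE.match(line)
        if m and key.lower().endswith("\\run"):
            entries.append(RunEntry(key, m["name"], m["path"], m["date"],
                                    int(m["size"]), assess(m["path"])))
    return entries


def suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    return [e for e in entries if e.flags]


# Constructed sample: Run-key lines copied from the ComboFix log in this thread.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"appapiInit"="c:\users\Cymande.Cymande-PC\AppData\Local\winCommsSupport\appapiInit.dll" [2011-08-29 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
'''

if __name__ == "__main__":
    for e in suspicious(parse_reg_loading_points(SAMPLE)):
        print(f"{e.key}\\{e.name}: {e.path} (created {e.date}) -> {', '.join(e.flags)}")
```

The creation date ComboFix prints (2011-08-29 here) lines up with the "Files Created" entry for the winCommsSupport folder, which is the kind of cross-check that separates a freshly dropped autostart from long-standing vendor software.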

#11 lovelocs

  • Topic Starter
  • Members
  • 18 posts

Posted 26 September 2011 - 02:47 PM

I don't know if this was supposed to be the final step or not, but I do still have redirects. Thank you for all your help so far.

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 September 2011 - 05:25 PM

That was not the last step.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/Windows 7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

m0le is a proud member of UNITE

#13 lovelocs

  • Topic Starter
  • Members
  • 18 posts

Posted 27 September 2011 - 11:18 AM

Here is the GooredFix log. Thank you as always.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 11:14 on 27/09/2011 (Cymande)
Firefox version 3.6.22 (en-US)

========== GooredScan ==========

Removing Orphan:
"{4ED1F68A-5463-4931-9384-8FFF5ED91D92}"="C:\Program Files\McAfee\SiteAdvisor" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:50 18/12/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [01:34 08/03/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [18:31 28/09/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [22:36 21/11/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [03:40 07/04/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [00:50 23/04/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [19:19 06/09/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [05:33 05/11/2010]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [07:25 11/01/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [04:20 24/02/2011]
{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [19:56 30/06/2011]
{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} [17:56 29/08/2011]

C:\Users\Cymande.Cymande-PC\Application Data\Mozilla\Firefox\Profiles\dypooc45.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [02:20 28/04/2010]
{a95d8332-e4b4-6e7f-98ac-20b733364387} [01:17 19/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [09:53 23/08/2009]

-=E.O.F=-

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 September 2011 - 11:42 AM

Please run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#15 lovelocs

  • Topic Starter
  • Members
  • 18 posts

Posted 27 September 2011 - 06:34 PM

Here is the Malwarebytes' log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7811

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19120

9/27/2011 6:32:57 PM
mbam-log-2011-09-27 (18-32-57).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 327618
Time elapsed: 39 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Users\cymande.cymande-pc\AppData\Local\wincommssupport\appapiinit.dll (Trojan.Blueinit.SGen) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\cymande.cymande-pc\AppData\Local\wincommssupport\appapiinit.dll (Trojan.Blueinit.SGen) -> Delete on reboot.



