redirecting from Google search


I'm using Firefox and quite frequently a Google search will redirect to some ad site. I run Malwarebytes at least 3 times a day and it doesn't find it.

Here is my HijackThis Log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10:02 AM, on 5/18/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Tomcat\bin\tomcat6.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbmux32.exe

C:\WINDOWS\system32\STacSV.exe

C:\WINDOWS\sttray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\mstsc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Startup: Remap.cmd

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190461668203

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://proquest.webex.com/client/T23SP33EP...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4968C2-C178-4BBF-9608-D4D560F1D8DA}: NameServer = 10.49.17.151

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: SBS_GM_TOMCAT6 - Apache Software Foundation - C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Tomcat\bin\tomcat6.exe

O23 - Service: SBS_GM_TRANSBASE - Transaction Software, D 81829 Munich - C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbmux32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--

End of file - 5810 bytes

Hello SKITTLECAR1

Welcome to Malwarebytes.

=====================

  • Please download OTH.scr to your desktop.
  • Download OTL to your desktop.
  • Double click the OTH file and select Kill All Processes; your desktop will go blank.
    Then select Start OTL. OTL will now run.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below:


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

OTL logfile created on: 5/18/2010 2:05:09 PM - Run 2

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 134.11 Gb Total Space | 93.68 Gb Free Space | 69.85% Space Free | Partition Type: NTFS

Drive D: | 14.92 Gb Total Space | 13.13 Gb Free Space | 87.98% Space Free | Partition Type: FAT32

Drive E: | 4.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

F: Drive not present or media not loaded

Drive G: | 3.74 Gb Total Space | 2.97 Gb Free Space | 79.49% Space Free | Partition Type: FAT32

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 48.83 Gb Total Space | 18.45 Gb Free Space | 37.79% Space Free | Partition Type: NTFS

Computer Name: SPC01

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Documents and Settings\Administrator\Desktop\OTH.scr (OldTimer Tools)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)

PRC - C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (McAfee, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)

SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)

SRV - (SBS_GM_TRANSBASE) -- C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbmux32.exe (Transaction Software, D 81829 Munich)

SRV - (SBS_GM_TOMCAT6) -- C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Tomcat\bin\tomcat6.exe (Apache Software Foundation)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

SRV - (McAfeeFramework) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (McAfee, Inc.)

SRV - (STacSV) -- C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)

DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (McAfee, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.2

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/05/11 14:46:38 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/12 06:44:27 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/12 06:43:57 | 000,000,000 | ---D | M]

[2010/05/12 06:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2010/05/12 06:44:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010/05/18 06:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e1o5hajc.default\extensions

[2010/05/12 06:50:26 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e1o5hajc.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}

[2010/05/12 06:43:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/05/12 06:43:58 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2010/04/01 13:58:18 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010/04/01 13:58:19 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2010/04/01 13:58:20 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2010/04/01 11:56:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2010/04/01 11:56:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2010/04/01 11:56:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2010/04/01 11:56:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2010/04/01 11:56:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2010/04/01 11:56:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2010/04/01 11:56:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/05/13 09:20:57 | 000,000,757 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 10.49.17.151 pbs001pdc

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Remap.cmd ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKCU\..Trusted Domains: localhost ([]http in Trusted sites)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1190461668203 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://proquest.webex.com/client/T23SP33EP...bex/ieatgpc.cab (GpcContainer Class)

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/01/17 17:13:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2007/09/14 17:35:09 | 000,000,036 | R--- | M] () - E:\Autorun.inf -- [ UDF ]

O33 - MountPoints2\{00becab6-a5e7-11db-ac4e-806d6172696f}\Shell - "" = AutoRun

O33 - MountPoints2\{00becab6-a5e7-11db-ac4e-806d6172696f}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{00becab6-a5e7-11db-ac4e-806d6172696f}\Shell\AutoRun\command - "" = E:\Programs\nu2menu\nu2menu.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/01/17 17:13:14 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/18 13:58:22 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/05/18 13:40:48 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

[2010/05/17 11:07:39 | 010,196,424 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\My Documents\windows-kb890830-v3.7.exe

[2010/05/17 09:36:41 | 000,000,000 | ---D | C] -- C:\QUARANTINE

[2010/05/17 09:22:54 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys

[2010/05/17 09:22:50 | 000,207,792 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys

[2010/05/17 09:22:49 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys

[2010/05/17 09:22:43 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys

[2010/05/17 09:22:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools

[2010/05/17 09:22:14 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor

[2010/05/17 09:22:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools

[2010/05/17 09:22:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PC Tools

[2010/05/17 09:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/05/17 09:02:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google Updater

[2010/05/17 09:02:29 | 000,000,000 | ---D | C] -- C:\Program Files\Google

[2010/05/13 14:19:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak

[2010/05/13 09:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/05/13 09:00:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

[2010/05/13 09:00:02 | 001,495,552 | ---- | C] (PGP Corporation) -- C:\WINDOWS\System32\epoPGPsdk.dll

[2010/05/13 09:00:02 | 000,499,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll

[2010/05/13 09:00:02 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll

[2010/05/13 08:58:43 | 000,034,152 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys

[2010/05/13 08:58:42 | 000,168,776 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys

[2010/05/13 08:58:42 | 000,072,264 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys

[2010/05/13 08:58:42 | 000,064,360 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys

[2010/05/13 08:58:42 | 000,052,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys

[2010/05/13 08:56:25 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee

[2010/05/13 08:56:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee

[2010/05/13 08:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/05/13 08:48:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/13 08:48:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/13 08:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/13 08:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/05/13 08:47:03 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\My Documents\mbam-setup-1.46.exe

[2010/05/12 16:17:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun

[2010/05/12 06:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads

[2010/05/12 06:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla

[2010/05/12 06:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla

[2010/05/12 06:43:56 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2010/05/12 03:06:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles

[2010/05/11 21:17:26 | 000,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys

[2010/05/11 15:20:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org

[2010/05/11 14:59:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\PARTS_STUFF

[2010/05/11 14:47:03 | 000,000,000 | ---D | C] -- C:\Program Files\JRE

[2010/05/11 14:46:58 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3

[2010/05/11 14:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/05/11 14:46:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/05/11 14:46:45 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/05/11 14:46:45 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/05/11 14:46:45 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/05/11 14:46:45 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/05/11 14:46:45 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/05/11 14:46:34 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/05/11 14:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun

[2010/05/11 14:41:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\OpenOffice.org 3.2 (en-US) Installation Files

[2010/05/11 13:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TurboMeeting

[2010/05/11 13:39:35 | 000,000,000 | ---D | C] -- C:\lexmark2

[2010/05/11 13:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Lexmark_PCL_UNIV_Driver

[2010/05/11 13:33:30 | 000,000,000 | ---D | C] -- C:\lexmark

[2010/05/11 12:49:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations

[2010/05/11 12:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia

[2010/05/11 10:53:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Snap-on Business Solutions

[2010/05/11 10:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Global EPC

[2010/05/11 10:53:12 | 000,000,000 | ---D | C] -- C:\Program Files\Snap-on Business Solutions

[2010/05/11 10:51:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\webex

[2010/05/11 10:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\WebEx

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 13:58:30 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/05/18 13:47:26 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/18 13:47:15 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/05/18 13:46:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/18 13:46:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/18 13:46:12 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/05/18 13:46:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/05/18 13:41:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\7b1nowvf.exe

[2010/05/18 13:40:55 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

[2010/05/17 11:50:46 | 000,007,168 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\0240.xls

[2010/05/17 11:09:50 | 010,196,424 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\My Documents\windows-kb890830-v3.7.exe

[2010/05/17 09:02:18 | 001,251,432 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Google Updater.exe

[2010/05/14 12:22:06 | 002,389,595 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SDCSRulebook%202008%202009.pdf

[2010/05/13 16:30:09 | 006,937,988 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/05/13 09:20:51 | 000,001,156 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp

[2010/05/13 08:48:51 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Malwarebytes' Anti-Malware.lnk

[2010/05/13 08:48:01 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\My Documents\mbam-setup-1.46.exe

[2010/05/13 08:13:53 | 000,017,720 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/05/12 16:28:59 | 000,355,944 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/05/12 16:28:59 | 000,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/05/12 16:28:59 | 000,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/05/12 16:25:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/05/12 12:00:11 | 000,000,512 | ---- | M] () -- C:\WINDOWS\randseed.rnd

[2010/05/12 06:44:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat

[2010/05/12 06:43:59 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/12 03:37:24 | 000,114,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/05/11 15:21:19 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

[2010/05/11 15:02:23 | 002,046,976 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\May 2010 Tires.xls

[2010/05/11 14:46:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/05/11 14:46:37 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/05/11 14:46:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/05/11 14:46:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/05/11 14:46:37 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/05/11 13:58:41 | 000,000,070 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Remap.cmd

[2010/05/11 13:52:14 | 000,001,128 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PBS.RDP

[2010/05/11 13:49:02 | 000,001,253 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\TurboMeeting.lnk

[2010/05/11 12:50:25 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\GM EPC4.url

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/18 13:41:20 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\7b1nowvf.exe

[2010/05/17 11:50:39 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\0240.xls

[2010/05/17 09:22:54 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat

[2010/05/17 09:22:50 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat

[2010/05/17 09:22:50 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat

[2010/05/17 09:22:43 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat

[2010/05/17 09:02:30 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/05/17 09:01:47 | 001,251,432 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Google Updater.exe

[2010/05/14 12:22:06 | 002,389,595 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SDCSRulebook%202008%202009.pdf

[2010/05/13 09:00:02 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig

[2010/05/13 08:48:51 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Malwarebytes' Anti-Malware.lnk

[2010/05/12 06:44:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/05/12 06:43:59 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/11 15:21:18 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

[2010/05/11 15:02:23 | 002,046,976 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\May 2010 Tires.xls

[2010/05/11 15:01:23 | 000,067,364 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\OrderTemplate.xls

[2010/05/11 13:54:29 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Remap.cmd

[2010/05/11 13:52:14 | 000,001,128 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PBS.RDP

[2010/05/11 13:49:35 | 000,001,156 | -H-- | C] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp

[2010/05/11 13:49:02 | 000,001,253 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\TurboMeeting.lnk

[2010/05/11 10:55:39 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\GM EPC4.url

[2008/12/31 05:14:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\softcoin.dll

[2008/12/31 05:14:00 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\gencoin.dll

[2007/01/22 16:01:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2007/01/19 10:32:09 | 000,348,880 | R--- | C] () -- C:\WINDOWS\System32\igmedkrn.dll

[2007/01/19 10:32:09 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4624.dll

[2006/02/28 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2010/05/11 15:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org

[2010/05/11 13:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TurboMeeting

[2010/05/11 10:51:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\webex

[2007/01/19 13:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates

[2010/05/11 10:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Snap-on Business Solutions

[2010/05/17 13:38:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2007/01/17 17:13:39 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2007/09/22 02:59:59 | 000,000,211 | RHS- | M] () -- C:\boot.ini

[2007/01/17 17:13:39 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2007/01/22 15:58:56 | 000,000,271 | ---- | M] () -- C:\Image.txt.rtf

[2007/01/17 17:13:39 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2007/01/17 17:13:39 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2006/02/28 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2006/02/28 08:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr

[2010/05/18 13:46:55 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

[2007/01/19 10:29:07 | 000,000,172 | ---- | M] () -- C:\Sigmatel

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2007/01/17 01:04:09 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2007/01/17 01:04:09 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2007/01/17 01:04:09 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

[2010/02/24 08:31:30 | 000,454,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

OTL Extras logfile created on: 5/18/2010 2:00:23 PM - Run 1

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 134.11 Gb Total Space | 93.67 Gb Free Space | 69.85% Space Free | Partition Type: NTFS

Drive D: | 14.92 Gb Total Space | 13.13 Gb Free Space | 87.98% Space Free | Partition Type: FAT32

Drive E: | 4.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

F: Drive not present or media not loaded

Drive G: | 3.74 Gb Total Space | 2.97 Gb Free Space | 79.49% Space Free | Partition Type: FAT32

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 48.83 Gb Total Space | 18.45 Gb Free Space | 37.79% Space Free | Partition Type: NTFS

Computer Name: SPC01

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\WINDOWS\system32\spoolsv.exe" = C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe -- (Microsoft Corporation)

"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" = C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0FD1AFDF-00C6-46C9-8BC1-65EADD9C94A2}" = GM Global Infrastructure

"{1722A3B9-6575-49CA-BACB-2A5B146C7105}" = GM North America EPC Database

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2

"{6B936BFE-67E3-483C-A99F-D90943FE3C24}" = GM Global Local Database

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9B80125C-469A-4142-94A7-5284F9C396CC}" = General Motors Global License Manager

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio

"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8

"{B8304DED-B42A-4940-A39C-261657011565}" = GM North America EPC

"{E56CB7AB-05FD-47B3-85D5-2A934BCB35F3}" = GM North America EPC Archive Database

"{F6B23E59-1240-4C20-AE0B-70658A91976A}" = Intel® PRO Network Connections

"{FDC8065B-80DE-4466-B90B-2581F6D77DFF}" = Image Plugin

"ActiveTouchMeetingClient" = WebEx

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Google Updater" = Google Updater

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 2.0.2

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)

"Spyware Doctor" = Spyware Doctor 7.0

"TurboMeeting" = TurboMeeting

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 5/11/2010 12:00:30 PM | Computer Name = SPC01 | Source = Alert Manager Event Interface | ID = 257

Description =

Error - 5/11/2010 3:15:44 PM | Computer Name = SPC01 | Source = Application Hang | ID = 1002

Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/11/2010 3:16:10 PM | Computer Name = SPC01 | Source = Application Hang | ID = 1001

Description = Fault bucket 126637809.

Error - 5/11/2010 3:27:54 PM | Computer Name = SPC01 | Source = Application Hang | ID = 1002

Description = Hanging application soffice.bin, version 3.2.9476.500, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/11/2010 3:27:54 PM | Computer Name = SPC01 | Source = Application Hang | ID = 1002

Description = Hanging application soffice.bin, version 3.2.9476.500, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/12/2010 12:00:24 PM | Computer Name = SPC01 | Source = Alert Manager Event Interface | ID = 257

Description =

Error - 5/17/2010 9:38:11 AM | Computer Name = SPC01 | Source = McLogEvent | ID = 5051

Description = A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

took longer than 90000 ms to complete a request. The process will be terminated.

Thread

id : 2072 (0x818) Thread address : 0x7C90E514 Thread message : Build VSCORE.13.3.1.100

/ 5400.1158 Object being scanned = \Device\HarddiskVolume1\PROGRAM FILES\NETWORK

ASSOCIATES\COMMON FRAMEWORK\NAXML71.DLL by C:\Program Files\Spyware Doctor\pctsSvc.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 5/17/2010 9:38:12 AM | Computer Name = SPC01 | Source = McLogEvent | ID = 1008

Description = The McShield service terminated unexpectedly. Please review event 5019

or 5051 for details. The McShield service will be restarted in 5 seconds;

[ System Events ]

Error - 5/18/2010 1:59:13 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The Java Quick Starter service terminated unexpectedly. It has done

this 1 time(s).

Error - 5/18/2010 1:59:13 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The McAfee Framework Service service terminated unexpectedly. It

has done this 1 time(s).

Error - 5/18/2010 1:59:43 PM | Computer Name = SPC01 | Source = DCOM | ID = 10005

Description = DCOM got error "%1053" attempting to start the service McAfeeFramework

with arguments "" in order to run the server: {D3580208-D4E1-46D4-876C-B45A328AF25A}

Error - 5/18/2010 1:59:43 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7009

Description = Timeout (30000 milliseconds) waiting for the McAfee Framework Service

service to connect.

Error - 5/18/2010 1:59:43 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7000

Description = The McAfee Framework Service service failed to start due to the following

error: %%1053

Error - 5/18/2010 1:59:44 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The McAfee Task Manager service terminated unexpectedly. It has done

this 1 time(s).

Error - 5/18/2010 1:59:44 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The SigmaTel Audio Service service terminated unexpectedly. It has

done this 1 time(s).

Error - 5/18/2010 1:59:44 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The SBS_GM_TOMCAT6 service terminated unexpectedly. It has done this

1 time(s).

Error - 5/18/2010 1:59:44 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The SBS_GM_TRANSBASE service terminated unexpectedly. It has done

this 1 time(s).

Error - 5/18/2010 2:01:43 PM | Computer Name = SPC01 | Source = Service Control Manager | ID = 7034

Description = The McAfee McShield service terminated unexpectedly. It has done

this 1 time(s).

< End of report >

And here is the GMER log.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-18 14:41:49

Windows 5.1.2600 Service Pack 2

Running: 7b1nowvf.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdypog.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9ECAE52]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9EABCDE]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9EABED0]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9ECB640]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9ECB8F4]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9EC9B44]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9ECBD60]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9ECB112]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9EAB984]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA7B2B35F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA7B2B3B5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA7B2B373]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA7B2B3CB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA7B2B39F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C54 80503A28 8 Bytes JMP EABED0B9

.text ntkrnlpa.exe!ZwYieldExecution 80503FF4 7 Bytes JMP A7B2B3A3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80577ECA 5 Bytes JMP A7B2B363 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0A7E 7 Bytes JMP A7B2B3B9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B188C 5 Bytes JMP A7B2B3CF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6E62 7 Bytes JMP A7B2B377 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F01380]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E10FEF

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E10084

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E10073

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E10062

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E10FA5

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E10040

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E100BA

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E10F72

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E100DF

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E10F46

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E10F2B

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E10051

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E10FD4

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E100A9

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E10025

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E1000A

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E10F57

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00E00FB9

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00E00F86

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00E00FD4

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00E0000A

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00E00F97

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00E00FEF

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00E00FA8

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00E0002F

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DF004E

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DF0FC3

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DF0FDE

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DF0FEF

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DF0033

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DF0018

.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[508] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DE000A

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0007009F

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070084

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070073

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070FB6

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070FC7

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F74

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 000700B0

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070F2D

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F3E

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 000700D7

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0007004E

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00070011

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00070F85

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0007003D

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00070022

.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070F4F

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00060FB9

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00060F72

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00060FCA

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00060FE5

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00060F83

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00060000

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0006001B

.text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00060F94

.text C:\WINDOWS\system32\services.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050044

.text C:\WINDOWS\system32\services.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FC3

.text C:\WINDOWS\system32\services.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FDE

.text C:\WINDOWS\system32\services.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000

.text C:\WINDOWS\system32\services.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050033

.text C:\WINDOWS\system32\services.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FEF

.text C:\WINDOWS\system32\services.exe[760] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FEF

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30000

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F30F74

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F30069

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F30F8F

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30FB6

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F30047

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F3009A

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F30F52

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F30F2D

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F300C6

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00F300E1

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00F30058

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00F3001B

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00F30F63

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00F30036

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00F30FE5

.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00F300B5

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00F20040

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00F20F9E

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00F2002F

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00F2000A

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00F20FC3

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00F20FEF

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00F20FD4

.text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00F2005B

.text C:\WINDOWS\system32\lsass.exe[772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10042

.text C:\WINDOWS\system32\lsass.exe[772] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FB7

.text C:\WINDOWS\system32\lsass.exe[772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FD2

.text C:\WINDOWS\system32\lsass.exe[772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000

.text C:\WINDOWS\system32\lsass.exe[772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10027

.text C:\WINDOWS\system32\lsass.exe[772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3

.text C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FEF

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BD0000

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BD00A2

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BD0091

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BD0FC3

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BD0076

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BD005B

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BD0F5A

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BD0F81

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BD00E2

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BD0F49

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00BD0F2E

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00BD0FD4

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00BD0FEF

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00BD0F9C

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00BD0040

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00BD0025

.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00BD00C7

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00BC0036

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00BC007D

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00BC001B

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00BC000A

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00BC0062

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00BC0FEF

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00BC0047

.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00BC0FCA

.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FB4

.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0049

.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FD9

.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000

.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB002E

.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB001D

.text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BA0FEF

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A80000

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A800B3

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80098

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A80FCA

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80087

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80051

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A800EB

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A80FA3

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A80F66

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A80F81

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A80110

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A8006C

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A8001B

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A800CE

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A80036

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A80FE5

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A80F92

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A70FE5

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A7007D

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7832 1 Byte [E9]

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A70036

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A7001B

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A70062

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A70000

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A70051

.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A70FCA

.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FBC

.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60047

.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60022

.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60000

.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FCD

.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60011

.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A50FEF

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02730000

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02730090

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0273007F

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02730FA5

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02730062

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0273002C

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 027300D7

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 027300BC

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02730103

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02730F6A

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02730114

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02730047

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02730FE5

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 027300AB

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0273001B

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02730FCA

.text C:\WINDOWS\System32\svchost.exe[1100] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 027300E8

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02720FD4

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02720FB9

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02720FEF

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02720025

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0272006C

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 0272000A

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0272005B

.text C:\WINDOWS\System32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02720040

.text C:\WINDOWS\System32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0271004C

.text C:\WINDOWS\System32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 02710FC1

.text C:\WINDOWS\System32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02710FD2

.text C:\WINDOWS\System32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02710FE3

.text C:\WINDOWS\System32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02710031

.text C:\WINDOWS\System32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0271000C

.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02100FEF

.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenW 771BAEED 5 Bytes JMP 02310011

.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenA 771C573E 5 Bytes JMP 02310000

.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenUrlA 771C59F1 5 Bytes JMP 02310038

.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenUrlW 771D5B3A 5 Bytes JMP 02310FDB

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00830FEF

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00830F6B

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00830F7C

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00830F8D

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00830F9E

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0083002F

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0083008E

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00830F46

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00830F2B

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008300BA

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00830F06

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0083004A

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0083000A

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00830071

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00830FC3

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00830FD4

.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008300A9

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0082002C

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0082007D

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0082001B

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0082000A

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00820062

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00820FEF

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0082003D

.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00820FC0

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0081004E

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00810033

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00810FCD

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00810FEF

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00810022

.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00810FDE

.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00800FE5

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00970000

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00970FB6

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009700AB

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0097008E

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00970073

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00970047

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009700E8

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009700D7

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00970F59

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00970F74

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00970F34

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00970062

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00970011

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009700C6

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00970FDB

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00970022

.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00970F85

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00960036

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00960FAF

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0096001B

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00960000

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0096006C

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00960FE5

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00960FD4

.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0096005B

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0095005F

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00950FD4

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950044

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00950000

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FEF

.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0095001D

.text C:\WINDOWS\system32\svchost.exe[1256] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00940000

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 024F0000

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 024F0F88

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 024F0F99

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 024F0073

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 024F0062

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 024F0047

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 024F00BA

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 024F00A9

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 024F00DF

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 024F0F46

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 024F00F0

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 024F0FCA

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 024F0011

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 024F0098

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 024F0FDB

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 024F0022

.text C:\WINDOWS\system32\wuauclt.exe[1672] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 024F0F57

.text C:\WINDOWS\system32\wuauclt.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 024D0058

.text C:\WINDOWS\system32\wuauclt.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 024D003D

.text C:\WINDOWS\system32\wuauclt.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 024D0FDE

.text C:\WINDOWS\system32\wuauclt.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 024D000C

.text C:\WINDOWS\system32\wuauclt.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 024D0FCD

.text C:\WINDOWS\system32\wuauclt.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 024D0FEF

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 024E0FDE

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 024E0F97

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 024E0025

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 024E000A

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 024E0054

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 024E0FEF

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 024E0FA8

.text C:\WINDOWS\system32\wuauclt.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 024E0FB9

.text C:\WINDOWS\system32\wuauclt.exe[1672] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 024C0FE5

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007E0FEF

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007E0F3C

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007E0F61

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007E003B

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007E0F72

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007E0F9E

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007E0F06

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007E004C

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007E0073

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007E0EE4

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007E0EBF

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 007E0F83

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 007E0000

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007E0F21

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 007E0FB9

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 007E0FCA

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007E0EF5

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007D001E

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007D006F

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007D0FC3

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007D0FDE

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007D005E

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007D0FEF

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007D0FB2

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007D0039

.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0042

.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0027

.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C000C

.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0FEF

.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C0FB7

.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0FD2

.text C:\WINDOWS\system32\svchost.exe[1720] WININET.dll!InternetOpenW 771BAEED 5 Bytes JMP 007B0FE5

.text C:\WINDOWS\system32\svchost.exe[1720] WININET.dll!InternetOpenA 771C573E 5 Bytes JMP 007B000A

.text C:\WINDOWS\system32\svchost.exe[1720] WININET.dll!InternetOpenUrlA 771C59F1 5 Bytes JMP 007B001B

.text C:\WINDOWS\system32\svchost.exe[1720] WININET.dll!InternetOpenUrlW 771D5B3A 5 Bytes JMP 007B0036

.text C:\WINDOWS\system32\svchost.exe[1720] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007A000A

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01A60000

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01A60073

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01A60F7E

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01A60062

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01A60FA5

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01A60036

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01A60090

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01A60F48

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01A600C6

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01A60F2D

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01A60F12

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01A60051

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01A6001B

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01A60F59

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01A60FCA

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01A60FE5

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01A600A1

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01A50025

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01A50F94

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01A50FD4

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01A50FE5

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01A50051

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01A50000

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01A50FB9

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01A50036

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A40FB4

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A4003F

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A4001D

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A40FEF

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A4002E

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A4000C

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1816] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01A30000

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01BE0FEF

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01BE0093

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01BE0078

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01BE0F9E

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01BE0FAF

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01BE0040

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01BE0F7C

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01BE00C4

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01BE00F3

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01BE0F5A

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01BE010E

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01BE0051

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01BE0014

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01BE0F8D

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01BE0025

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01BE0FDE

.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01BE0F6B

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01BD001B

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01BD0036

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01BD000A

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01BD0FCA

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01BD0F79

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01BD0FE5

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01BD0F94

.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01BD0FA5

.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 016D0F9C

.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 016D0027

.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 016D0FD2

.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 016D0000

.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 016D0FB7

.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 016D0FE3

.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenW 771BAEED 5 Bytes JMP 016C000A

.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenA 771C573E 5 Bytes JMP 016C0FEF

.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenUrlA 771C59F1 5 Bytes JMP 016C0025

.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenUrlW 771D5B3A 5 Bytes JMP 016C0FD2

.text C:\WINDOWS\Explorer.EXE[1968] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01650FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 [B9EF49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9EF49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort1 [B9EF49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort2 [B9EF49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9EF49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [B9EF49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs A8A12400

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

==================

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All; extract the file to your desktop, then run it.
  • Once completed, it will create a log in your C:\ drive.
  • Please post the contents of that log.

===========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


06:47:46:093 1956 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17

06:47:46:093 1956 ================================================================================

06:47:46:093 1956 SystemInfo:

06:47:46:093 1956 OS Version: 5.1.2600 ServicePack: 2.0

06:47:46:093 1956 Product type: Workstation

06:47:46:093 1956 ComputerName: SPC01

06:47:46:093 1956 UserName: Administrator

06:47:46:093 1956 Windows directory: C:\WINDOWS

06:47:46:093 1956 Processor architecture: Intel x86

06:47:46:093 1956 Number of processors: 2

06:47:46:093 1956 Page size: 0x1000

06:47:46:093 1956 Boot type: Normal boot

06:47:46:093 1956 ================================================================================

06:47:46:093 1956 UnloadDriverW: NtUnloadDriver error 2

06:47:46:093 1956 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2

06:47:46:187 1956 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

06:47:46:187 1956 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

06:47:46:187 1956 wfopen_ex: Trying to KLMD file open

06:47:46:187 1956 wfopen_ex: File opened ok (Flags 2)

06:47:46:187 1956 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

06:47:46:187 1956 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

06:47:46:187 1956 wfopen_ex: Trying to KLMD file open

06:47:46:187 1956 wfopen_ex: File opened ok (Flags 2)

06:47:46:187 1956 KLAVA engine initialized

06:47:46:359 1956 Initialize success

06:47:46:359 1956

06:47:46:359 1956 Scanning Services ...

06:47:46:609 1956 Raw services enum returned 282 services

06:47:46:625 1956

06:47:46:625 1956 Scanning Drivers ...

06:47:46:765 1956 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

06:47:46:828 1956 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

06:47:46:906 1956 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

06:47:46:937 1956 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

06:47:47:109 1956 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

06:47:47:171 1956 atapi (183b1617e1805d3d9be2e3a5712fbf3a) C:\WINDOWS\system32\DRIVERS\atapi.sys

06:47:47:171 1956 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 183b1617e1805d3d9be2e3a5712fbf3a, Fake md5: cdfe4411a69c224bd1d11b2da92dac51

06:47:47:171 1956 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 06:47:49:265 1956 Backup copy found, using it..

06:47:49:343 1956 will be cured on next reboot

06:47:49:421 1956 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

06:47:49:453 1956 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

06:47:49:515 1956 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

06:47:49:546 1956 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

06:47:49:562 1956 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

06:47:49:625 1956 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

06:47:49:640 1956 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

06:47:49:718 1956 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

06:47:49:750 1956 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

06:47:49:781 1956 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

06:47:49:781 1956 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

06:47:49:812 1956 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

06:47:49:843 1956 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

06:47:49:890 1956 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys

06:47:49:937 1956 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

06:47:49:937 1956 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

06:47:49:968 1956 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

06:47:49:984 1956 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

06:47:50:031 1956 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

06:47:50:031 1956 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

06:47:50:062 1956 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

06:47:50:078 1956 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

06:47:50:125 1956 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

06:47:50:187 1956 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

06:47:50:250 1956 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

06:47:50:328 1956 ialm (88164ba0e3fc4172ff3a1bd82b756454) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

06:47:50:531 1956 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

06:47:50:609 1956 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

06:47:50:640 1956 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

06:47:50:671 1956 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

06:47:50:687 1956 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

06:47:50:734 1956 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

06:47:50:765 1956 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

06:47:50:812 1956 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

06:47:50:875 1956 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

06:47:50:921 1956 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

06:47:50:984 1956 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

06:47:51:031 1956 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

06:47:51:093 1956 mfeapfk (1f334eb2a13816df45671ebb98896da7) C:\WINDOWS\system32\drivers\mfeapfk.sys

06:47:51:109 1956 mfeavfk (8a1dedbbdad33587f6fad780ce4b34b5) C:\WINDOWS\system32\drivers\mfeavfk.sys

06:47:51:140 1956 mfebopk (d800e31a019a6979698eef0507baa746) C:\WINDOWS\system32\drivers\mfebopk.sys

06:47:51:171 1956 mfehidk (0ae14fab8e25c258c6ebf3827c649273) C:\WINDOWS\system32\drivers\mfehidk.sys

06:47:51:234 1956 mferkdk (e72afc5056f6804c616e7dc32a38945f) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys

06:47:51:343 1956 mfetdik (a47f0f63e92730de15d41624ab998c5c) C:\WINDOWS\system32\drivers\mfetdik.sys

06:47:51:375 1956 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

06:47:51:406 1956 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

06:47:51:484 1956 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

06:47:51:500 1956 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

06:47:51:515 1956 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

06:47:51:562 1956 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

06:47:51:593 1956 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

06:47:51:625 1956 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

06:47:51:656 1956 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

06:47:51:687 1956 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

06:47:51:734 1956 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

06:47:51:781 1956 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

06:47:51:812 1956 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

06:47:51:859 1956 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

06:47:51:906 1956 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

06:47:51:921 1956 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

06:47:51:937 1956 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

06:47:51:937 1956 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

06:47:51:984 1956 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

06:47:52:000 1956 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

06:47:52:109 1956 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

06:47:52:140 1956 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

06:47:52:171 1956 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

06:47:52:203 1956 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

06:47:52:265 1956 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

06:47:52:281 1956 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

06:47:52:312 1956 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

06:47:52:343 1956 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

06:47:52:375 1956 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

06:47:52:421 1956 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

06:47:52:484 1956 PCTCore (ad629e621cb1242ba8707cd9c2c5b6ec) C:\WINDOWS\system32\drivers\PCTCore.sys

06:47:52:703 1956 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

06:47:52:718 1956 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

06:47:52:750 1956 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

06:47:52:781 1956 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

06:47:52:812 1956 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

06:47:52:812 1956 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

06:47:52:828 1956 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

06:47:52:875 1956 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

06:47:52:906 1956 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

06:47:52:953 1956 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

06:47:53:015 1956 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

06:47:53:031 1956 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

06:47:53:062 1956 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

06:47:53:078 1956 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

06:47:53:093 1956 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

06:47:53:109 1956 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

06:47:53:140 1956 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys

06:47:53:296 1956 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

06:47:53:343 1956 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

06:47:53:437 1956 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

06:47:53:531 1956 STHDA (784b73bd9d1c0fba6ca96e8976f4b0e6) C:\WINDOWS\system32\drivers\sthda.sys

06:47:53:734 1956 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

06:47:53:750 1956 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

06:47:53:812 1956 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

06:47:53:859 1956 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

06:47:53:921 1956 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

06:47:53:921 1956 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

06:47:53:953 1956 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

06:47:54:031 1956 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

06:47:54:109 1956 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys

06:47:54:156 1956 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

06:47:54:171 1956 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

06:47:54:171 1956 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

06:47:54:187 1956 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

06:47:54:234 1956 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

06:47:54:250 1956 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

06:47:54:265 1956 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

06:47:54:312 1956 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

06:47:54:312 1956 Reboot required for cure complete..

06:47:54:765 1956 Cure on reboot scheduled successfully

06:47:54:765 1956

06:47:54:765 1956 Completed

06:47:54:765 1956

06:47:54:765 1956 Results:

06:47:54:765 1956 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

06:47:54:765 1956 File objects infected / cured / cured on reboot: 1 / 0 / 1

06:47:54:765 1956

06:47:54:765 1956 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

06:47:54:765 1956 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

06:47:54:765 1956 UnloadDriverW: NtUnloadDriver error 1

06:47:54:765 1956 KLMD(ARK) unloaded successfully


ComboFix 10-05-17.05 - Administrator 05/19/2010 6:58.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1288 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

.

((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))

.

2010-05-17 13:36 . 2010-05-17 13:36 -------- d-----w- C:\QUARANTINE

2010-05-17 13:22 . 2009-10-30 15:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-05-17 13:22 . 2009-11-09 15:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-05-17 13:22 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-05-17 13:22 . 2009-09-03 13:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-05-17 13:22 . 2010-05-17 13:23 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-17 13:22 . 2010-05-17 17:38 -------- d-----w- c:\program files\Spyware Doctor

2010-05-17 13:22 . 2010-05-17 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-17 13:22 . 2010-05-17 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2010-05-17 13:22 . 2010-05-17 17:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-17 13:02 . 2010-05-17 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-05-17 13:02 . 2010-05-17 13:02 -------- d-----w- c:\program files\Google

2010-05-13 18:19 . 2010-05-13 18:44 -------- d-----w- c:\windows\system32\CatRoot_bak

2010-05-13 13:12 . 2010-05-13 13:12 -------- d-----w- c:\program files\Trend Micro

2010-05-13 13:00 . 2010-05-13 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-13 13:00 . 2006-11-17 07:06 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-13 13:00 . 2006-11-17 07:06 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-13 13:00 . 2006-11-17 07:06 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll

2010-05-13 12:58 . 2006-11-30 12:50 34152 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-05-13 12:58 . 2006-11-30 12:50 72264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-05-13 12:58 . 2006-11-30 12:50 64360 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-05-13 12:58 . 2006-11-30 12:50 52136 ----a-w- c:\windows\system32\drivers\mfetdik.sys

2010-05-13 12:58 . 2006-11-30 12:50 168776 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-05-13 12:56 . 2010-05-13 12:56 -------- d-----w- c:\program files\McAfee

2010-05-13 12:56 . 2010-05-13 12:56 -------- d-----w- c:\program files\Common Files\McAfee

2010-05-13 12:48 . 2010-05-13 12:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-05-13 12:48 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-13 12:48 . 2010-05-13 12:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-13 12:48 . 2010-05-13 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-13 12:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-12 20:17 . 2010-05-12 20:17 -------- d-----w- c:\windows\Sun

2010-05-12 10:44 . 2010-05-12 10:44 0 ----a-w- c:\windows\nsreg.dat

2010-05-12 10:44 . 2010-05-12 10:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-05-12 07:06 . 2010-05-12 07:06 -------- d-----w- c:\windows\ServicePackFiles

2010-05-12 07:04 . 2006-02-28 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-05-12 01:17 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-05-12 01:17 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-05-11 19:35 . 2010-05-11 19:35 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35ffb9e8-n\msvcp71.dll

2010-05-11 19:35 . 2010-05-11 19:35 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35ffb9e8-n\jmc.dll

2010-05-11 19:35 . 2010-05-11 19:35 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35ffb9e8-n\msvcr71.dll

2010-05-11 19:34 . 2010-05-11 19:34 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-331f9bd3-n\decora-sse.dll

2010-05-11 19:34 . 2010-05-11 19:34 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-331f9bd3-n\decora-d3d.dll

2010-05-11 19:20 . 2010-05-18 14:28 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-05-11 19:20 . 2010-05-11 19:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org

2010-05-11 18:47 . 2010-05-11 18:47 -------- d-----w- c:\program files\JRE

2010-05-11 18:46 . 2010-05-11 18:47 -------- d-----w- c:\program files\OpenOffice.org 3

2010-05-11 18:46 . 2010-05-11 18:46 -------- d-----w- c:\program files\Common Files\Java

2010-05-11 18:46 . 2010-05-11 18:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-05-11 18:46 . 2010-05-11 18:46 -------- d-----w- c:\program files\Java

2010-05-11 17:39 . 2010-05-11 17:39 -------- d-----w- C:\lexmark2

2010-05-11 17:33 . 2010-05-11 17:33 -------- d-----w- C:\lexmark

2010-05-11 16:49 . 2010-05-11 16:49 -------- d-----w- c:\windows\Downloaded Installations

2010-05-11 14:53 . 2010-05-11 14:53 -------- d-----w- c:\program files\Global EPC

2010-05-11 14:53 . 2010-05-11 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Snap-on Business Solutions

2010-05-11 14:53 . 2010-05-11 14:53 -------- d-----w- c:\program files\Snap-on Business Solutions

2010-05-11 14:51 . 2010-05-11 14:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\webex

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-19 10:49 . 2006-02-28 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-13 13:00 . 2007-01-19 17:00 -------- d-----w- c:\program files\Network Associates

2010-05-13 12:58 . 2007-01-19 17:00 -------- d-----w- c:\program files\Common Files\Network Associates

2010-05-13 12:13 . 2007-01-19 16:11 17720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-10 08:02 . 2006-02-28 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 06:12 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-24 12:31 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 282624]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

Remap.cmd [2010-5-11 70]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/17/2010 9:22 AM 207792]

R2 SBS_GM_TOMCAT6;SBS_GM_TOMCAT6;c:\program files\Snap-on Business Solutions\Global EPC\GM\Tomcat\bin\tomcat6.exe [7/21/2008 8:01 PM 57344]

R2 SBS_GM_TRANSBASE;SBS_GM_TRANSBASE;c:\program files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbmux32.exe [9/3/2009 10:46 AM 417792]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/17/2010 9:22 AM 359624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

.

Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-17 13:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

Trusted Zone: localhost

TCP: {6E4968C2-C178-4BBF-9608-D4D560F1D8DA} = 10.49.17.151

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e1o5hajc.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

Completion time: 2010-05-19 07:01:39

ComboFix-quarantined-files.txt 2010-05-19 11:01

Pre-Run: 100,580,323,328 bytes free

Post-Run: 100,807,151,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BB70BD6B51D38E33E3A31BC5FBFCAC9D


Great, looks good.

You have 2 antivirus programs running: Spyware Doctor with Antivirus and McAfee.

You will need to uninstall one or the other or both.

I would personally dump both of those and get Microsoft Security Essentials to replace them, that is unless you have a paid subscription for one or the other.

If you choose to do that, the download link for Microsoft Security Essentials is here: http://www.microsoft.com/security_essentials/

==============

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4116

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

5/19/2010 8:18:43 AM

mbam-log-2010-05-19 (08-18-43).txt

Scan type: Quick scan

Objects scanned: 118409

Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Wednesday, May 19, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, May 19, 2010 08:56:31

Records in database: 4131678

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

E:\

F:\

G:\

X:\

Scan statistics

Objects scanned 41337

Threats found 1

Infected objects found 1

Suspicious objects found 0

Scan duration 01:14:41

File name Threat Threats count

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\13\768def8d-26cb2452 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.


Great, just some Java leftovers. Let me know if things are back to normal.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\13\768def8d-26cb2452


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.

================================Follow up scan=================================

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.
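The hand-off in this post, from the Kaspersky report's "File name / Threat / Threats count" table to an OTL `:Files` fix block, is easy to get wrong by hand when a report lists more than one path. The following Python script is an added example, not code from the forum post, from OTL, or from Kaspersky: it parses a report in the layout shown earlier in the thread and emits the `:Files` block for infected paths. The sample report text embedded in it is constructed to mirror the one posted above; the row layout it assumes (path, then `Infected:` or `Suspicious:` and the threat name, then a count) is taken from that single posted line, so reports with a different layout would need the regular expression adjusted. It also flags paths that sit in the Java deployment cache, which is what the helper means by "Java leftovers".

```python
"""Build an OTL ':Files' fix block from a Kaspersky Online Scanner report.

Added example for this thread; it is not the helper's, OTL's or Kaspersky's
own code. The report layout is assumed from the single result line posted
above, and SAMPLE_REPORT is constructed to mirror that posted log.
"""
import re

# Constructed sample report with the same structure as the posted log.
SAMPLE_REPORT = """Scan statistics
Objects scanned 41337
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 01:14:41

File name Threat Threats count
C:\\Documents and Settings\\Administrator\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\13\\768def8d-26cb2452 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.
"""

# One result row: <drive-letter path> <Infected|Suspicious>: <threat> <count>
# The path may contain spaces, so it is matched non-greedily up to the status word.
ROW_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<status>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Java Web Start / applet cache directory, as seen in the posted path.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_kaspersky_report(text):
    """Return a list of (path, status, threat, count) tuples from the report.

    Only lines after the 'File name ...' header are considered; the summary
    lines above it ('Threats found 1', ...) never start with a drive letter
    and are skipped by the regex anyway.
    """
    findings = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File name"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        m = ROW_RE.match(line)
        if m:
            findings.append(
                (m.group("path"), m.group("status"), m.group("threat"), int(m.group("count")))
            )
    return findings


def is_java_cache_leftover(path):
    """True when the path lives in the Java deployment cache (inert once deleted)."""
    return JAVA_CACHE_MARKER in path.lower()


def otl_files_fix(findings, include_suspicious=False):
    """Render the ':Files' block OTL expects in its Custom Scans/Fixes box.

    By default only 'Infected' rows are listed; 'Suspicious' rows need a human
    decision before being queued for deletion.
    """
    paths = [p for p, status, _, _ in findings if status == "Infected" or include_suspicious]
    if not paths:
        return ""
    return ":Files\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_kaspersky_report(SAMPLE_REPORT)
    for path, status, threat, count in found:
        note = " (Java cache leftover)" if is_java_cache_leftover(path) else ""
        print(f"{status}: {threat} x{count}{note}\n  {path}")
    print(otl_files_fix(found), end="")
```

Run it as-is to see the block that corresponds to the one the helper pasted above; to use it on a real report, replace `SAMPLE_REPORT` with the saved report text and review the printed paths before pasting them into OTL.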


Everything seems to be running normally. Thanks for your help. I really appreciate it!

OTL logfile created on: 5/19/2010 1:43:32 PM - Run 3

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 134.11 Gb Total Space | 93.88 Gb Free Space | 70.00% Space Free | Partition Type: NTFS

Drive D: | 14.92 Gb Total Space | 13.13 Gb Free Space | 87.98% Space Free | Partition Type: FAT32

Drive E: | 4.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

F: Drive not present or media not loaded

Drive G: | 3.74 Gb Total Space | 2.97 Gb Free Space | 79.49% Space Free | Partition Type: FAT32

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 48.83 Gb Total Space | 18.44 Gb Free Space | 37.77% Space Free | Partition Type: NTFS

Computer Name: SPC01

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbmux32.exe (Transaction Software, D 81829 Munich)

PRC - C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbkern32.exe (Transaction Software, D 81829 Munich)

PRC - C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Tomcat\bin\tomcat6.exe (Apache Software Foundation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)

PRC - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (McAfee, Inc.)

PRC - C:\Program Files\Network Associates\Common Framework\Mctray.exe (McAfee, Inc.)

PRC - C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

PRC - C:\WINDOWS\sttray.exe (SigmaTel, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (SBS_GM_TRANSBASE) -- C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Transbase\tbmux32.exe (Transaction Software, D 81829 Munich)

SRV - (SBS_GM_TOMCAT6) -- C:\Program Files\Snap-on Business Solutions\Global EPC\GM\Tomcat\bin\tomcat6.exe (Apache Software Foundation)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)

SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)

SRV - (McAfeeFramework) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (McAfee, Inc.)

SRV - (STacSV) -- C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)

DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (McAfee, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.2

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/05/11 14:46:38 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/12 06:44:27 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/12 06:43:57 | 000,000,000 | ---D | M]

[2010/05/12 06:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2010/05/12 06:44:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010/05/19 07:16:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e1o5hajc.default\extensions

[2010/05/12 06:50:26 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e1o5hajc.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}

[2010/05/12 06:43:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/05/12 06:43:58 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2010/04/01 13:58:18 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010/04/01 13:58:19 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2010/04/01 13:58:20 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2010/04/01 11:56:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2010/04/01 11:56:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2010/04/01 11:56:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2010/04/01 11:56:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2010/04/01 11:56:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2010/04/01 11:56:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2010/04/01 11:56:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/05/13 09:20:57 | 000,000,757 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 10.49.17.151 pbs001pdc

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Remap.cmd ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKCU\..Trusted Domains: localhost ([]http in Trusted sites)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1190461668203 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://proquest.webex.com/client/T23SP33EP...bex/ieatgpc.cab (GpcContainer Class)

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/01/17 17:13:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2007/09/14 17:35:09 | 000,000,036 | R--- | M] () - E:\Autorun.inf -- [ UDF ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/19 13:41:51 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/05/19 06:58:06 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/05/19 06:56:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/05/19 06:56:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/05/19 06:56:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/05/19 06:56:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/05/19 06:55:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/05/19 06:55:55 | 000,000,000 | ---D | C] -- C:\ComboFix

[2010/05/19 06:55:24 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/05/19 06:46:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\New Folder

[2010/05/18 13:58:22 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/05/18 13:40:48 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

[2010/05/17 11:07:39 | 010,196,424 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\My Documents\windows-kb890830-v3.7.exe

[2010/05/17 09:36:41 | 000,000,000 | ---D | C] -- C:\QUARANTINE

[2010/05/17 09:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/05/17 09:02:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google Updater

[2010/05/17 09:02:29 | 000,000,000 | ---D | C] -- C:\Program Files\Google

[2010/05/13 14:19:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak

[2010/05/13 09:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/05/13 09:00:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

[2010/05/13 09:00:02 | 001,495,552 | ---- | C] (PGP Corporation) -- C:\WINDOWS\System32\epoPGPsdk.dll

[2010/05/13 09:00:02 | 000,499,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll

[2010/05/13 09:00:02 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll

[2010/05/13 08:58:43 | 000,034,152 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys

[2010/05/13 08:58:42 | 000,168,776 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys

[2010/05/13 08:58:42 | 000,072,264 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys

[2010/05/13 08:58:42 | 000,064,360 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys

[2010/05/13 08:58:42 | 000,052,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys

[2010/05/13 08:56:25 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee

[2010/05/13 08:56:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee

[2010/05/13 08:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/05/13 08:48:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/13 08:48:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/13 08:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/13 08:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/05/13 08:47:03 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\My Documents\mbam-setup-1.46.exe

[2010/05/12 16:17:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun

[2010/05/12 06:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads

[2010/05/12 06:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla

[2010/05/12 06:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla

[2010/05/12 06:43:56 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2010/05/12 03:06:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles

[2010/05/11 21:17:26 | 000,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys

[2010/05/11 15:20:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org

[2010/05/11 14:59:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\PARTS_STUFF

[2010/05/11 14:47:03 | 000,000,000 | ---D | C] -- C:\Program Files\JRE

[2010/05/11 14:46:58 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3

[2010/05/11 14:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/05/11 14:46:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/05/11 14:46:45 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/05/11 14:46:45 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/05/11 14:46:45 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/05/11 14:46:45 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/05/11 14:46:45 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/05/11 14:46:34 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/05/11 14:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun

[2010/05/11 14:41:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\OpenOffice.org 3.2 (en-US) Installation Files

[2010/05/11 13:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TurboMeeting

[2010/05/11 13:39:35 | 000,000,000 | ---D | C] -- C:\lexmark2

[2010/05/11 13:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Lexmark_PCL_UNIV_Driver

[2010/05/11 13:33:30 | 000,000,000 | ---D | C] -- C:\lexmark

[2010/05/11 12:49:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations

[2010/05/11 12:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia

[2010/05/11 10:53:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Snap-on Business Solutions

[2010/05/11 10:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Global EPC

[2010/05/11 10:53:12 | 000,000,000 | ---D | C] -- C:\Program Files\Snap-on Business Solutions

[2010/05/11 10:51:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\webex

[2010/05/11 10:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\WebEx

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/19 12:25:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/05/19 10:19:22 | 000,003,004 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\111.html

[2010/05/19 08:06:48 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/19 08:06:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/19 08:06:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/19 08:05:50 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/05/19 08:05:26 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/05/19 07:00:53 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/19 06:58:09 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/05/19 06:42:49 | 003,691,277 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[2010/05/19 06:40:39 | 000,949,152 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip

[2010/05/18 13:58:30 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/05/18 13:41:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\7b1nowvf.exe

[2010/05/18 13:40:55 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

[2010/05/17 11:50:46 | 000,007,168 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\0240.xls

[2010/05/17 11:09:50 | 010,196,424 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\My Documents\windows-kb890830-v3.7.exe

[2010/05/17 09:02:18 | 001,251,432 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Google Updater.exe

[2010/05/14 12:22:06 | 002,389,595 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SDCSRulebook%202008%202009.pdf

[2010/05/13 16:30:09 | 006,937,988 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/05/13 09:20:51 | 000,001,156 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp

[2010/05/13 08:48:51 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Malwarebytes' Anti-Malware.lnk

[2010/05/13 08:48:01 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\My Documents\mbam-setup-1.46.exe

[2010/05/13 08:13:53 | 000,017,720 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/05/12 16:28:59 | 000,355,944 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/05/12 16:28:59 | 000,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/05/12 16:28:59 | 000,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/05/12 16:25:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/05/12 12:00:11 | 000,000,512 | ---- | M] () -- C:\WINDOWS\randseed.rnd

[2010/05/12 06:44:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat

[2010/05/12 06:43:59 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/12 03:37:24 | 000,114,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/05/11 15:21:19 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

[2010/05/11 15:02:23 | 002,046,976 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\May 2010 Tires.xls

[2010/05/11 14:46:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/05/11 14:46:37 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/05/11 14:46:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/05/11 14:46:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/05/11 14:46:37 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/05/11 13:58:41 | 000,000,070 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Remap.cmd

[2010/05/11 13:52:14 | 000,001,128 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PBS.RDP

[2010/05/11 13:49:02 | 000,001,253 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\TurboMeeting.lnk

[2010/05/11 12:50:25 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\GM EPC4.url

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/19 10:19:22 | 000,003,004 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\111.html

[2010/05/19 06:58:09 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/05/19 06:58:07 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/05/19 06:56:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/05/19 06:56:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/05/19 06:56:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/05/19 06:56:08 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/05/19 06:56:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/05/19 06:42:21 | 003,691,277 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[2010/05/19 06:40:32 | 000,949,152 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip

[2010/05/18 13:41:20 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\7b1nowvf.exe

[2010/05/17 11:50:39 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\0240.xls

[2010/05/17 09:02:30 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/05/17 09:01:47 | 001,251,432 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Google Updater.exe

[2010/05/14 12:22:06 | 002,389,595 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SDCSRulebook%202008%202009.pdf

[2010/05/13 09:00:02 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig

[2010/05/13 08:48:51 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Malwarebytes' Anti-Malware.lnk

[2010/05/12 06:44:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/05/12 06:43:59 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/11 15:21:18 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

[2010/05/11 15:02:23 | 002,046,976 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\May 2010 Tires.xls

[2010/05/11 15:01:23 | 000,067,364 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\OrderTemplate.xls

[2010/05/11 13:54:29 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Remap.cmd

[2010/05/11 13:52:14 | 000,001,128 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PBS.RDP

[2010/05/11 13:49:35 | 000,001,156 | -H-- | C] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp

[2010/05/11 13:49:02 | 000,001,253 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\TurboMeeting.lnk

[2010/05/11 10:55:39 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\GM EPC4.url

[2008/12/31 05:14:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\softcoin.dll

[2008/12/31 05:14:00 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\gencoin.dll

[2007/01/22 16:01:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2007/01/19 10:32:09 | 000,348,880 | R--- | C] () -- C:\WINDOWS\System32\igmedkrn.dll

[2007/01/19 10:32:09 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4624.dll

[2006/02/28 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >


You are welcome :)

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /uninstall; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)", then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
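As an added check after the Java removal steps above (example code, not from the original post), this PowerShell script lists every JRE registration still present on the machine and flags anything older than the 6u20 build the post installs. It assumes PowerShell is installed on the XP box and reads only the standard Uninstall and JavaSoft registry keys.

```powershell
# Added example, not part of the original post: inventory the Java Runtime
# installations still registered after the Add/Remove Programs step and flag
# anything older than the 6u20 build the post tells the user to install.
# Assumes PowerShell is present on the XP box.
$TargetUpdate = 20   # jre-6u20-windows-i586.exe from the post

function Get-JavaUpdateNumber {
    # Pull the "update" number out of either an Add/Remove display name
    # ("Java(TM) 6 Update 18") or a JavaSoft version subkey ("1.6.0_18").
    param([string]$Text)
    if ($Text -match 'Update\s+(\d+)') { return [int]$Matches[1] }
    if ($Text -match '1\.6\.0_(\d+)')  { return [int]$Matches[1] }
    return $null
}

function Get-JavaState {
    param($UpdateNumber)
    if ($UpdateNumber -eq $null) { return 'unknown version - check by hand' }
    if ($UpdateNumber -lt $TargetUpdate) { return 'OUTDATED - remove' }
    return 'current'
}

$entries = @()

# 1. Everything Add/Remove Programs would show (32-bit and 64-bit views).
foreach ($root in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        if ($p.DisplayName -match 'Java|J2SE|JRE') {
            $entries += @{
                Source = 'Add/Remove'
                Name   = $p.DisplayName
                Update = Get-JavaUpdateNumber $p.DisplayName
                Detail = $p.UninstallString
            }
        }
    }
}

# 2. The JRE's own registration. A version subkey left behind here means an
#    uninstall was incomplete even if Add/Remove Programs no longer lists it.
#    The plain "1.6" subkey is only an alias for the current build; skip it.
$jsRoot = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jsRoot) {
    foreach ($key in Get-ChildItem $jsRoot) {
        if ($key.PSChildName -notmatch '_') { continue }
        $p = Get-ItemProperty $key.PSPath
        $entries += @{
            Source = 'JavaSoft'
            Name   = $key.PSChildName
            Update = Get-JavaUpdateNumber $key.PSChildName
            Detail = $p.JavaHome
        }
    }
}

# 3. Report. Anything marked OUTDATED goes back through the removal steps.
if ($entries.Count -eq 0) {
    'No Java Runtime registrations found.'
} else {
    foreach ($e in $entries) {
        '{0,-10} {1,-32} {2,-30} {3}' -f $e.Source, $e.Name, (Get-JavaState $e.Update), $e.Detail
    }
}
```

Run it once before and once after the reboot that follows the removals; a clean machine shows only the 6u20 entries.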
