
Unable to finish GMER



Hello

My PC has been infected with a virus/spyware. When I run McAfee it finds Appletx.class and Hirwfee.class and deletes them; when I reboot I am unable to access the internet until I do a System Restore from last week. Then the internet works fine for a while until McAfee deletes those files and I reboot, and then I'm stuck without the Internet again. I ran Defogger and DDS; the files for DDS are attached. When I run GMER it runs for a while, then the PC reboots when I move the mouse. I was previously experiencing a browser hijacker also.

Thank You

Craig

DDS.txt

Attach.zip


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please try to run the GMER scan with only the Sections option checked and post me the log.


Hi Elise

Here is the result from the GMER scan

Thanks for all your help!

Craig

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-04 06:29:19

Windows 5.1.2600 Service Pack 3

Running: qk1cn08c.exe; Driver: C:\DOCUME~1\home\LOCALS~1\Temp\pwlyqfod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP 9E56926F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP 9E569231 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP 9E569285 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP 9E56929B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP 9E569245 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP 9E56925B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP 9E56921D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP 9E5691DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP 9E5691C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP 9E5691F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP 9E56919B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8975000, 0x19DAB0, 0xE8000020]


.text C:\WINDOWS\System32\svchost.exe[1444] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01B2002C

.text C:\WINDOWS\System32\svchost.exe[1444] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01B20047

.text C:\WINDOWS\System32\svchost.exe[1444] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01B3000A

.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A

.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01890FE5

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01890F1C

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01890F41

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01890F52

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0189001B

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01890F9E

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01890EFA

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01890042

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01890089

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0189006E

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 018900A4

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01890F79

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01890FD4

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01890F0B

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0189000A

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01890FAF

.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0189005D

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03070FC3

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03070FA8

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03070FD4

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03070FEF

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03070065

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03070000

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0307004A

.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0307002F

.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 029A005A

.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 029A0049

.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 029A002E

.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 029A0000

.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 029A0FCF

.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 029A001D

.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0192000A

.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0192001B

.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01920040

.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01920051

.text C:\WINDOWS\Explorer.EXE[1848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01940FEF

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013D0FEF

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013D006F

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013D0F7A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013D0054

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013D0F97

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013D0FB2

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013D0F3D

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013D0F4E

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013D0EF6

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013D0F07

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013D00AA

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013D0043

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013D0014

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013D0F5F

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013D0FC3

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013D0FDE

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013D0F2C

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01410FCA

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01410F8D

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01410011

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01410000

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01410FA8

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01410FEF

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0141004A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01410FB9

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01400051

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] msvcrt.dll!system 77C293C7 5 Bytes JMP 01400036

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01400FC6

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01400FE3

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0140001B

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01400000

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013F000A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 013E0FEF

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 013E0FDE

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 013E0014

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2516] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 013E0FC3

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0F86

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0F97

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D0FA8

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D0FB9

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0FCA

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D0F53

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D0F64

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D00CA

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0F31

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D00E5

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0051

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D001B

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D0F75

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D0036

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FE5

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D0F42

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DF0FB9

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DF004A

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DF0000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DF0FD4

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DF0F8D

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DF0FEF

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DF002F

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DF0FA8

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DE0F8B

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DE0F9C

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DE0FD2

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DE000C

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DE0FB7

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DE0FEF

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00DC0FEF

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00DC000A

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00DC0FD4

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2756] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00DC0025

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F5C

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F77

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0051

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F9E

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FCA

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B006C

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F30

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0EFF

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0098

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0EDA

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FAF

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B001B

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F4B

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0036

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FE5

.text C:\WINDOWS\system32\svchost.exe[3168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B007D

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0025

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0FAF

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FD4

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE000A

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE006C

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE005B

.text C:\WINDOWS\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0040

.text C:\WINDOWS\system32\svchost.exe[3168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FAB

.text C:\WINDOWS\system32\svchost.exe[3168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0036

.text C:\WINDOWS\system32\svchost.exe[3168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FC6

.text C:\WINDOWS\system32\svchost.exe[3168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000

.text C:\WINDOWS\system32\svchost.exe[3168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0025

.text C:\WINDOWS\system32\svchost.exe[3168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FD7

.text C:\WINDOWS\system32\svchost.exe[3168] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 007A000A

.text C:\WINDOWS\system32\svchost.exe[3168] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 007A0FE5

.text C:\WINDOWS\system32\svchost.exe[3168] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 007A001B

.text C:\WINDOWS\system32\svchost.exe[3168] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 007A0FC0

.text C:\WINDOWS\system32\SearchIndexer.exe[3584] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

.text C:\WINDOWS\system32\wuauclt.exe[3716] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A

.text C:\WINDOWS\system32\wuauclt.exe[3716] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A

.text C:\WINDOWS\system32\wuauclt.exe[3716] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C

.text C:\WINDOWS\system32\wuauclt.exe[3716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0F8B

.text C:\WINDOWS\system32\wuauclt.exe[3716] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D0FA6

.text C:\WINDOWS\system32\wuauclt.exe[3716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D000C

.text C:\WINDOWS\system32\wuauclt.exe[3716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D0FEF

.text C:\WINDOWS\system32\wuauclt.exe[3716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0FB7

.text C:\WINDOWS\system32\wuauclt.exe[3716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FDE

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002E000A

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002E002F

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002E0FB9

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002E0FCA

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002E0F72

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002E0FE5

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002E0F83

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4E, 88]

.text C:\WINDOWS\system32\wuauclt.exe[3716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002E0F94

---- EOF - GMER 1.0.15 ----


Hello again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi

I downloaded ComboFix, disabled McAfee, and started ComboFix. It got to the "scanning for viruses" screen, sat there for a minute, then blue-screened with an IRQL_NOT_LESS_OR_EQUAL Stop 0x0000000A (0x00000001, 0x0000001c, 0x00000000, 0x8050202CD1).


Can you please try to run Combofix in safe mode and let me know if the same thing happens.

If so, please indicate exactly where the BSOD occurs (does the green loading bar finish, does the recovery console get installed, does a new restore point/registry backup finish).


Hi

Started in safe mode,

started ComboFix,

it said it found rootkit activity and needed to reboot,

rebooted

ComboFix started running again after normal startup.

The ComboFix screen said it Completed Stage 1 and Completed Stage 2.

Then a Windows error message came up saying PEV.cfxxe encountered a problem and needs to close.

It completed the rest of the stages.

Here's the ComboFix file:

ComboFix 10-06-03.01 - home 06/04/2010 12:53:57.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2869 [GMT -5:00]

Running from: c:\documents and settings\home\Desktop\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))

.

2010-05-21 22:10 . 2010-05-21 22:10 56840 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-13 14:39 . 2010-05-13 14:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-05-12 14:17 . 2010-05-12 14:17 328728 ----a-w- c:\windows\system32\drivers\IASTOR.SYS

2010-05-11 21:58 . 2010-05-27 13:24 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-07 16:15 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-04 16:03 . 2010-06-04 16:03 -------- d-----w- c:\program files\Advanced Registry Optimizer

2010-06-04 16:02 . 2010-06-04 16:02 -------- d-----w- c:\program files\MemTurbo 4

2010-06-04 16:02 . 2010-06-02 20:40 -------- d-----w- c:\program files\test

2010-06-04 16:02 . 2010-04-19 12:52 -------- d-----w- c:\documents and settings\home\Application Data\Sammsoft

2010-06-04 16:01 . 2010-06-04 16:01 -------- d-----w- c:\program files\Exterminate It!

2010-06-02 21:34 . 2009-11-23 17:43 -------- d-----w- c:\documents and settings\home\Application Data\Apple Computer

2010-06-02 20:40 . 2010-06-02 20:40 -------- d-----w- c:\documents and settings\home\Application Data\Malwarebytes

2010-06-02 20:40 . 2010-06-02 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-27 21:50 . 2009-12-09 17:28 -------- d-----w- c:\program files\Google

2010-05-27 13:23 . 2010-04-19 17:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-27 13:23 . 2010-04-19 22:31 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-27 13:23 . 2010-01-20 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-21 15:21 . 2009-12-18 17:04 -------- d-----w- c:\documents and settings\home\Application Data\ArcSoft

2010-05-07 16:15 . 2009-12-21 15:29 -------- d-----w- c:\program files\Lavasoft

2010-04-20 21:30 . 2010-04-20 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-04-20 21:30 . 2010-04-20 21:30 -------- d-----w- c:\documents and settings\home\Application Data\Office Genuine Advantage

2010-03-11 12:38 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2008-04-25 16:16 430080 ----a-w- c:\windows\system32\vbscript.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-05-10_18.41.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-04 17:52 . 2010-06-04 17:52 16384 c:\windows\Temp\Perflib_Perfdata_79c.dat

- 2008-04-25 16:16 . 2010-05-10 18:37 79630 c:\windows\system32\perfc009.dat

+ 2008-04-25 16:16 . 2010-06-04 17:56 79630 c:\windows\system32\perfc009.dat

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

- 2008-04-25 16:16 . 2010-05-10 18:37 466414 c:\windows\system32\perfh009.dat

+ 2008-04-25 16:16 . 2010-06-04 17:56 466414 c:\windows\system32\perfh009.dat

+ 2008-04-25 21:27 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll

- 2008-04-25 21:27 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll

- 2009-07-25 07:26 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll

+ 2009-07-25 07:26 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll

- 2010-01-20 22:29 . 2010-04-14 08:03 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2010-05-27 13:14 . 2010-06-04 16:03 5655012 c:\windows\system32\Restore\rstrlog.dat

- 2009-11-20 16:26 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll

+ 2009-11-20 16:26 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll

+ 2010-05-15 01:32 . 2010-05-15 01:32 1235968 c:\windows\Installer\c9404a4.msi

+ 2009-10-16 12:08 . 2009-10-16 12:08 2237952 c:\windows\Installer\57eb5aa.msp

+ 2010-04-09 20:21 . 2010-04-09 20:21 5025792 c:\windows\Installer\57eb593.msp

+ 2010-01-20 22:29 . 2010-05-11 21:55 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2008-08-26 04:50 . 2008-08-26 04:50 2585592 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\VBE6.DLL

+ 2009-11-20 16:35 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-09-01 1044480]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-19 796184]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-09 122880]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]

c:\documents and settings\home\Start Menu\Programs\Startup\

MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2010-4-19 3121760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-20 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2009-12-18 57344]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\documents and settings\home\My Documents\Kim's folder\total pics\mexico09\P6140020.JPG

FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2009 10:38 AM 64288]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/25/2009 5:19 AM 24064]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [7/25/2009 2:28 AM 2066968]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [7/25/2009 5:19 AM 144480]

S1 gwtwfstv;gwtwfstv;\??\c:\windows\system32\drivers\gwtwfstv.sys --> c:\windows\system32\drivers\gwtwfstv.sys [?]

S1 MpKsl088b1160;MpKsl088b1160;\??\c:\windows\system32\MpEngineStore\MpKsl088b1160.sys --> c:\windows\system32\MpEngineStore\MpKsl088b1160.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 11:15 AM 135664]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1314704]

.

Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:38]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 16:15]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 16:15]

2010-06-04 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(828)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-04 13:11:28

ComboFix-quarantined-files.txt 2010-06-04 18:11

ComboFix2.txt 2010-05-10 18:43

Pre-Run: 166,947,692,544 bytes free

Post-Run: 167,232,630,784 bytes free

- - End Of File - - F485C3145246A9373675025F50C0B912


Hello again,

That took out a nasty rootkit. Before continuing, please read the following information:

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please let me know how things are running now. Launch MBAM, update it first and run a full scan. Please post me the log.


Hi

OK, I still am unable to access the internet on my infected PC, as I noted at the beginning, unless I do a System Restore to a day before this infection began; I didn't do that unless you want me to. I downloaded MBAM on my other PC and transferred it to the infected one. Here is the log file.

Thanks again for all your help!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/4/2010 6:28:13 PM

mbam-log-2010-06-04 (18-28-13).txt

Scan type: Full scan (C:\|F:\|)

Objects scanned: 238940

Time elapsed: 44 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hello again,

It's good you didn't do a System Restore; that would not improve matters at this point (for one thing, it would put back the rootkit we just disinfected).

Please try the following things.

First of all, if you use a router to connect to the internet, reset it. Malware often infects routers (a router usually has a reset button on the backside somewhere).

Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.

On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Now, click Start > Run and type cmd in the runbox.

A command window will open. Type ipconfig /flushdns and press enter.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

@echo off
rem Collect adapter settings, DNS lookups, reachability and the routing table into one log
(ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print) >>Log1.txt
rem Open the log for copying, then remove this batch file
start notepad Log1.txt
del %0

Go to the File menu at the top of the Notepad and select Save as.

Select save in: desktop

Fill in File name: test.bat

Save as type: All file types (*.*)

Click save.

Close the Notepad.

Locate and double-click test.bat on the desktop.

Notepad opens; copy and paste its content (Log1.txt) into your reply.


Hi

I reset the router, although it does work fine for my other PC plugged into it. Here is the log file:

Thanks Again!

Windows IP Configuration

Host Name . . . . . . . . . . . . : optiplex760

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : dynamic.uiowa.edu

Description . . . . . . . . . . . : Intel® 82567LM-3 Gigabit Network Connection

Physical Address. . . . . . . . . : 00-23-AE-A3-F0-60

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 0.0.0.0

Subnet Mask . . . . . . . . . . . : 0.0.0.0

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . : 128.255.3.99

DNS Servers . . . . . . . . . . . : 128.255.64.5

128.255.1.3

128.255.64.11

Server: UnKnown

Address: 127.0.0.1

Server: UnKnown

Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Ping request could not find host yahoo.com. Please check the name and try again.

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...00 23 ae a3 f0 60 ...... Intel® 82567LM-3 Gigabit Network Connection - Packet Scheduler Miniport

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

255.255.255.255 255.255.255.255 255.255.255.255 2 1

===========================================================================

Persistent Routes:

None

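The checks the helper walks through (DHCP lease, default gateway, resolver in use, name resolution, routing table) can be applied mechanically to a Log1.txt of the shape posted above. The script below is an added example, not part of the thread or of any tool mentioned in it: it parses a constructed sample with the same layout as the posted log (RFC 5737 documentation addresses stand in for the real ones) and reports the same symptoms the log shows, namely no address obtained although DHCP is enabled, no default gateway or default route, nslookup querying 127.0.0.1 instead of the DNS servers ipconfig lists, and unresolved hosts. It assumes the English-language Windows XP output format shown in the thread; other locales label the fields differently.

```python
"""Triage of a Log1.txt from the diagnostic batch file (added example, not
from the thread). Assumes the English Windows XP output layout shown in the
thread; other locales label the ipconfig fields differently."""
import re

# Constructed sample with the layout of the posted log; addresses are
# RFC 5737 documentation values, not the real ones from the thread.
SAMPLE_LOG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix . : example.invalid
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54
Server:  UnKnown
Address:  127.0.0.1
Ping request could not find host google.com. Please check the name and try again.
Ping request could not find host yahoo.com. Please check the name and try again.
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
"""
# A working adapter for contrast (also constructed).
HEALTHY_LOG = """\
Ethernet adapter Local Area Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.0.2.20
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
Server:  dns.example.invalid
Address:  192.0.2.53
Reply from 203.0.113.10: bytes=32 time=20ms TTL=54
Active Routes:
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.20      20
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*?)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RESOLVER_RE = re.compile(r"^Server:\s*\S+\s*\n\s*Address:\s*(\S+)", re.MULTILINE)
UNRESOLVED_RE = re.compile(r"could not find host (\S+)\. Please")
DEFAULT_ROUTE_RE = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", re.MULTILINE)


def parse_ipconfig(text):
    """Map 'Name . . . : value' lines to a dict. DNS Servers becomes a list,
    because ipconfig prints additional servers on bare indented lines."""
    fields, last_key = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2)
            fields[last_key] = [value] if last_key == "DNS Servers" else value
        elif last_key == "DNS Servers" and IPV4_RE.match(line.strip()):
            fields[last_key].append(line.strip())
        else:
            last_key = None
    return fields

def resolvers_in_use(text):
    """Addresses nslookup actually queried ('Server:' / 'Address:' pairs)."""
    return RESOLVER_RE.findall(text)

def unresolved_hosts(text):
    return UNRESOLVED_RE.findall(text)

def default_route_gateway(text):
    m = DEFAULT_ROUTE_RE.search(text)
    return m.group(1) if m else None

def triage(text):
    """Return (code, detail) findings; an empty list means nothing looked wrong."""
    cfg, findings = parse_ipconfig(text), []
    ip = cfg.get("IP Address", "")
    if cfg.get("Dhcp Enabled") == "Yes" and ip in ("", "0.0.0.0"):
        findings.append(("NO_LEASE", "DHCP is enabled but no address was obtained"))
    elif ip.startswith("169.254."):
        findings.append(("APIPA", f"{ip} is an automatic private address: DHCP never answered"))
    if not cfg.get("Default Gateway"):
        findings.append(("NO_GATEWAY", "ipconfig reports no default gateway"))
    if default_route_gateway(text) is None:
        findings.append(("NO_DEFAULT_ROUTE", "no 0.0.0.0/0 entry in 'route print'"))
    configured = set(cfg.get("DNS Servers", []))
    for addr in sorted(set(resolvers_in_use(text))):
        if addr.startswith("127.") and addr not in configured:
            # nslookup going to loopback while ipconfig lists real servers is a
            # frequent sign of a local DNS hijack or a broken TCP/IP stack
            findings.append(("LOOPBACK_RESOLVER",
                             f"nslookup queried {addr}, not {sorted(configured)}"))
    hosts = unresolved_hosts(text)
    if hosts:
        findings.append(("NAME_RESOLUTION_FAILED", "could not resolve " + ", ".join(hosts)))
    return findings

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code}: {detail}")
```

Run it against a real Log1.txt by reading the file and passing its text to triage(); the finding codes are stable strings so the result can be compared between a before and after run. Note that the LOOPBACK_RESOLVER check only fires when the loopback address is not itself among the configured DNS servers, so a machine that deliberately runs a local caching resolver is not flagged.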

Hello again,

OTL

-----

Please download OTL from one of the following mirrors:

• Save it to your desktop.

• Double click on the OTL icon on your desktop.

• Click the "Scan All Users" checkbox.

• Push the Run Scan button.

• Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


Thanks!!

OTL logfile created on: 6/5/2010 10:51:17 AM - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\home\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.79 Gb Total Space | 155.87 Gb Free Space | 66.96% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 232.83 Gb Total Space | 224.64 Gb Free Space | 96.48% Space Free | Partition Type: NTFS

Drive G: | 500.83 Mb Total Space | 63.06 Mb Free Space | 12.59% Space Free | Partition Type: FAT

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: OPTIPLEX760

Current User Name: home

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/05 10:50:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\home\Desktop\OTL.exe

PRC - [2010/04/03 16:44:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

PRC - [2009/12/09 12:29:06 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2009/12/09 12:29:05 | 000,122,880 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

PRC - [2009/02/19 10:56:42 | 000,796,184 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

PRC - [2009/02/19 10:56:40 | 002,066,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

PRC - [2009/02/19 10:56:36 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\lms.exe

PRC - [2009/02/04 21:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

PRC - [2009/01/27 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

PRC - [2009/01/27 21:50:00 | 000,111,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

PRC - [2009/01/27 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

PRC - [2008/08/31 21:24:24 | 001,044,480 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe

PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/10/25 16:06:00 | 000,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe

PRC - [2007/10/25 11:05:40 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

PRC - [2007/10/25 11:04:56 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe

PRC - [2007/10/25 11:03:28 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe

PRC - [2007/09/04 15:52:08 | 000,095,536 | ---- | M] (OLYMPUS IMAGING CORP.) -- C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

PRC - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe

PRC - [2007/04/19 05:56:36 | 000,133,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe

PRC - [2006/09/29 12:55:14 | 000,057,344 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

PRC - [2006/09/11 04:40:32 | 000,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

========== Modules (SafeList) ==========

MOD - [2010/06/05 10:50:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\home\Desktop\OTL.exe

MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/05/20 09:38:20 | 001,314,704 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2009/11/20 12:56:29 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)

SRV - [2009/02/19 10:56:40 | 002,066,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®

SRV - [2009/02/19 10:56:36 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\lms.exe -- (LMS) Intel®

SRV - [2009/01/27 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)

SRV - [2009/01/27 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)

SRV - [2007/10/25 11:03:28 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

SRV - [2007/04/19 05:56:36 | 000,133,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent)

========== Driver Services (SafeList) ==========

DRV - [2010/05/12 09:17:42 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)

DRV - [2010/02/04 10:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2009/05/04 20:25:34 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®

DRV - [2009/01/27 21:50:00 | 000,177,864 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2009/01/27 21:50:00 | 000,073,512 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2009/01/27 21:50:00 | 000,065,000 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)

DRV - [2009/01/27 21:50:00 | 000,052,168 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2009/01/27 21:50:00 | 000,034,408 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2008/12/29 20:34:52 | 000,144,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel®

DRV - [2008/08/31 21:24:24 | 000,338,944 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV - [2008/08/31 21:24:24 | 000,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO)

DRV - [2008/08/27 23:21:06 | 003,230,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2008/05/23 16:54:38 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)

DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)

DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2007/07/23 14:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2007/07/23 14:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)

DRV - [2003/09/20 09:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)

DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)

DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)

DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)

DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)

DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)

DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)

DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)

DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)

DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)

DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)

DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)

DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)

DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)

DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)

DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USREL/1

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/

IE - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)

O4 - HKLM..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe (OLYMPUS IMAGING CORP.)

O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)

O4 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-1493179546-2307289003-3433088135-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)

O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1263564143146 (MUWebControl Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.255.64.5 128.255.1.3 128.255.64.11

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop Components:0 () - C:\Documents and Settings\home\My Documents\Kim's folder\total pics\mexico09\P6140020.JPG

O24 - Desktop Components:1 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/06/04 13:22:54 | 000,000,063 | ---- | M] () - G:\AUTORUN.INF -- [ FAT ]

O33 - MountPoints2\{0f6ebb34-d5f5-11de-8d62-0023aea3f060}\Shell\AutoRun\command - "" = G:\OSDINSTALLCD.EXE -- [2006/08/31 07:00:00 | 000,152,360 | ---- | M] (Microsoft Corporation)

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/05 10:50:54 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\home\Desktop\OTL.exe

[2010/06/04 15:22:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/06/04 15:22:28 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/06/04 15:22:27 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/06/04 15:19:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/06/04 15:12:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt

[2010/06/04 12:47:39 | 000,000,000 | ---D | C] -- C:\ComboFix

[2010/06/04 11:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google

[2010/06/04 11:03:11 | 000,000,000 | ---D | C] -- C:\Program Files\Advanced Registry Optimizer

[2010/06/04 11:02:58 | 000,000,000 | ---D | C] -- C:\Program Files\MemTurbo 4

[2010/06/04 09:22:40 | 000,000,000 | ---D | C] -- C:\ComboFix(3)

[2010/06/02 15:40:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\home\Application Data\Malwarebytes

[2010/06/02 15:40:19 | 000,000,000 | ---D | C] -- C:\Program Files\test

[2010/06/02 15:40:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/06/02 15:28:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC

[2010/05/27 08:23:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\home\Local Settings\Application Data\ngiavwfkv

[2010/05/26 09:16:42 | 000,000,000 | ---D | C] -- C:\ComboFix(2)

[2010/05/24 18:02:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2010/05/24 14:44:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/05/24 14:44:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/05/21 10:21:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\home\My Documents\ArcSoft

[2010/05/13 09:39:51 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/05/12 09:17:42 | 000,328,728 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\IASTOR.SYS

[2010/05/11 16:58:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

[2010/05/10 13:28:55 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/05/10 13:26:53 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/05/10 13:26:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/05/10 13:26:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/05/10 13:26:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/05/10 13:26:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/05/10 13:26:09 | 000,000,000 | ---D | C] -- C:\Qoobox

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\home\My Documents\*.tmp files -> C:\Documents and Settings\home\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/05 10:50:52 | 002,883,584 | ---- | M] () -- C:\Documents and Settings\home\ntuser.dat

[2010/06/05 10:50:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\home\Desktop\OTL.exe

[2010/06/05 10:50:34 | 000,000,658 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/06/05 10:30:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/06/05 03:30:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/06/04 17:44:24 | 000,557,242 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/04 17:44:24 | 000,466,414 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/06/04 17:44:24 | 000,079,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/06/04 17:41:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/04 17:40:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/04 17:40:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/04 17:40:15 | 3487,150,080 | -HS- | M] () -- C:\hiberfil.sys

[2010/06/04 16:04:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\home\ntuser.ini

[2010/06/04 16:03:54 | 005,350,630 | -H-- | M] () -- C:\Documents and Settings\home\Local Settings\Application Data\IconCache.db

[2010/06/04 13:08:05 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/06/04 11:08:10 | 003,702,826 | R--- | M] () -- C:\Documents and Settings\home\Desktop\ComboFix.exe

[2010/06/03 11:06:04 | 000,005,624 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Attach.zip

[2010/06/03 09:38:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/06/03 09:16:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\home\defogger_reenable

[2010/06/02 15:24:22 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/05/21 17:10:32 | 000,056,840 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/05/21 15:38:31 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/05/21 14:22:30 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Microsoft Office Excel 2007.lnk

[2010/05/14 20:32:09 | 000,001,917 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/05/13 09:39:48 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/05/12 16:48:05 | 000,093,184 | ---- | M] () -- C:\Documents and Settings\home\My Documents\NETworth11.8.09xls.xls

[2010/05/12 11:59:51 | 000,005,245 | ---- | M] () -- C:\Documents and Settings\home\My Documents\K-report.html

[2010/05/12 09:17:42 | 000,328,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\IASTOR.SYS

[2010/05/11 16:54:33 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

[2010/05/11 14:01:13 | 000,011,194 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Agronomy Settlement Sheet.xlsx

[2010/05/11 13:59:16 | 000,011,546 | ---- | M] () -- C:\Documents and Settings\home\Desktop\Agronomy Settlement Worksheet.xlsx

[2010/05/10 13:29:01 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/05/07 14:59:05 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\home\My Documents\TAXLOSS10.xls

[2010/05/07 11:15:34 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\home\My Documents\*.tmp files -> C:\Documents and Settings\home\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/04 12:50:26 | 3487,150,080 | -HS- | C] () -- C:\hiberfil.sys

[2010/06/03 11:06:04 | 000,005,624 | ---- | C] () -- C:\Documents and Settings\home\Desktop\Attach.zip

[2010/06/03 09:16:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\home\defogger_reenable

[2010/05/23 02:02:47 | 002,883,584 | ---- | C] () -- C:\Documents and Settings\home\ntuser.dat

[2010/05/21 17:10:32 | 000,056,840 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/05/14 20:32:09 | 000,001,917 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/05/12 11:59:51 | 000,005,245 | ---- | C] () -- C:\Documents and Settings\home\My Documents\K-report.html

[2010/05/11 16:54:33 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2010/05/11 14:01:17 | 000,011,194 | ---- | C] () -- C:\Documents and Settings\home\Desktop\Agronomy Settlement Sheet.xlsx

[2010/05/11 13:59:21 | 000,011,546 | ---- | C] () -- C:\Documents and Settings\home\Desktop\Agronomy Settlement Worksheet.xlsx

[2010/05/10 13:29:01 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/05/10 13:28:56 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/05/10 13:26:53 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/05/10 13:26:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/05/10 13:26:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/05/10 13:26:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/05/10 13:26:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/05/10 13:22:27 | 003,702,826 | R--- | C] () -- C:\Documents and Settings\home\Desktop\ComboFix.exe

[2010/05/07 11:15:34 | 000,000,869 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2010/03/14 14:09:22 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini

[2010/03/14 14:09:05 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini

[2010/03/14 14:08:10 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini

[2009/12/18 11:55:36 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini

[2009/11/20 12:47:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/11/20 12:02:19 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/07/25 05:19:27 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2009/07/25 02:33:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/07/25 02:28:54 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2008/04/25 16:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2007/04/19 05:52:16 | 000,080,720 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll

[2007/04/19 05:28:10 | 000,025,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll

[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Files - Unicode (All) ==========

[2010/04/13 15:38:39 | 000,000,291 | ---- | M] ()(C:\Documents and Settings\home\Desktop\My name is Kim Beitz.doc?(202KB)?.url) -- C:\Documents and Settings\home\Desktop\My name is Kim Beitz.doc‎(202KB)‎.url

[2010/04/13 15:38:39 | 000,000,291 | ---- | C] ()(C:\Documents and Settings\home\Desktop\My name is Kim Beitz.doc?(202KB)?.url) -- C:\Documents and Settings\home\Desktop\My name is Kim Beitz.doc‎(202KB)‎.url

< End of report >

OTL Extras logfile created on: 6/5/2010 10:51:17 AM - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\home\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.79 Gb Total Space | 155.87 Gb Free Space | 66.96% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 232.83 Gb Total Space | 224.64 Gb Free Space | 96.48% Space Free | Partition Type: NTFS

Drive G: | 500.83 Mb Total Space | 63.06 Mb Free Space | 12.59% Space Free | Partition Type: FAT

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: OPTIPLEX760

Current User Name: home

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call

"{03329281-5216-5AAC-2889-42BAA90AA9A9}" = CCC Help Chinese Standard

"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools

"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center

"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1

"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations

"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger

"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan

"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data

"{100F22AF-553D-3CDB-F89C-B60F46469B33}" = CCC Help Italian

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{20D91772-EB16-4B94-B370-DF825BDA97F6}" = FMH RISQ

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{2466E904-7E48-4597-9321-722CF02930EB}" = 5600

"{24A0A7E4-A410-D4E1-37F0-FC2E0ED01004}" = CCC Help French

"{2788093B-21C6-CD94-2589-0A881A2684A8}" = Catalyst Control Center Core Implementation

"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar

"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload

"{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}" = LUMIX Simple Viewer

"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager

"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp

"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise

"{3650F490-55D6-2D26-D685-FACB56638618}" = Catalyst Control Center Localization Japanese

"{3B24C9F4-BAE9-4E6A-9B7C-DCC19BE31324}" = Catalyst Control Center Graphics Full Existing

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{4054E328-94C6-155A-7F9B-155511178F67}" = Catalyst Control Center Localization Thai

"{41454D20-D3EF-26CA-0094-51EC4D9FA90A}" = Catalyst Control Center Localization Polish

"{4484ED94-E29D-8192-4470-32E16FE32ABB}" = Catalyst Control Center Localization Korean

"{45FCADDB-0B29-457E-83A1-D245C62A716C}" = OLYMPUS Master 2

"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update

"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack

"{527DC9EF-8FA7-A154-A90C-D482F256D3F3}" = Catalyst Control Center Graphics Full New

"{54322232-B3DE-4ED4-8E5E-E91CDA02D7D7}" = Intel® Network Connections 13.1.34.2

"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy

"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg

"{570D2254-A771-E430-DA8A-CFE0811FF66D}" = Catalyst Control Center Localization German

"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch

"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B

"{609E7573-0847-3149-44CB-5612A5FDFCB6}" = ccc-utility

"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer

"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc

"{6EA8A52B-8EA1-4A59-85AB-48132299061A}" = Intel® PRO Alerting Agent

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{6F8799EC-3E7B-3080-903F-44FDCC281158}" = CCC Help English

"{7105D139-C323-639E-79AD-59925919B2F1}" = CCC Help Spanish

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{74F589FD-E68D-AA2B-569F-73972A8F29F1}" = Catalyst Control Center Localization Italian

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware

"{7AB56F86-8859-F35D-92EC-66AE8938C8E1}" = Catalyst Control Center Localization Spanish

"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext

"{83E09138-09A1-1075-EA0E-5332CA2E02CB}" = Catalyst Control Center Localization Chinese Traditional

"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio

"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin

"{8978A90C-FDC0-2980-98FB-347AB5ADD818}" = ccc-core-static

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{89FD1110-1362-1B23-D78B-A54176AC2441}" = Catalyst Control Center Localization Portuguese

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{8CB3ED73-ABEE-949D-8EE9-B8B4CD0F4949}" = CCC Help Japanese

"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack

"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)

"{908F3442-DFD7-19CF-AD15-449AF7A0682B}" = Catalyst Control Center Localization French

"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme

"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A9DBEBC-C800-4776-A970-D76D6AA405B1}" = PHOTOfunSTUDIO -viewer-

"{9C28C880-EFC8-C87F-BA4A-B7E912448399}" = Catalyst Control Center Graphics Light

"{9E397B40-13F7-4CA2-9943-ADB29ACBBFDF}" = ArcSoft Software Suite

"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes

"{A7AEE77C-2DC2-69F0-8C02-4D7C6BCBC5B7}" = Catalyst Control Center Localization Chinese Standard

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC76BA86-1033-0000-7760-000000000004}" = Adobe Acrobat 9 Pro

"{AC76BA86-1033-0000-7760-000000000004}_932" = Adobe Acrobat 9.3.2 - CPSID_53951

"{AC76BA86-1033-0000-7760-000000000004}{AC76BA86-1033-0000-7760-000000000004}" = Adobe Acrobat 9 Pro

"{AF521B1D-7A5B-7565-7635-0F9169B97EA8}" = CCC Help Portuguese

"{B01649C2-BEC1-0D69-47D1-FCBB747275ED}" = CCC Help Korean

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B3282FB8-874B-4054-8356-9EB391A826F9}" = OLYMPUS muvee theaterPack

"{B399106F-0878-9AC8-6AFB-D306C863942B}" = CCC Help Polish

"{B711B1FC-140B-779B-1754-DEE3D0D245ED}" = CCC Help Thai

"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2

"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{BFD5AC8A-5884-4da8-9873-3DF8E3DCCE18}" = 5600Trb

"{C0471BC5-1BF6-4685-A4AC-9E6E34B81730}" = Cribbage 2D

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan

"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CC7984C5-020D-4944-85A0-58D09D4A8BFB}" = 5600_Help

"{CD4D567E-44D7-4CDA-977D-C918D88FA3D9}_is1" = MemTurbo 4

"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CF1E99F2-6379-461C-9DD5-26115381851D}" = ccc-core-preinstall

"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials

"{DE660DD0-304A-CE96-D1E4-71FED40277D7}" = CCC Help Chinese Traditional

"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware

"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant

"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only

"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter

"{ED91136D-4AC7-E90D-428E-E3813565D33C}" = CCC Help German

"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status

"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform

"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery

"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth

"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync

"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express

"Ad-Aware" = Ad-Aware

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Advanced Registry Optimizer_is1" = Advanced Registry Optimizer

"ATI Display Driver" = ATI Display Driver

"ENTERPRISE" = Microsoft Office Enterprise 2007

"Google Chrome" = Google Chrome

"HP Imaging Device Functions" = HP Imaging Device Functions 5.3

"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3

"HPExtendedCapabilities" = HP Extended Capabilities 5.3

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MESOL" = Intel


Hello again,

It looks like your routing table is causing the trouble, so let's try to rebuild that.

Click Start > Run, type cmd in the runbox and press enter.

Type the following at the command prompt and press enter:

route /f

When finished, restart your computer and let me know if the internet is working now.


One thing we didn't try:

Click Start > Run, type services.msc in the runbox and press enter.

Scroll down to the DHCP service and check if the service is Started and set to Automatic.

If not, right click on the service, select Properties and set the right options.

If it will not start, let me know what error message is returned.


YOU are really good!! :P Even though it was set to start automatically, it was not started till I manually started it. I rebooted the PC and again DHCP did not start till I manually started it in services. What do you think?

Thanks!

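The DHCP check above, and the follow-up symptom of a service set to Automatic that still is not running after a reboot, are the kind of thing a script can report in one go. The following Windows PowerShell diagnostic is an added example, not part of the thread or of any tool mentioned in it; it assumes Windows PowerShell with WMI available and uses the standard service name Dhcp for the DHCP Client service.

```powershell
# Added diagnostic (not from the thread): report the DHCP Client service's
# state, start type, binary path and dependencies, so "Automatic but not
# Started" can be traced to whichever prerequisite failed to come up.

function Get-ServiceReport {
    param([string]$Name)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc -eq $null) { return "$Name : NOT INSTALLED" }
    # PathName matters: a service pointed at an unexpected binary is a common
    # way for malware to persist or to break networking after a cleanup.
    return ("{0,-10} State={1,-8} StartMode={2,-6} Path={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
}

function Test-DhcpClient {
    $report = @()
    $report += Get-ServiceReport -Name 'Dhcp'

    $dhcp = Get-Service -Name 'Dhcp' -ErrorAction SilentlyContinue
    if ($dhcp -ne $null) {
        # ServicesDependedOn lists what Dhcp needs before it can start; if any
        # of these is stopped, Dhcp fails at boot even when set to Automatic.
        foreach ($dep in $dhcp.ServicesDependedOn) {
            $report += '  depends on: ' + (Get-ServiceReport -Name $dep.ServiceName)
        }
        if ($dhcp.Status -ne 'Running') {
            # Attempt a manual start and keep the exact error text, which is
            # what the helper asked to see if the service will not start.
            try {
                Start-Service -Name 'Dhcp' -ErrorAction Stop
                $report += 'Dhcp started manually'
            } catch {
                $report += 'Dhcp failed to start: ' + $_.Exception.Message
            }
        }
    }
    return $report
}

Test-DhcpClient
# Routing table as it stands after "route /f" and the reboot, for comparison
# with a known-good machine.
route print
```

Run it from an elevated PowerShell prompt after the reboot and paste the output into the reply along with any error line.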

Hi

Same problem as last time when trying to run ComboFix: when I ran it from a normal bootup it BSODed when the line said scanning for viruses. So I rebooted in safe mode and here is the log file:

ComboFix 10-06-06.01 - home 06/06/2010 14:50:36.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3292.2847 [GMT -5:00]

Running from: c:\documents and settings\home\Desktop\ComboFix1.exe

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))

.

2010-06-06 19:34 . 2010-06-06 19:34 -------- d-----w- c:\windows\system32\x64

2010-06-06 19:34 . 2009-01-11 21:46 993816 ----a-w- c:\windows\system32\igxpun.exe

2010-06-06 19:31 . 2010-06-06 19:31 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 20:22 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-04 20:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-04 20:22 . 2010-06-04 20:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 17:47 . 2010-06-06 19:38 -------- d-----w- C:\ComboFix

2010-06-04 16:03 . 2010-06-04 16:03 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-04 16:03 . 2010-06-04 16:03 -------- d-----w- c:\program files\Advanced Registry Optimizer

2010-06-04 16:02 . 2010-06-04 16:02 -------- d-----w- c:\program files\MemTurbo 4

2010-06-04 14:22 . 2010-06-04 16:01 -------- d-----w- C:\ComboFix(3)

2010-06-02 20:40 . 2010-06-02 20:40 -------- d-----w- c:\documents and settings\home\Application Data\Malwarebytes

2010-06-02 20:40 . 2010-06-04 16:02 -------- d-----w- c:\program files\test

2010-06-02 20:40 . 2010-06-02 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-04 16:02 . 2010-04-19 12:52 -------- d-----w- c:\documents and settings\home\Application Data\Sammsoft

2010-06-02 21:34 . 2009-11-23 17:43 -------- d-----w- c:\documents and settings\home\Application Data\Apple Computer

2010-05-27 21:50 . 2009-12-09 17:28 -------- d-----w- c:\program files\Google

2010-05-27 13:23 . 2010-04-19 17:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-27 13:23 . 2010-04-19 22:31 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-27 13:23 . 2010-01-20 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-21 22:10 . 2010-05-21 22:10 56840 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-21 15:21 . 2009-12-18 17:04 -------- d-----w- c:\documents and settings\home\Application Data\ArcSoft

2010-05-13 14:39 . 2010-05-13 14:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-05-12 14:17 . 2010-05-12 14:17 328728 ----a-w- c:\windows\system32\drivers\IASTOR.SYS

2010-05-07 16:15 . 2009-12-21 15:29 -------- d-----w- c:\program files\Lavasoft

2010-04-20 21:30 . 2010-04-20 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-04-20 21:30 . 2010-04-20 21:30 -------- d-----w- c:\documents and settings\home\Application Data\Office Genuine Advantage

2010-03-11 12:38 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2008-04-25 16:16 430080 ----a-w- c:\windows\system32\vbscript.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-05-10_18.41.09 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-25 16:16 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe

+ 2008-04-25 16:16 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe

+ 2010-01-06 21:33 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll

- 2010-01-06 21:33 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll

+ 2008-04-25 16:16 . 2010-06-06 19:53 79630 c:\windows\system32\perfc009.dat

- 2008-04-25 16:16 . 2010-05-10 18:37 79630 c:\windows\system32\perfc009.dat

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\trk\HDMItrk.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 77824 c:\windows\system32\Lang\hdmi\tha\HDMItha.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\sve\HDMIsve.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 77824 c:\windows\system32\Lang\hdmi\slv\HDMISLV.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\sky\HDMISKY.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\rus\HDMIrus.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\ptg\HDMIptg.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\ptb\HDMIptb.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\plk\HDMIplk.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\nor\HDMInor.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\nld\HDMInld.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 69632 c:\windows\system32\Lang\hdmi\kor\HDMIkor.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 69632 c:\windows\system32\Lang\hdmi\jpn\HDMIjpn.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\ita\HDMIita.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\hun\HDMIhun.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 73728 c:\windows\system32\Lang\hdmi\heb\HDMIheb.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 86016 c:\windows\system32\Lang\hdmi\fra\HDMIfra.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\fin\HDMIfin.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\esp\HDMIesp.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 65536 c:\windows\system32\Lang\hdmi\enu\HDMIenu.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 86016 c:\windows\system32\Lang\hdmi\ell\HDMIell.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 86016 c:\windows\system32\Lang\hdmi\deu\HDMIdeu.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\dan\HDMIdan.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 81920 c:\windows\system32\Lang\hdmi\csy\HDMIcsy.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 65536 c:\windows\system32\Lang\hdmi\cht\HDMIcht.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 65536 c:\windows\system32\Lang\hdmi\chs\HDMIchs.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 73728 c:\windows\system32\Lang\hdmi\ara\HDMIara.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 57344 c:\windows\system32\igxprd32.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 51712 c:\windows\system32\igfxsrvc.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 23552 c:\windows\system32\igfxexps.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 93696 c:\windows\system32\hccutils.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 57344 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igxprd32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 51712 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxsrvc.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 23552 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxexps.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 93696 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\hccutils.dll

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe

+ 2010-05-15 01:32 . 2010-05-15 01:32 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

- 2008-04-25 16:16 . 2010-05-10 18:37 466414 c:\windows\system32\perfh009.dat

+ 2008-04-25 16:16 . 2010-06-06 19:53 466414 c:\windows\system32\perfh009.dat

+ 2008-04-25 21:27 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll

- 2008-04-25 21:27 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 183808 c:\windows\system32\igxpgd32.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 982192 c:\windows\system32\igkrng500.bin

+ 2009-07-25 10:20 . 2009-01-11 21:46 141336 c:\windows\system32\igfxtray.exe

+ 2009-07-25 10:20 . 2009-01-11 21:46 250392 c:\windows\system32\igfxsrvc.exe

+ 2009-07-25 10:20 . 2009-01-11 21:46 199168 c:\windows\system32\igfxpph.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 141336 c:\windows\system32\igfxpers.exe

+ 2009-07-25 10:20 . 2009-01-11 21:46 172056 c:\windows\system32\igfxext.exe

+ 2009-07-25 10:20 . 2009-01-11 21:46 130048 c:\windows\system32\igfxdo.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 205312 c:\windows\system32\igfxdev.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 147456 c:\windows\system32\igfxCoIn_v5009.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 652312 c:\windows\system32\igfxcfg.exe

+ 2009-07-25 10:20 . 2009-01-11 21:46 417344 c:\windows\system32\igcompkrng500.bin

+ 2009-07-25 10:20 . 2009-01-11 21:46 173592 c:\windows\system32\hkcmd.exe

+ 2010-06-06 19:34 . 2009-01-11 21:46 183808 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igxpgd32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 147456 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igxpco32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 982192 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igkrng500.bin

+ 2010-06-06 19:34 . 2009-01-11 21:46 141336 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxtray.exe

+ 2010-06-06 19:34 . 2009-01-11 21:46 250392 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxsrvc.exe

+ 2010-06-06 19:34 . 2009-01-11 21:46 199168 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxpph.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 141336 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxpers.exe

+ 2010-06-06 19:34 . 2009-01-11 21:46 172056 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxext.exe

+ 2010-06-06 19:34 . 2009-01-11 21:46 130048 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxdo.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 205312 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxdev.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 652312 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxcfg.exe

+ 2010-06-06 19:34 . 2009-01-11 21:46 417344 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igcompkrng500.bin

+ 2010-06-06 19:34 . 2009-01-11 21:46 173592 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\hkcmd.exe

+ 2009-07-25 07:26 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll

- 2009-07-25 07:26 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll

+ 2009-07-25 07:28 . 2009-01-11 21:46 319456 c:\windows\system32\difxapi.dll

- 2009-07-25 07:28 . 2006-11-10 13:25 319456 c:\windows\system32\difxapi.dll

- 2010-01-20 22:29 . 2010-04-14 08:03 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2010-05-27 13:14 . 2010-06-04 16:03 5655012 c:\windows\system32\Restore\rstrlog.dat

+ 2009-07-25 10:20 . 2009-01-11 21:46 3773440 c:\windows\system32\igxpdx32.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 2685760 c:\windows\system32\igxpdv32.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 5702656 c:\windows\system32\igfxress.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 4112384 c:\windows\system32\ig4icd32.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 2600960 c:\windows\system32\ig4dev32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 6273504 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igxpmp32.sys

+ 2010-06-06 19:34 . 2009-01-11 21:46 3773440 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igxpdx32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 2685760 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igxpdv32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 5702656 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\igfxress.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 4112384 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\ig4icd32.dll

+ 2010-06-06 19:34 . 2009-01-11 21:46 2600960 c:\windows\system32\DRVSTORE\kit16476_4CEC385A9E750ADF3C81396072EE2F6411E5D2E1\ig4dev32.dll

+ 2009-07-25 10:20 . 2009-01-11 21:46 6273504 c:\windows\system32\drivers\igxpmp32.sys

+ 2009-11-20 16:26 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll

- 2009-11-20 16:26 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll

+ 2010-05-15 01:32 . 2010-05-15 01:32 1235968 c:\windows\Installer\c9404a4.msi

+ 2009-10-16 12:08 . 2009-10-16 12:08 2237952 c:\windows\Installer\57eb5aa.msp

+ 2010-04-09 20:21 . 2010-04-09 20:21 5025792 c:\windows\Installer\57eb593.msp

+ 2010-01-20 22:29 . 2010-05-11 21:55 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-01-20 22:29 . 2010-04-14 08:03 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-01-20 22:29 . 2010-05-11 21:55 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2008-08-26 04:50 . 2008-08-26 04:50 2585592 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\VBE6.DLL

+ 2009-11-20 16:35 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-09-01 1044480]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-19 796184]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-09 122880]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-11 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-11 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-11 141336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-20 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2009-12-18 57344]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\documents and settings\home\My Documents\Kim's folder\total pics\mexico09\P6140020.JPG

FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2009 10:38 AM 64288]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/25/2009 5:19 AM 24064]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [7/25/2009 2:28 AM 2066968]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [7/25/2009 5:19 AM 144480]

S1 gwtwfstv;gwtwfstv;\??\c:\windows\system32\drivers\gwtwfstv.sys --> c:\windows\system32\drivers\gwtwfstv.sys [?]

S1 MpKsl088b1160;MpKsl088b1160;\??\c:\windows\system32\MpEngineStore\MpKsl088b1160.sys --> c:\windows\system32\MpEngineStore\MpKsl088b1160.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 11:15 AM 135664]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1314704]

.

Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:38]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 16:15]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 16:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-06 14:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A5B8D01]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

\Driver\iaStor -> IASTOR.SYS @ 0xb9e6f466

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® 82567LM-3 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d2cbb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d1ba0d

SendHandler -> NDIS.sys @ 0xb9d2fb40

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-06 14:59:29

ComboFix-quarantined-files.txt 2010-06-06 19:59

ComboFix2.txt 2010-06-04 18:11

ComboFix3.txt 2010-05-10 18:43

Pre-Run: 167,134,617,600 bytes free

Post-Run: 167,193,067,520 bytes free

- - End Of File - - 9A93C4786ACFE272C5C0F29B0D018EB7

Thanks
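The two things in the pasted log that a helper triages first are the service lines whose image ComboFix could not read (the `--> path [?]` form, here the start-type-1 drivers `gwtwfstv` and `MpKsl088b1160`) and the `>>UNKNOWN [0x...]<<` module that Gmer's MBR detector reported in the disk call chain even though the MBR itself compared clean. The script below is an added example, not code from the original post, from ComboFix or from Gmer: it parses service lines in the shape ComboFix prints (`R`/`S` state, start-type digit, then `name;display;image [date time size]`), marks entries whose image is absent or whose kernel-driver name looks machine-generated, and pulls the unknown-module addresses out of the MBR section. The sample lines are constructed to match the entries above; the reading of `[?]` as "image not readable", the vowel-ratio threshold for a random-looking name, and the treatment of `MpKsl<hex>.sys` as Microsoft's transient antimalware-engine driver are assumptions made for this example.

```python
"""Triage helper for ComboFix service lines and the Gmer MBR section of a log.

Added example, not ComboFix's or Gmer's own code. Parses lines in the shape
ComboFix prints for services and flags the ones worth a closer look.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the entries in the posted log.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2009 10:38 AM 64288]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
S1 gwtwfstv;gwtwfstv;\??\c:\windows\system32\drivers\gwtwfstv.sys --> c:\windows\system32\drivers\gwtwfstv.sys [?]
S1 MpKsl088b1160;MpKsl088b1160;\??\c:\windows\system32\MpEngineStore\MpKsl088b1160.sys --> c:\windows\system32\MpEngineStore\MpKsl088b1160.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 11:15 AM 135664]
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A5B8D01]<<
user & kernel MBR OK
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

VOWELS = set("aeiou")
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")   # length window is an assumption
# Assumption for this example: MpKsl<8 hex>.sys is the transient driver that
# Microsoft's antimalware engine creates around a scan and removes afterwards,
# so an absent image for it is expected rather than a finding.
TRANSIENT_AV_RE = re.compile(r"^MpKsl[0-9a-f]{8}$")
DRIVERS_DIR = r"c:\windows\system32\drivers"


@dataclass
class ServiceEntry:
    state: str          # 'R' running, 'S' stopped (ComboFix convention)
    start: str          # Windows start type: boot/system/auto/demand/disabled
    name: str
    display: str
    path: str
    image_present: bool
    flags: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for a ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Assumed reading: ComboFix prints '[?]' in place of '[date time size]'
    # when it could not read the image file.
    image_present = not rest.endswith("[?]")
    # For a \??\ registry path ComboFix echoes the resolved path after '-->'.
    tail = rest.rsplit("-->", 1)[-1]
    path = tail.split(" [", 1)[0].strip()
    return ServiceEntry(m.group("state"), START_TYPES[m.group("start")],
                        m.group("name"), m.group("display"), path, image_present)


def looks_random(name):
    """Crude heuristic: short all-lowercase name with almost no vowels."""
    if not RANDOM_NAME_RE.match(name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.2


def triage(entry):
    """Attach review flags to one entry and return it."""
    flags = []
    if not entry.image_present:
        flags.append("image-missing")
    if (entry.start in ("boot", "system")
            and entry.path.lower().startswith(DRIVERS_DIR)
            and entry.display == entry.name
            and looks_random(entry.name)):
        flags.append("random-looking-kernel-driver")
    if TRANSIENT_AV_RE.match(entry.name):
        flags.append("expected-transient-av-driver")
    entry.flags = flags
    return entry


def triage_log(text):
    """Parse and triage every service line in the log text."""
    entries = (parse_service_line(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]


def suspicious_services(entries):
    """Names that carry a flag not explained by a known transient driver."""
    return [e.name for e in entries
            if e.flags and "expected-transient-av-driver" not in e.flags]


def unknown_called_modules(text):
    """Addresses Gmer's MBR detector printed as >>UNKNOWN [0x...]<< in the call chain."""
    return UNKNOWN_RE.findall(text)


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for e in results:
        print(f"{e.state}{e.start:<9} {e.name:<16} {e.path}  flags={e.flags}")
    print("suspicious:", suspicious_services(results))
    print("unknown modules:", unknown_called_modules(SAMPLE_LOG))
```

On the sample above the only entry left after the transient-driver allowance is `gwtwfstv`, flagged both for a missing image and for a name with no vowels registered as a system-start driver, and the MBR section yields the one unknown address. A flag is a prompt to pull the registry key and any file that still exists for review, not a verdict; the name heuristic in particular will miss malware that picks a plausible name and will occasionally flag a legitimate vendor driver.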
